By Clare O’Gara
Wed | Jul 1, 2020 | 7:31 AM PDT

It's the IT version of robbing a bank.

Attacks on ATMs are infamous in cybersecurity. But according to recent research from Eclypsium, the reason might be flawed drivers.

How drivers contribute to ATM attacks

The stance from Eclypsium is clear: when a driver is screwed, so is security.

In a recent study, "Screwed Drivers Open ATMs to Attack," Eclypsium dove into the discussion about the risks that malicious or insecure drivers pose to Windows-based systems. According to the research, the conversation boils down to two main points:

  1. Vulnerable or poorly designed drivers (often created by technology vendors for managing or updating their products) can be used by attackers to gain control over the Windows kernel and underlying device firmware.
  2. There is not a universally applicable way to prevent Windows from loading bad drivers once they've been identified. Microsoft's HVCI technology may protect newer devices, but devices on anything but the latest hardware must rely on manually updated blacklists.
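An added defender-side check, not code from the article or from Eclypsium: this PowerShell script reads the host's HVCI state from the Win32_DeviceGuard WMI class and then hashes every running kernel driver against a locally maintained blocklist, so a machine that lacks HVCI and therefore depends on a manually updated list can be spotted. It assumes an elevated PowerShell session on a modern Windows build; the hashes in $DriverBlocklist are constructed placeholders.

```powershell
# Added example, not code from the article or from Eclypsium.
# Assumes an elevated PowerShell session on Windows 10 / Server 2016 or later.
# $DriverBlocklist holds constructed placeholder SHA-256 values; a defender
# replaces them with hashes from their own tracking of known-bad drivers.
$DriverBlocklist = @(
    '0000000000000000000000000000000000000000000000000000000000000000'  # placeholder
)

function Get-HvciStatus {
    # Win32_DeviceGuard exposes VBS state; the SecurityServices* arrays contain
    # 1 for Credential Guard and 2 for HVCI (hypervisor-enforced code integrity).
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard -ErrorAction Stop
    [pscustomobject]@{
        VbsStatus      = $dg.VirtualizationBasedSecurityStatus  # 0 off, 1 enabled, 2 running
        HvciConfigured = ($dg.SecurityServicesConfigured -contains 2)
        HvciRunning    = ($dg.SecurityServicesRunning -contains 2)
    }
}

function Get-RunningDriverReport {
    param([string[]]$Blocklist)
    # Enumerate loaded kernel drivers, hash each image, check its Authenticode
    # signature, and flag any that are unsigned or on the blocklist.
    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' -and $_.PathName } |
        ForEach-Object {
            # Normalise NT-style paths (\??\C:\... or \SystemRoot\...) to Win32 paths.
            $path = $_.PathName -replace '^\\\?\?\\', '' `
                                -replace '^\\SystemRoot\\', "$env:SystemRoot\"
            if (-not (Test-Path -LiteralPath $path)) { return }
            $sig  = Get-AuthenticodeSignature -LiteralPath $path
            $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
            [pscustomobject]@{
                Name        = $_.Name
                SigStatus   = $sig.Status
                Signer      = $sig.SignerCertificate.Subject
                Sha256      = $hash
                Blocklisted = ($Blocklist -contains $hash)
            }
        }
}

$status = Get-HvciStatus
if (-not $status.HvciRunning) {
    Write-Warning 'HVCI is not running: this host depends on driver blocklisting alone.'
}
Get-RunningDriverReport -Blocklist $DriverBlocklist |
    Where-Object { $_.Blocklisted -or $_.SigStatus -ne 'Valid' } |
    Format-Table Name, SigStatus, Signer, Sha256 -AutoSize
```

Only drivers that are blocklisted or lack a valid signature are printed, so an empty table plus no warning is the healthy outcome.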

Eclypsium has examined driver risks before, but is now applying that research to ATMs and point-of-sale (POS) systems.

"Attackers can deliver malware by compromising the banking network connected to the device, by compromising the device's connection to card processors, or by gaining access to the ATM's internal computer. And much like traditional attacks, attackers or malware often need to escalate privileges on the victim device to gain deeper access into the system."

This is where drivers enter the picture:

"By taking advantage of the functionality in insecure drivers, attackers or their malware can gain new privileges, access information, and ultimately steal money or customer data."

3 challenges to addressing flawed ATM drivers

When it comes to mitigating the issue of "screwed drivers," Eclypsium says there are a few obstacles.

The research gives three primary reasons why problematic drivers are hard to address:

  1. First and foremost, these devices are highly regulated. And while strong regulations play an important role in establishing security standards for these devices, they can also inadvertently make updates slower.
  2. ATMs and other financial devices can also be an operational challenge to update. Devices are naturally widely distributed, and heavily secured to prevent physical tampering or abuse.
  3. Lastly, many of these devices have long refresh cycles and often rely on older embedded versions of the Windows operating system.

Interested in this research? Check it out here.