One basic tenet of computer securityis this: If you can’t vouch for a networked thing’s physical security, you cannot also vouch for its cybersecurity. That’s because in most cases, networked things really aren’t designed to foil a skilled and determined attacker who can physically connect his own devices. So you can imagine my shock and horror seeing a Cisco switch and wireless antenna sitting exposed atopof an ATM out in front of a bustling grocery store in my hometown of Northern Virginia.
I’ve long warned readers to avoid stand-alone ATMs in favor of wall-mounted and/or bank-operated ATMs. In many cases, thieves who can access the networking cables of an ATM are hooking up their own sniffing devices to grab cash machine card data flowing across the ATM network in plain text.
But I’ve never before seen a setup quite this braindead. Take a look:
An ATM in front of a grocery store in Northern Virginia.
Now let’s havea closer look at the back of this machine to see what we’re dealing with:
Need to get online in a jiffy? No problem, this ATM has plenty of network jacks for you to plug into. What could go wrong?
Daniel Battisto, the longtime KrebsOnSecurity reader who alerted me to this disaster waiting to happen, summed up my thoughts on it pretty well in an email.
“I’d like to assume, for the sake of sanity, that the admin who created this setup knows that Cisco security is broken relatively simple once physical access is gained,” said Battisto, a physical and ITsecurity professional. “I’d also like to assume that all unused interfaces are shutdown, and port-security has been configured on the interfacesin use. I’d also like to assume that the admin established a good console login.”
While it’s impossible to test the security of this setup without tampering with the devices, “considering that this was left like this in the front vestibule of a grocery store with no cameras around AND the console cable still attached, my above assumptions are likely invalid,” Battisto observed.
“In my experience, IT departments often overlook basic security practices, and double down on the oversight by not implementing proper physical security controls (you’d be surprised, maybe, at the number of sensitive server rooms that I’ve been in that had the keys to all of the racks taped to the outside of the doors),” he said.
If something doesn’t look right about an ATM, don’t use it and move on to the next one. It’s not worth the hassle and risk associated with having your checking account emptied of cash. Also, it’s best to favor ATMs that are installed inside of a building or wall as opposed to free-standing machines, which may be more vulnerable to tampering.
If you liked this piece, check out my entire series on skimming devices,All About Skimmers.