Malware components can have a long useful life, lurking around and then re-appearing in the most unexpected of places.
The recent reports of POS malware in payment kiosks by U.S.-based vendor Avanti is just the latest example.
If industry reports are accurate, that the first step in the attack uses a derivative of the known Poseidon dropping mechanism, it shows once again that a vulnerability more than two years old can be successfully re-purposed. While this attack was very specific, dropping a data logger targeting payment account information into POS systems, this mechanism could be altered to carry another payload, such as ransomware.
Then, as we saw with the spread of WannaCry, different sectors can be targeted, such as health care, manufacturing or automotive.
Amplifying these risks is the meteoric rise of internet-connected devices. Once highly specialized, purpose-built systems like POS, as well as IoT devices other industries such as automobiles or healthcare, started connecting to the internet, the attack surface grew exponentially.
Worse still, POS and other IoT systems are particularly vulnerable to this re-purposing of malware elements that seems to be in play here. These systems were designed to do specific tasks, and are not equipped with patching and update mechanisms such as those present in desktops and servers to help keep pace with new threat vectors.
But payment systems providers must consider Windows-based kiosks, POS and ATMs, like other embedded systems in automobiles and medical equipment, that were developed and deployed years ago. What is the cost to continually update and test new versions of these years-old, specialized software programs? Let alone the difficulties and impact on service delivery of managing the complex, risky and expensive process of deploying those updates.
While the Avanti breach appears to have focused on stealing payment card and biometric information, what is to stop enterprising criminals from following the WannaCry example and dropping ransomware into POS systems, or attacking other industries like automotive manufacturing and hospitals where production and customer care systems are halted due to the attack?
Is this an impossible situation for payment systems and other IoT device manufacturers? Far from it.
As an industry, payment system providers and other IoT systems makers in all stripes and colors need to shift the paradigm and build in tamper-proof security based on their factory settings. Instead of relying on a failed model of detect and correct, POS, IoT and embedded system designs must ensure that foreign code—anything that varies from factory installed software—can never run in a payment terminal, an automobile or any manufacturer’s production equipment. This whitelist approach must be done in-memory as well as on disk, with zero false positives and with negligible impact on performance. These technologies exist today in military and defense systems and are commercially available for any IoT device manufacturers at reasonable prices.
Analysis reports of this Avanti attack show it starts with a loader that puts itself on the disk and downloads a utility from a command and control (C&C) server.
Preventing such bug exploits and cyberattacks can be done by hardening those POS or payment systems, Windows-based or otherwise, according to their factory settings, and blocking any unauthorized change, i.e., malware, so that the IoT device will be resilient to these attacks with zero-day prevention.
POS kiosks, like cars, medical and manufacturing equipment, and other IoT devices have embedded controllers.
From fast food to the fast lane, these system architectures must evolve so that controllers can be hardened against foreign intrusions. Any code or function call that isn't part of the factory settings is detected and prevented in real time, with zero false positives.
Hardening the connected controllers is the only way to ensure security in POS and other IoT systems years after they are developed, cost effectively and reliably.