By Rick Anderson, delivery director, Wind River
While ATM security is not necessarily “life critical,” as it is in many other industries (think transportation, medical and some industrial applications), there are certainly financial and identity theft risks associated with these devices.
Plenty of information is available on the web regarding various ATM attack vectors, the estimated number of annual hacks and the cost to the industry. The question we will ponder here is very specific: Would replacing the Windows operating system in an ATM with a Linux-based one improve security? Most experts believe the answer is yes.
Today’s ATM looks much like a personal computer on your desk. It runs the world’s most popular desktop operating system, Windows, on the world’s most popular hardware: Intel motherboards.
But therein lies part of the problem. Being “most popular” means there are few barriers keeping the bad guys from simulating the internals of a typical ATM. This fact alone makes Windows more prone to attack than the alternatives.
Open source, a more secure option
Linux may have a much smaller overall market share than Windows, but a lot of systems are still running it. Linux has something else going for it: open source.
Data suggests that open source solutions provide the best security. This is because the code is readily available for anyone to inspect and there are, literally, thousands of eyes scrutinizing every code change.
As for Windows, users are given a fair amount of system access by default. While ATM vendors attempt to lock these down, it’s difficult to find and secure every area. Linux is built differently and many things are protected by default. Although these can be overridden by the system administrator, selecting a locked-down system versus an open one as a starting point offers an advantage.
Another advantage of Linux is that it has many security tools built into the distribution, and these tools have been in place for a long time. In fact, most Linux distributions come with a complete security suite that has been hardened together for quite some time.
In contrast, with Windows, you need to select your firewall, your anti-virus tool, a solution for whitelisting key applications, an encryption solution, a firmware over-the-air program, etc. These apps may or may not work well together and could expose you to additional security flaws.
Furthermore, each new version of Windows is supported only on the newest hardware. This causes all kinds of problems for ATM vendors. Do you upgrade your hardware at a cost of millions every few years? Do you try to run your software on unsupported hardware? Or do you just not upgrade and continue on with an unsupported solution?
An enduring solution
There are no easy answers here. And most ATM vendors are facing this problem right now with the expiration of Windows 7 support and the need to move to Windows 10. Linux, on the other hand, often supports hardware for a very long time, mainly because the open source community demands it.
As long as someone is running “motherboard X” and “peripheral Y,” and they are willing to keep the code moving forward, Linux will be supported. Because the code is open, you are not handcuffed, waiting for Microsoft to determine whether it’s supported or not. You, your OEM or your ODM can take up support if it is really required.
Linux might also have an advantage over Windows in that security flaws are patched more quickly. While it is hard to prove, Windows’ service pack and Patch Tuesday methodology seems very rigorous and therefore slow. What’s more, Linux patches are often smaller because they include only the fix for the security flaw, while Windows security patches get combined with many other fixes.
Finally, from a footprint perspective, Linux has fewer lines of code than Windows, which offers another advantage: a smaller attack surface.
These days, security is an absolute requirement. Indeed, for those companies that do secure their products, it can be a differentiator. Those that don’t do a good job of securing their products face increasing threats and possible fines, and put their very existence at risk.
And make no mistake about it, as far as data breaches go, things will continue to get worse before they get better.
A version of this article originally appeared on Wind River’s blog.