Developer: Kaspersky Lab
System launch date: 2016
Last release date: 2017/07/27
Industries: Insurance; Trade; Financial services, investments and audit
Technology: Cybersecurity - Antivirus; Cybersecurity - Antispam; Cybersecurity - Authentication; Cybersecurity - Data loss prevention
Kaspersky Embedded Systems Security is a solution for protecting ATMs, payment terminals and other embedded systems.
2017
Release of an updated version with file integrity monitoring and process memory protection
On July 27, 2017 Kaspersky Lab released an updated version of Kaspersky Embedded Systems Security, its solution for protecting ATMs, POS terminals and self-service kiosks. The new features are intended to help companies meet regulatory requirements and repel the most sophisticated attacks, including those involving insiders.
As attacks on financial institutions in general, and on ATMs in particular, have grown more sophisticated, Kaspersky Lab has extended the capabilities of Kaspersky Embedded Systems Security. In response to the spread of fileless malware, which "lives" in the device's memory and disappears completely when the device is rebooted, the updated solution adds process memory protection. With it, information security specialists can prevent malware, including ransomware, from launching in the memory of the ATM or POS terminal's operating system.
In addition, Kaspersky Embedded Systems Security now includes file integrity monitoring, which tracks changes to files and helps detect vulnerabilities or infections in time. Analysis of Windows event logs makes it possible to reveal anomalous activity, and integration with SIEM systems aggregates all event data from the IT infrastructure in a single corporate information security command center.
Overall, according to the developers, these innovations together with the existing functions of Kaspersky Embedded Systems Security make the infrastructure more transparent: any attempt to interfere with the operation of the devices will be detected quickly. This is supported in particular by the Default Deny function, which permits only pre-authorized processes to execute, as well as by application launch control, monitoring of connected devices and centralized firewall management.
In the near future, security of embedded systems will become one of the priority tasks for all companies, especially those working in the financial sector. Attackers increasingly target ATMs and POS terminals, because so far incomparably less attention has been paid to their protection than to corporate networks. Now everyone understands that the rules of the game have changed: cyber-robberies have been committed via ATMs more than once, and regulators are beginning to tighten security requirements for such devices, says Dmitry Zveginets, head of ATM and point-of-sale protection at Kaspersky Lab.
Dangerous vulnerability found that could let attackers withdraw all cash from an ATM
In July 2017 Positive Technologies reported that its expert Georgy Zaytsev had discovered a vulnerability in the Application Control component of Kaspersky Embedded Systems Security, the specialized protection for embedded systems, in versions 1.1 and 1.2.
The flaw was found during a security audit of an ATM on which this product was installed. According to Positive Technologies, exploiting the vulnerability could ultimately allow an attacker to install unknown software on the ATM and then escalate the attack up to withdrawing all the cash from the device.
Specifically, an attacker could drive the Kaspersky Embedded Systems Security service into a state in which it could not process file launch verification requests within the allotted time. That, in turn, allowed the attacker to run applications that were not on the whitelist. As a result, the attacker could run .exe files on the ATM (for example, from a USB stick or over the network) to escalate privileges in the system, infect it, or simply withdraw all the cash available in the device.
The whitelist principle permits only trusted programs to run on the device. The vulnerability in Application Control opened two ways to bypass this restriction and launch the file the attacker needed, Georgy Zaytsev explains. In the first case, the attacker could append a large amount of arbitrary, meaningless data to the end of the executable file. The file then had to be launched twice. On the first launch the file's hash, i.e. its identifier, is calculated, and on its basis the decision to allow or deny the launch should be made. With a sufficiently large file, this process takes longer than the time allotted for the check, and as a result, once the allotted time expires, the file is executed.
Since Kaspersky Embedded Systems Security saves the results to avoid recalculating the hash on subsequent launches, this method only works on the first launch of the file, the company says.
The second method also bypassed this restriction and consisted of launching a large number of copies of the application simultaneously. Roughly speaking, this caused the application to hang, and as a result a file not on the whitelist was launched, Georgy Zaytsev noted.
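The allow-list behaviour described above, as an added example that is not Kaspersky's code: a hypothetical hash-based Application Control model in Python with a verdict deadline and a hash cache, where `fail_open=True` reproduces the timing flaw (the file runs when its hash is not ready in time) and the default fail-closed setting is the mitigation. The 64 KiB chunk size, the one-second budget and the constructed clock that advances one second per read are assumptions made so the run is deterministic; a real deployment would pass `time.monotonic`.

```python
import hashlib
import itertools
import pathlib
import tempfile
import time

CHUNK = 64 * 1024  # bytes hashed per step; the verdict deadline is checked between chunks

def fake_clock():  # constructed clock: reads return 1.0, 2.0, 3.0 ... so runs are deterministic
    return itertools.count(1.0, 1.0).__next__

class ApplicationControl:  # hypothetical hash-based allow list, not Kaspersky's implementation
    def __init__(self, allowed_sha256, fail_open=False, clock=time.monotonic):
        self.allowed, self.clock = set(allowed_sha256), clock
        self.fail_open = fail_open  # True reproduces the timing flaw; False (default) is the fix
        self.cache = {}  # (path, size, mtime_ns) -> sha256 hex, reused on later launches

    def _sha256(self, path, budget_s):  # returns (digest, timed_out)
        st = pathlib.Path(path).stat()
        key = (str(path), st.st_size, st.st_mtime_ns)
        if key in self.cache:
            return self.cache[key], False
        deadline = self.clock() + budget_s
        h, timed_out = hashlib.sha256(), False
        with open(path, "rb") as f:
            while chunk := f.read(CHUNK):
                h.update(chunk)
                if self.clock() > deadline:
                    timed_out = True  # verdict was due before hashing finished; keep going for the cache
        self.cache[key] = h.hexdigest()
        return self.cache[key], timed_out

    def check_launch(self, path, budget_s=1.0):
        digest, timed_out = self._sha256(path, budget_s)
        if timed_out:  # fail-closed denies a file whose hash could not be verified in time
            return "allow" if self.fail_open else "deny"
        return "allow" if digest in self.allowed else "deny"

def demo():  # constructed files: a small trusted binary and a large unauthorized one; returns verdicts
    d = pathlib.Path(tempfile.mkdtemp())
    trusted, large = d / "trusted.exe", d / "unknown.exe"
    trusted.write_bytes(b"MZ trusted")
    large.write_bytes(b"MZ unknown" + b"\0" * (3 * CHUNK))  # spans several chunks, so its hash is late
    allowed = [hashlib.sha256(b"MZ trusted").hexdigest()]
    weak = ApplicationControl(allowed, fail_open=True, clock=fake_clock())
    hardened = ApplicationControl(allowed, clock=fake_clock())
    return {"trusted": hardened.check_launch(trusted),
            "weak_first_launch": weak.check_launch(large),  # hash not ready in time -> runs anyway
            "weak_second_launch": weak.check_launch(large),  # cached hash -> correctly denied
            "hardened_first_launch": hardened.check_launch(large)}
```

The second dictionary entry is the first-launch-only window the text describes; the cache closes it on the next launch, and the fail-closed policy closes it on the first.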
Positive Technologies also reported that Kaspersky Lab had already released a patch fixing the discovered vulnerability in versions 1.1 and 1.2 of the solution. The same patch fixed another vulnerability found by Positive Technologies experts, which made it possible to disable Application Control functionality by sending a specially crafted request to the klif.sys driver. The new version, Kaspersky Embedded Systems Security 2.0, does not contain these vulnerabilities.
Kaspersky Lab told TAdviser that the vulnerabilities announced by Positive Technologies did not directly allow cash to be withdrawn from ATMs. For the attack to have a negative effect, several factors would have to coincide: before using the vulnerabilities, the attacker would have to find a way to infect the system, bypassing the protective solution's components, and launch malware in the OS, the company explained.
The latest service pack, released on June 23, 2017, protects users of Kaspersky Embedded Systems Security from the vulnerabilities announced by Positive Technologies, Kaspersky Lab added.
The safety of our users is an unconditional priority for us, and we do everything possible to protect what is valuable to them. We are grateful to Positive Technologies for notifying us of the discovered vulnerabilities. Kaspersky Lab understands how useful and valuable third-party research into vulnerabilities in the company's products is; we even have a dedicated bug bounty program that rewards experts who report bugs to us. Ultimately, all this helps improve our products, the company says.
Kaspersky Lab did not tell TAdviser how many ATMs, or at which banks, Kaspersky Embedded Systems Security is installed. Positive Technologies likewise did not say which bank's ATM running this software was audited.
According to open sources, Kaspersky Embedded Systems Security is used, for example, on the ATMs of Kuban Credit bank. At the end of 2017 another bank, whose name is not specified, also held a request for proposals for delivery of this software for its coverage area. In that case the bank required 3.5 thousand Kaspersky Embedded Systems Security licenses to protect its ATMs.
2016: Launch of the solution
In May 2016 Kaspersky Lab released Kaspersky Embedded Systems Security, a solution for protecting ATMs, POS terminals and self-service kiosks.
The Kaspersky Lab solution implements technologies for countering the most common attack methods against these types of devices. Thanks to Default Deny mode, only those files, drivers and libraries explicitly authorized by the administrator are executed on the system. This makes it possible to protect ATMs and payment terminals from sophisticated targeted threats, such as Tyupkin and Skimer, at the endpoint level.
In Device Control mode, attempts to physically connect unauthorized USB drives to these machines are blocked, closing one of the main weaknesses that cybercriminals regularly use to gain access to the system.
The product is fully compatible with all current versions of Windows, as well as Windows XP Embedded, Windows Embedded 8.0 Standard and Windows 10 IoT. System requirements are minimal: from 256 MB of RAM and 50 MB of disk space.
The solution can be managed through the unified centralized administration console Kaspersky Security Center. The product is integrated with the Kaspersky Security Network (KSN) cloud service, which provides real-time threat intelligence and helps prevent zero-day exploit attacks. It also meets the requirements of the Payment Card Industry Data Security Standard (PCI DSS), under which systems handling bank cards must be equipped with a regularly updated antivirus.
The product differs from Endpoint Security primarily in that the antivirus module is optional (it need not be installed), while the core functionality is whitelisting and Default Deny. The product is developed in compliance with PCI DSS requirements, is light on resources and supports the main operating systems used in embedded devices:
- Windows XP Embedded
- Windows Embedded Standard 2009
- Windows XP Professional
- Windows Embedded POSReady 7
- Windows Embedded Standard 7
- Windows Embedded Standard 8
- Windows 10 IoT Enterprise