The recent news that XP source code has been made publicly available has been met with varied response. Understandably, some folks assume it’s been out of support for so long that it doesn’t really matter. However there are a few key ways this exposure can have a serious impact.
First, there’s the risk to critical verticals
This news made me think about the problem that still persists related to end of life operating systems that permeate different sectors. While the global market share of Windows XP machines is a mere 0.82%, however that prominence increases in certain industry segments – including ATM machines and medical devices.
So, as I sat down to write this, I reached out to friends in the financial and healthcare sectors to research the issue a bit more. While the ideal response to, “How many ATM machines and medical devices are still running Windows XP?” would be 0%, the reality is not that simple.
On April 8, 2014, Microsoft ended standard support for Windows XP. At that time the Payment Card Industry Security Standards Council (PCI SSC) estimated that 95% of the ATMs globally were running Windows XP, and so the migration started to Windows 7. Trend Micro Research and Europol further explored the cybersecurity risks to ATM machines in 2017.
Fast forward 6 years to January 14th, 2020 when Microsoft made effective the end-of-life (EoL) of Windows 7. It is estimated the move will affect 85% of over 3.5 million ATMs running Microsoft OS’s globally. This time, though, the upgrade will require ATM deployers to upgrade both software and hardware. The cost of this upgrade for financial institutions and ATM deployers is high, both in terms of the actual spend and with their overall resources to support such a widespread change.
According to those who I spoke with, the estimated exposure of ATMs still running Windows XP even after 6 years is approximately 25%. By rough estimate, that could be over 750 thousand machines globally, resulting in a sizeable risk.
Because of the significant costs of versioning up those machines, some in the financial sector are calling for the Windows operating systems. This may ease the cost and burden of upgrading ATMs every few years, but it does not solve the risk to ATM attacks. Just this summer, Diebold released an alert describing a new jackpotting campaign in which cybercriminals were leveraging a connected black box to send illegitimate dispense commands that potentially included proprietary parts of the Diebold software stack. Whether its Windows, Linux, or even a proprietary stack, the cost over time of not updating software is much greater than the initial transition, both in terms of exposure and risk.
In healthcare, the exposure is much greater, and frankly the risk is as well. A huge portion of exposed internet-connected imaging devices at hospitals in the US and globally run outdated operating systems, according to Trend Micro Research report in 2017.
The medical devices running Windows XP include machines that take X-rays, MRIs, mammograms and CAT scans. The risk becomes tangible when access to these devices is disrupted, degraded, or denied.
There’s also risk beyond critical industries
While the risk to critical industries and machines is high, it’s not the only area of risk Windows XP still poses. There are two other ways the source code exposure can have a broader impact.
- Some parts of the world still heavily rely on this operating system. Despite the end of support, Windows XP prevails across some global markets. This creates a big target for cybercriminals looking for a quick win.
- Legacy systems from Windows XP still exist in Windows 10. Cybercriminals could mine for XP bugs in these legacy code that are still under support, creating a viable exploit chain that would work on modern OS’s.
Dustin Childs, communications manager for Trend Micro’s Zero Day Initiative, said this about the possible impact:
“Right now, exploit developers are likely pouring through the code looking for bugs they can use against modern OSes. However, it’s not a 1-to-1 translation. Modern operating systems have additional mitigations that make exploitation more difficult. It’s another reason you should upgrade to the latest operating system to benefit from the new defensive features.”
Updates are never simple. Overhauling a typical business environment to run a new operating system takes significant lift and budget. Multiply that at the scale of a government, hospital system, factory or globally dispersed ATMs, and you face a problem that many are unable to address.
Source code leaks like this can have a much greater impact than many may realize. If your business is among those running XP, keep a close eye on those systems, and everyone should pay attention for exploits targeting legacy systems that are still supported.