Saturday, March 1, 2014

Targeting Target

Target Stores took a tremendous hit when hackers broke into company computers and stole the identities and credit card numbers of zillions of customers.  Certainly I will think twice before shopping at Target. 
Little has been released about how they did it. But it appears the bad guys infected the "point of sale" equipment (jargon for cash register). The malware skimmed off the credit card info right at the scanner, before it was encrypted.
Question: How do you infect a cash register with malware? Needless to say, just about everything electronic has a microprocessor inside these days. They work off programs stored in memory. Understand that computer memory, random access memory (RAM), is volatile. When the power goes off, it forgets everything. An infection living only in RAM cannot survive a power cycle. It must work its way into non-volatile storage. In the good old days, devices like cash registers kept their programs in Programmable Read Only Memory, PROMs for short. PROMs were cheap and very dependable and, best of all, they could not be written in circuit. Only special test equipment, PROM programmers, could write into PROMs. The only way to change programs burned into PROM was for a tech to open the device casework, remove the old PROM and insert a new PROM. You ain't going to pull off that stunt over the Internet. I suppose the bad guys could have infiltrated Target after closing hours (does Target ever close?) and reworked all the cash registers. Does not sound likely to me.
And technology moves on. They invented the Electrically Erasable PROM, EEPROM, which can be reprogrammed in circuit. Production loved them. Before EEPROMs, production had to buy blank PROMs, keep them in the stockroom, program batches of them, make sure the programmed ones rather than blank ones got stuffed into boards (blank PROMs look just like programmed PROMs, after all), and make sure the right version of the program was in the PROM. With EEPROMs all these possibilities of error go away. Just stuff the board and solder it, then program the EEPROM in circuit. And with EEPROMs we now have the possibility of changing the program in the cash register without laying a hand on it. Assuming the cash register maker was stupid enough to allow reprogramming of his product in the field. There are plenty of ways to disable the programming capability before you ship the product.
Presumably the bad guys infected Target's central computers, the ones in finance and the stockroom that talk to the cash registers, total up dollar volume of sales, and keep track of inventory so they can reorder product as it sells out. And somehow the central computers infected the cash registers by sending new programming out over the wire to the checkout counters. Had Target been more security minded, they would not have allowed the central computers to talk to the cash registers. Just listening is enough to make the system work.
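The "central computers only listen" rule above can be checked against network flow records. The following is an added example, not part of the original post: the address ranges, the flow record format and the sample flows are all constructed for illustration, and it generalizes the rule slightly by flagging any connection initiated toward a register, whatever its source.

```python
import ipaddress

# Constructed address plan (an assumption for this sketch, not from the post).
ZONES = {
    "register": ipaddress.ip_network("10.20.0.0/16"),  # checkout lanes
    "central": ipaddress.ip_network("10.1.0.0/24"),    # finance and inventory servers
}

# Constructed flow records, one per line: "initiator responder dest_port".
SAMPLE_FLOWS = """\
10.20.3.11 10.1.0.5 8443
10.20.3.12 10.1.0.5 8443
10.1.0.5 10.20.3.11 445
10.1.0.9 10.1.0.5 5432
10.20.7.40 10.20.7.41 445
203.0.113.7 10.20.3.11 22
"""

def zone_of(addr):
    """Map an address to a zone name; anything unlisted is 'outside'."""
    ip = ipaddress.ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "outside"

def audit(flow_text):
    """Return (line_no, initiator_zone, raw_line) for each flow that breaks
    the rule: registers may start connections, but nothing may start one
    toward a register. Lines that cannot be parsed are reported as well."""
    findings = []
    for line_no, line in enumerate(flow_text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            src, dst, port = line.split()
            int(port)
            if zone_of(dst) == "register":
                findings.append((line_no, zone_of(src), line.strip()))
        except ValueError:
            # Wrong field count, bad address or bad port: surface it.
            findings.append((line_no, "unparsable", line.strip()))
    return findings

if __name__ == "__main__":
    for line_no, zone, raw in audit(SAMPLE_FLOWS):
        print(f"line {line_no}: initiated from {zone}: {raw}")
```

Register-to-central flows pass, while the central-to-register flow on port 445 is the kind of traffic the post argues should never have been possible.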
I assume the Target people are hard at work securing things. I haven't heard that they have succeeded yet.

2 comments:

DCE said...

Anything that can have its software updated remotely is at risk. The equipment I help design can be updated in the field, but only indirectly and not 'live'. But then our equipment doesn't process sales transactions nor deal with financial information.

Dstarr said...

That about sums it up. Every time Windows Update goes to work I worry that it might do something awful to my trusty desktop.