Sunday, 7 June 2009

Are TFL top-up machines secure?

Another day, another FAIL. This is becoming my daily routine, it seems, but that's another story.
This time it's TFL, which operates London's public transport network covering underground, overground, DLR, buses and whatever else comes.



During one of the Security Now! podcasts (#193 was about Conficker, so it was somewhere between #194 and #196), one of the main discussion topics was (to no surprise) why Windows shouldn't be used in places like ATMs, hospital equipment (MRI scanners, heart monitors, etc.) and most of the other control systems we have and use today.

In fact it's really hard not to agree with that. The arguments were very clear and sound:
  • Most if not all of those systems are "consumer grade", not any kind of "industry type" things
  • They are connected to the network
  • They are not patched in general (it works so don't touch it)
  • Most don't run any antivirus/firewall (not related to business function?)
  • Many were not planned to be put on-line in any way (but we know they are)

The machine above takes cash or card - can we trust it then? Does it run anti-virus software and a firewall (it's networked - it should)? How can I be sure it won't do what some ATMs in Eastern Europe did? We can't be sure of anything if they end up like the one above, so feel free to add those to a 'Windows no-go list' if you wish and do top-ups on-line at the TFL website. I think it will be safer than at those machines; in general they don't reinforce any trust I might have had in them some time ago.