Slapping a full-size QUERTY keyboard on an automated teller machine is not the best way to keep the ATM safe from prying hands, as one Sberbank customer found out this holiday season.
In early December, an employee of Russian website Habrahabr went to get some cash from a Sberbank ATM that incidentally had a full-size keyboard. Out of boredom, as the man recalls, he started hitting the Shift key repeatedly when, all of the sudden, the Sticky Keys feature switched on, giving him full access to the machine’s underlying Windows XP operating system.
Sticky Keys, an accessibility feature originating in Apple’s System 6, is shared by many GUI-based operating systems, including Microsoft’s ancient Windows XP.
By pressing the Shift key five times in a row, Windows serializes keystrokes, allowing the user to press and release modifier keys. This eliminates the need to hold one key with a finger while reaching for other keys.
While it’s certainly helpful to users who have physical disabilities or to those with Emacs Pinky syndrome, Sticky Keys leaves Windows-based ATMs vulnerable to attacks – especially when customers are offered a full-size keyboard. The hack was captured on video and posted to YouTube (embedded below) for everyone’s viewing pleasure.
As the footage shows, Sticky Keys let the user quickly access the Windows XP UI, including the Start menu and taskbar. Access to these areas of the OS means a malicious user could try to modify the way the ATM works, shut down the machine, use the ATM as a regular PC and, under the right conditions, maybe even deploy malware.
Sberbank took weeks to fix the problem, according to the Habrahabr post, but eventually patched all its ATMs. A bank statement appeared to downplay the flaw as a “peculiarity” of its systems that otherwise “did not carry any risks for device security.”