physically connected a Raspberry Pi device to a network switch shared with an ATM. Equipped with a 4G modem, the device allowed attackers to remotely access the bank’s internal network over mobile data, completely bypassing perimeter firewalls.
Well, no shit. If you don’t have physical security, you don’t have any security. This is like security 101.
There are mitigations possible against allowing unrecognized MAC addresses from getting network connection when plugged into an open port.
Security is meant to have layers. Defense in depth.
Can’t be forgetting 802.1x
I’ve seen ATMs using Windows 7 embedded. 802.1x support on 7 (let alone embedded) was extremely janky at best. Also, it didn’t support some of the features that modern switches support. That’s not an excuse for them, but most likely their “defense in depth” was very limited and they just didn’t do quite a bit of it.
Even if you’re able to plug into the network, it’s a failure that they still had access.
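The two mitigations the thread names (rejecting unrecognized MAC addresses on an open port, and 802.1x) look like this on a switch access port. This is an added example written for this thread, not configuration from the bank, the article or any commenter; it is Cisco IOS style, and the interface name, VLAN numbers, RADIUS address and shared secret are placeholders.

```text
! Added example: ATM-facing access port, shown as the weak "open port"
! first and then with the two layers the thread mentions added on top.
! GigabitEthernet1/0/10, VLANs 50/999, 10.0.0.5 and the key are placeholders.
!
! --- Weak: open access port. Anything plugged in lands on the ATM VLAN. ---
interface GigabitEthernet1/0/10
 switchport mode access
 switchport access vlan 50
!
! --- Layer 1: MAC port security (the "unrecognized MAC" mitigation). ---
! Learn the first MAC seen (sticky), allow only that one, and err-disable
! the port on a violation so a second device on the switch raises an alert
! (%PORT_SECURITY-2-PSECURE_VIOLATION in syslog) instead of getting a link.
interface GigabitEthernet1/0/10
 description ATM-01
 switchport mode access
 switchport access vlan 50
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 switchport port-security violation shutdown
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Auto-recover a tripped port after 5 minutes so a bounced ATM does not
! need a truck roll; the violation still gets logged each time.
errdisable recovery cause psecure-violation
errdisable recovery interval 300
!
! --- Layer 2: 802.1X, so the port only authorizes a device that
! authenticates against RADIUS. A failed authentication goes to a
! quarantine VLAN (999) rather than the ATM VLAN. ---
aaa new-model
radius server ATM-RADIUS
 address ipv4 10.0.0.5 auth-port 1812 acct-port 1813
 key PLACEHOLDER-SHARED-SECRET
aaa authentication dot1x default group radius
dot1x system-auth-control
!
interface GigabitEthernet1/0/10
 authentication port-control auto
 dot1x pae authenticator
 authentication event fail action authorize vlan 999
!
! --- Housekeeping: every unused port on a switch that serves an ATM
! is administratively down, so a spare port is not a free drop. ---
interface range GigabitEthernet1/0/11 - 24
 shutdown
```

Two caveats a practitioner would weigh. Sticky port security only pins a MAC address, and a MAC can be cloned, so it is the cheap first layer, not the control you rely on; 802.1X with certificate-based EAP is the layer that actually ties the port to the device. For an endpoint whose supplicant is unreliable (the Windows 7 embedded case above), IOS can fall back to MAC Authentication Bypass with `mab` under the interface, which keeps the RADIUS policy and logging in place but is again only as strong as the MAC allowlist. Either way, the port-security and dot1x syslog messages are the signal to forward to the SOC: in the incident quoted at the top, a second MAC appearing on the ATM's switch port would have been the first observable.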