Legacy Windows XP systems used by public authorities in the UK remain a concern. The WannaCry outbreak last month, followed by the current 'NotPetya' outbreak, highlights the problem: both spread using an SMB vulnerability that Microsoft had patched in supported versions of Windows in March (MS17-010), but which was left unpatched in XP until the emergency fix Microsoft issued during the WannaCry outbreak.
Information obtained by Steve O'Connell, a member of the London Assembly and a Conservative Party spokesperson for policing and crime, shows that the Metropolitan Police Service (MPS, or the Met) was still using 18,293 XP machines on its network at the time the information was provided. Since XP is no longer supported by Microsoft, it is normally left exposed to any new exploit and implant, such as EternalBlue and DoublePulsar, with no fix to apply. It appears that only the tendency of WannaCry's exploit to crash XP rather than infect it prevented the worldwide outbreak from being far worse than it was.
The Met’s position is more precarious than implied by O’Connell’s figures. Last month, the UK’s data protection regulator, the ICO, published findings (PDF) from a consensual audit of the Met. While finding some areas of ‘good practice’, it also noted other areas in need of improvement.
One area flagged for improvement is the continued use of XP on some desktops and laptops, which the ICO says leaves "a residual risk to personal data." In relation to WannaCry and NotPetya, this risk is magnified by weaknesses in both the Met's backup and business continuity (BC) procedures: "Backup arrangements for file systems are not tested to ensure that they are recoverable in the event of a disaster."
Furthermore, “The database used to store BC information is unsupported and not backed up.”
The ICO’s conclusion was that “The audit has identified considerable scope for improvement in existing arrangements to reduce the risk of non-compliance [with the Data Protection Act].”
The combination of a vulnerable system and untested recovery capabilities is particularly susceptible to ransomware. It is even more so where the attackers are more intent on mischief than on collecting ransoms, as seems to be the case with both WannaCry and NotPetya: if paying offers no realistic prospect of getting data back, restoring from backups is the only route to recovery, and a backup that has never been test-restored cannot be relied on to exist when it is needed. The threat to, or potential loss of, personal data stored by the Metropolitan Police is particularly concerning.
“It is vital the Met is given the resources to step up its upgrade timeline before we see another cyber-attack with nationwide security implications,” warns O’Connell. But, of course, things are never so simple. SecurityWeek reached out to the Met to confirm O’Connell’s figures, and received the following statement:
“The MPS is undergoing a complete refresh of its information technology processes, infrastructure, and equipment – including its desktop computers.
“However, the upgrade programme is not as simple as it would be for many other organizations due to the amount of specialist legacy software upon which parts of the MPS still rely.
“Replacements or remediation for this software that are compatible with a more modern operating system have to be ready before the roll-out is completed to ensure continued operational effectiveness.
“We have completed the upgrade of just over 17,000 devices to Windows 8.1, and this reduces the number of desktops running Previous XP to around 10,000.”
The spokesperson did not know, and was unable to find out in time for this article, whether the Met has patched all its Windows systems (not just the XP ones) against the SMBv1 vulnerabilities fixed by MS17-010 (the ones exploited by EternalBlue) since the WannaCry outbreak. This matters because a patched XP estate does not help if newer Windows machines on the same network are still missing the update. However, he did add, "The entire Met ICT estate has a number of layers of industry-leading security, which we have been monitoring closely over the past 24 hours. The MPS estate currently remains un-impacted by the cyber-attack and our security checks continue."
The complicating factor of legacy software on legacy systems is a genuine problem, and not just for the Met. "I'm sympathetic to the fact that financially stretched government agencies and public services may not feel that an OS upgrade is the best use of scarce resources," independent security expert David Harley told SecurityWeek.
“Sometimes,” he continued, “there are technical reasons for not upgrading a system required to run specific software or peripherals. There may be systems for which an OS upgrade is expected to damage functionality for other reasons, such as underpowered hardware. There are systems that may not require updating because they’re fully air-gapped, I suppose. And the risk from running systems that can no longer be updated is sometimes overhyped: there’s plenty of malware that doesn’t rely on unpatched Windows versions to allow it to execute.”
But none of this means that organizations can relax their efforts to upgrade XP systems. "Nonetheless," concluded Harley, "the risk of attack by malware that makes use of vulnerabilities in unpatched machines (such as the new Petya variant that apparently makes use of EternalBlue) is quite significant enough to make it unwise to rely on systems that are no longer normally updated, even if the agencies concerned are taking advantage of rare events like Microsoft's XP patch in May... After all, dangers to their data, systems and internal processes don't only affect their 'business' but all of us."
The bottom line is that 10,000 XP systems still in use by the Metropolitan Police Service is really 10,000 too many.