Exploiting ATMs: a quick overview of recent hacks

2012-08-10 by . 14 comments


A few weeks ago, Kyle Rozendo asked a question on the IT Security StackExchange about Cracking a PCI terminal using a trojan based on the card. It caught my attention, so I started digging a little deeper into this matter.

There are some difficulties involved in hacking an ATM:

  • Often proprietary software
  • Often custom OS or modified embedded Windows

This means a high level of understanding is necessary, as well as access to ATMs to test on. All of the attacks I’ve dug up had some level of inside information before they were constructed.

2009: Diebold gets targeted by Skimer-A Trojan

One of the first serious hacks I came across was a Trojan found in ATMs in eastern Europe around 2009. As reported by Sophos, the attack was aimed at Diebold Opteva ATMs.

The Trojan was named Skimer-A. Its main goals were:

  • Steal information (card numbers and PINs)
  • Allow remote access
  • Drop more malware

The hack required physical access to the machine. The perpetrators used social engineering to persuade stores to allow them physical access to the machine after hours, so they could install the virus. After an analysis of the malware, Diebold concluded the attackers also had to have inside information about the systems. A lot of the functions used to extract information were part of the ATM’s operation software, but were never documented. The attackers also knew administrative passwords, unlocked the custom Windows CE version Diebold used, and misconfigured its firewall. (This was concluded from the security update by Diebold.)

2010: ATM Jackpotting by Barnaby Jack

In 2010, McAfee security expert Barnaby Jack presented his “ATM Jackpotting” at Blackhat. After careful analysis with physical access to a few teller machines, he was able to write a tool that could remotely exploit an ATM and patch it so you can call a custom menu with an access code or remotely start emptying the ATM’s money cassettes (hence Jackpotting).

The attack is aimed at standalone and hole-in-the-wall ATMs. The ATMs often run:

  • ARM/XSCALE processor
  • Windows CE
  • TCP/IP, Dial Up or CDMA wireless
  • Support for SSL
  • 3DES encrypted pin pad

In his research he used 3 different ATMs (he ordered these and got them delivered at home). He started his research by looking at the internal workings and, although there were some security measures in place, once he had physical access many possibilities started to appear. He started by looking for a way to modify the boot sequence, because the ATM boots into its proprietary software. This meant he had to patch the system so he could get access to a shell. He accomplished this by using a JTAG debugger.

Using the JTAG module, he was able to send a break when starting the different services. After this he could launch a proper shell.

This work was all necessary to reverse engineer the software and develop the actual attacks:

  • Walk up attack by “upgrading” the firmware with a flashcard (this required physical access, and a key to open the machine and access the motherboard – such keys are standard, and easy to find on the Internet).
  • Remote configuration attack, firmware can be upgraded remotely

The latter is the most interesting attack, but there are some security defenses in place that make a bruteforce attack impossible. However, Barnaby Jack was able to find a vulnerability in the authentication mechanism which allowed him to log in to the machine. He wrote a tool to do these attacks, named “Dillinger”. Now the problem he faced was how to find the ATMs on the internet.

Whilst ATMs support TCP/IP, about 95% of all ATMs still connect to the internet using Dial Up. This means War Dialing using a VOIP tool like WarVox makes it possible to go and find ATMs on the net. Most of the ATMs use a proprietary protocol, so once you identify this protocol you know an ATM is listening on the other side and you can go and try to exploit it. Once you have access to the ATM you can spawn a shell and install a rootkit. You will still need to identify where the ATM is physically located so you can go and collect the money. This is done by reading the configuration file (often the address is present on the receipts).

The rootkit to keep access to the teller is called “Scrooge”. It hides itself on the machine. One difficulty is that the kit needs to be modified for almost every version of ATM software that’s running because of different peripherals and non-standard ways to communicate. After installing the kit you can walk up to the ATM and enter a key sequence on the keypad; this brings up a custom menu that allows you to jackpot the ATM (completely empty it) or give you a specific amount of cash. This can also be done remotely.

Barnaby suggests the following countermeasures:

  • Better physical locks
  • Executable signing at the kernel level
  • Implement Trusted Environment
  • Put them on a separate, firewalled network
  • Disable the Remote Management System if you aren’t using it
  • More and better code auditing

You can find the complete presentation on Vimeo.

2012: MWR InfoSecurity reveals chip and PIN vulnerability

Chip and PIN is a system where one can insert a banking or credit card into a small machine and make an electronic payment. In the U.K. there is a government-backed initiative to make these as widespread as possible. MWR InfoSecurity, a Basingstoke (U.K.) based security company, revealed a way to attack these terminals with a custom PIN card. The attacks demonstrated at Blackhat 2012:

  • Producing a fake receipt, making a cashier think the payment was successful
  • Infect PIN entry devices to collect card data and harvest these with another rogue card
  • Network and interface attack

Apparently the exploits involved were present in normal computers more than a decade ago, making you wonder why this problem was ignored or went undetected, especially when Cambridge University researchers warned banks of the lack of security in these types of machines as early as 2010. Issues included unencrypted and unauthenticated communication between terminal and remote administration server, which makes a man-in-the-middle attack dead easy. At the moment of writing, no white paper has appeared (that I’m aware of or had access to). The devices affected were produced by VeriFone.
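To make the missing control concrete, here is an added example (not code from MWR, VeriFone or any ATM vendor) of the terminal-side checks an authenticated management channel would perform before acting on a remote firmware update. The message format, the field names, the `ManagementVerifier` class and the shared HMAC key are all assumptions made for illustration; a real deployment would more likely use vendor signatures and TLS.

```python
import hashlib
import hmac
import json


class ManagementVerifier:
    """Terminal-side check for remote-management messages (hypothetical format)."""

    def __init__(self, terminal_id: str, key: bytes):
        self.terminal_id = terminal_id
        self.key = key
        self.last_counter = 0  # highest counter accepted so far (replay guard)

    def verify(self, body: bytes, tag_hex: str, firmware: bytes) -> str:
        # 1. Authenticate the raw bytes before parsing anything in them.
        expected = hmac.new(self.key, body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag_hex):
            return "reject: bad tag"
        msg = json.loads(body)
        # 2. The message must be addressed to this terminal.
        if msg["terminal"] != self.terminal_id:
            return "reject: wrong terminal"
        # 3. Counters must strictly increase, so a recorded message cannot be replayed.
        if msg["counter"] <= self.last_counter:
            return "reject: replay"
        # 4. The image received must be the one the server authorised.
        if hashlib.sha256(firmware).hexdigest() != msg["firmware_sha256"]:
            return "reject: firmware mismatch"
        self.last_counter = msg["counter"]
        return "accept"


def sign(key: bytes, terminal: str, counter: int, firmware: bytes):
    """Server side: build and tag an update command (field names are assumed)."""
    fields = {"terminal": terminal, "counter": counter, "command": "update_firmware",
              "firmware_sha256": hashlib.sha256(firmware).hexdigest()}
    body = json.dumps(fields, sort_keys=True).encode()
    return body, hmac.new(key, body, hashlib.sha256).hexdigest()


def demo():
    key = b"constructed-demo-key"  # constructed sample value
    good_fw, other_fw = b"firmware v2 (constructed)", b"modified image (constructed)"
    term = ManagementVerifier("TERM-0001", key)
    body, tag = sign(key, "TERM-0001", 1, good_fw)
    return [
        term.verify(body, tag, other_fw),  # image swapped in transit
        term.verify(body.replace(b"TERM-0001", b"TERM-0002"), tag, good_fw),  # body edited
        term.verify(body, tag, good_fw),   # untouched message
        term.verify(body, tag, good_fw),   # same message sent again
    ]


if __name__ == "__main__":
    print(demo())
```

Without the tag, counter and hash checks, a party sitting between terminal and server could alter or resend any of these messages unnoticed, which is the weakness described above.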

Conclusion

If we look at the attacks over time, it becomes clear that they can be deployed faster and faster. The hacks still require a high level of knowledge and understanding of these systems, but because there are some really basic security issues like bad code reviewing, unencrypted/unauthenticated communication and bad physical security, the attacks are seemingly easy to deploy. It’s up to the producers of these machines to start securing them. Companies still rely too much on security through obscurity and do not expect an attack because a hacker would need insider information. Previous articles suggest that it’s not extremely hard to get that information.
