Exploiting ATMs: a quick overview of recent hacks

2012-08-10 by . 6 comments


A few weeks ago, Kyle Rozendo asked a question on the IT Security Stack Exchange about cracking a PCI terminal using a Trojan based on the card. It caught my attention, so I started digging a little deeper into the subject.

There are some difficulties involved in hacking an ATM:

  • Often proprietary software
  • Often custom OS or modified embedded Windows

This means a high level of understanding is necessary, as well as access to ATMs to test on. All of the attacks I've dug up relied on some level of inside information before they were constructed.

2009: Diebold gets targeted by Skimer-A Trojan

One of the first serious hacks I came across was a Trojan found in ATMs in Eastern Europe around 2009. As reported by Sophos, the attack was aimed at Diebold Opteva ATMs.

The Trojan was named Skimer-A. Its main goals were:

  • Steal information (card numbers and PINs)
  • Allow remote access
  • Drop more malware

The hack required physical access to the machine. The perpetrators used social engineering to persuade stores to let them at the machine after hours so they could install the malware. After analysing it, Diebold concluded the attackers must also have had inside information about the systems: many of the functions used to extract information were part of the ATM's own operating software but were never documented. They also knew administrative passwords, unlocked the locked-down Windows build Diebold used, and misconfigured its firewall. (This was concluded from the security update Diebold issued.)

2010: ATM Jackpotting by Barnaby Jack

In 2010, security researcher Barnaby Jack presented his "ATM Jackpotting" talk at Black Hat. After careful analysis, with physical access to a few teller machines, he was able to write a tool that could remotely exploit an ATM and patch it so that a custom menu can be called up with an access code, or so that the machine starts emptying its cash cassettes on remote command (hence "jackpotting").

The attack is aimed at standalone and hole-in-the-wall ATMs. These ATMs often run:

  • ARM/XSCALE processor
  • Windows CE
  • TCP/IP, Dial Up or CDMA wireless
  • Support for SSL
  • 3DES-encrypted PIN pad

In his research he used 3 different ATMs (he ordered them and had them delivered to his home). He started by studying the internal workings and, although some security measures were in place, once he had physical access many possibilities opened up. First he looked for a way to modify the boot sequence, because the ATM boots straight into its proprietary software, which means the system has to be patched before a shell can be reached. He accomplished this with a JTAG debugger.

Using the JTAG module he was able to send a break while the different services were starting. After that he could launch a proper shell.

This work was all necessary to reverse engineer the software and develop the actual attacks:

  • Walk-up attack by "upgrading" the firmware from a flash card (this requires physical access and a key to open the machine and reach the motherboard; such keys are standard and easy to find on the Internet).
  • Remote configuration attack: the firmware can be upgraded remotely.

The latter is the most interesting attack, but there are some security defenses in place that make a brute-force attack impossible. However, Barnaby Jack found a vulnerability in the authentication mechanism that allowed him to log in to the machine. He wrote a tool to perform these attacks, named "Dillinger". The next problem he faced was how to find ATMs to attack.

Whilst ATMs support TCP/IP, about 95% of all ATMs still connect using dial-up. This means war dialing, using a VoIP tool like WarVox, makes it possible to find ATMs. Most ATMs speak a proprietary protocol, so once you identify that protocol you know an ATM is listening on the other side and can try to exploit it. Once you have access to the ATM you can spawn a shell and install a rootkit. You still need to find out where the ATM is physically located so you can go and collect the money; this is done by reading the configuration file (the address is often printed on the receipts).

The rootkit that keeps access to the ATM is called "Scrooge". It hides itself on the machine. One difficulty is that the kit needs to be modified for almost every version of ATM software, because of the different peripherals and non-standard ways of communicating with them. After installing the kit you can walk up to the ATM and enter a key sequence on the keypad; this brings up a custom menu that lets you jackpot the ATM (completely empty it) or dispense a specific amount of cash. This can also be done remotely.

Barnaby suggests the following countermeasures:

  • Better physical locks
  • Executable signing at the kernel level
  • Implement Trusted Environment
  • Put them on a separate, firewalled network
  • Disable the Remote Management System if you aren’t using it
  • More and better code auditing

You can find the complete presentation on Vimeo.

2012: MWR InfoSecurity reveals chip and PIN vulnerability

Chip and PIN is a system where one inserts a bank or credit card into a small terminal and makes an electronic payment. In the U.K. there is a government-backed initiative to make these as widespread as possible. MWR InfoSecurity, a Basingstoke (U.K.) based security company, revealed a way to attack these terminals with a custom chip card. The attacks demonstrated at Black Hat 2012:

  • Producing a fake receipt, making a cashier think the payment was successful
  • Infecting PIN entry devices to collect card data, then harvesting it later with another rogue card
  • Network and interface attacks

Apparently the classes of vulnerability involved were present in ordinary computers more than a decade ago, which makes you wonder why the problem was ignored or went undetected, especially since Cambridge University researchers had warned banks about the lack of security in this type of machine as early as 2010. Issues included unencrypted and unauthenticated communication between the terminal and the remote administration server, which makes a man-in-the-middle attack dead easy. At the time of writing no white paper has appeared (that I'm aware of or have had access to). The devices affected were produced by VeriFone.
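The two remote paths above share one root cause: the remote firmware-upgrade channel Barnaby Jack abused with Dillinger, and the terminal-to-administration-server link MWR found unencrypted and unauthenticated, both let the terminal act on whatever arrives on the management port. The following Python is an added illustration, not code from the original post nor from Diebold, MWR or VeriFone. Its wire format (a 4-byte magic, a version counter, a length and the payload) and the shared key are invented for the example. It places a "legacy" terminal that flashes anything it receives beside a hardened one that verifies an HMAC-SHA256 tag before trusting any field and refuses rollbacks, and shows what an on-path attacker without the key can and cannot do.

```python
"""Firmware-update message handling: an unauthenticated ('legacy') terminal
beside one that verifies an HMAC tag and a monotonic version counter.

Added illustration for this post; the wire format is made up (it is not
Diebold's, Tranax's or VeriFone's protocol).  The shared key stands in for
whatever credential a real terminal would be provisioned with.
"""
import hashlib
import hmac
import struct
from typing import Optional, Tuple

MAGIC = b"UPG1"
HEADER = struct.Struct(">4sII")  # magic, firmware version, payload length
TAG_LEN = 32                     # HMAC-SHA256 output size

# Constructed key for the example.  In a real fleet this would be provisioned
# per terminal, and a public-key signature would be preferable so that the
# terminal holds nothing that can *produce* a valid update.
TERMINAL_KEY = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)


def build_update(version: int, payload: bytes, key: Optional[bytes] = None) -> bytes:
    """Serialise an update; with a key, append an HMAC over header + payload."""
    body = HEADER.pack(MAGIC, version, len(payload)) + payload
    if key is None:
        return body
    return body + hmac.new(key, body, hashlib.sha256).digest()


def parse_update(msg: bytes) -> Tuple[int, bytes, bytes]:
    """Split a message into (version, payload, trailing tag); tag may be empty."""
    if len(msg) < HEADER.size:
        raise ValueError("short message")
    magic, version, plen = HEADER.unpack_from(msg)
    if magic != MAGIC:
        raise ValueError("bad magic")
    payload = msg[HEADER.size:HEADER.size + plen]
    if len(payload) != plen:
        raise ValueError("truncated payload")
    return version, payload, msg[HEADER.size + plen:]


def legacy_terminal_apply(msg: bytes) -> Optional[bytes]:
    """The weak design: whatever arrives on the management port gets flashed."""
    try:
        _, payload, _ = parse_update(msg)
    except ValueError:
        return None
    return payload


class HardenedTerminal:
    """Checks the tag before trusting any field, then enforces anti-rollback."""

    def __init__(self, key: bytes, installed_version: int = 0):
        self.key = key
        self.installed_version = installed_version

    def apply(self, msg: bytes) -> Optional[bytes]:
        if len(msg) < HEADER.size + TAG_LEN:
            return None
        body, tag = msg[:-TAG_LEN], msg[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):   # constant-time comparison
            return None
        try:
            version, payload, _ = parse_update(body)
        except ValueError:
            return None
        if version <= self.installed_version:       # replay or rollback
            return None
        self.installed_version = version
        return payload


def mitm_replace_payload(msg: bytes, evil_payload: bytes) -> bytes:
    """What an on-path attacker can do without the key: swap the payload and
    fix up the length field, leaving any trailing tag untouched."""
    version, _, tag = parse_update(msg)
    return HEADER.pack(MAGIC, version, len(evil_payload)) + evil_payload + tag


if __name__ == "__main__":
    genuine = build_update(2, b"firmware-v2", TERMINAL_KEY)
    tampered = mitm_replace_payload(genuine, b"scrooge-rootkit")
    print("legacy flashes attacker payload:", legacy_terminal_apply(tampered))
    t = HardenedTerminal(TERMINAL_KEY, installed_version=1)
    print("hardened rejects tampered:", t.apply(tampered) is None)
    print("hardened accepts genuine:", t.apply(genuine))
    print("hardened rejects replay:", t.apply(genuine) is None)
```

Note what the tag does not buy: it proves the update came from a key holder and was not modified in transit, but it does not hide the payload (add encryption if the firmware itself is sensitive) and it cannot stop a key holder, which is why a terminal should ideally verify a public-key signature rather than share a symmetric secret with the management server.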

Conclusion

If we look at the attacks over time, it becomes clear that they can be deployed faster and faster. The hacks still require a high level of knowledge and understanding of these systems, but because of some really basic security issues, such as poor code review, unencrypted/unauthenticated communication and weak physical security, the attacks are seemingly easy to deploy. It's up to the producers of these machines to start securing them. Companies still rely too much on security through obscurity and do not expect an attack because a hacker would need insider information. The cases above suggest that such information is not extremely hard to get.

Sources:

6 Comments


  • [...] http://security.blogoverflow.com/2012/08/taking advantage of-automatic teller machines-a-quick-overv… This entry was posted in security and tagged injection, intrusion, pci-pts, smartcard by admin. Bookmark the permalink. [...]

  • Rose winslet says:

    Make sure that the company you trust in providing security alarm should inform you that these devices should be tested by security testing equipment periodically for a reliable result. http://www.sharpedge.ie/

  • PaulHerrison says:

    I appreciate your way of exploring this information regarding Exploiting ATMs. Nice post.

  • Specializing in ATM Processing & ATM Equipment. Learn about passive income from the ATM Business. Put More More Money in your Pocket. http://www.atmdepot.com/

  • mark steven says:

    You are welcome to the wonder land of hacks, want to know how to hack an ATM MACHINE OR BANK ACCOUNT? You can hack and break into a bank’s security without carrying guns or any weapon.

    HOW IS THIS POSSIBLE

    First of all, we have to learn about the manual hacking of ATM MACHINES AND BANKING ACCOUNTS before introducing the software.

    HOW THE ATM MACHINE WORKS

    If you have been to the bank, you find out that the money in the ATM MACHINE is being filled right inside the house where the machine is built with enough security.

    To hack this machine manually, get an ATM card, whether valid or not, as long as it can freely enter into the machine. Then get a candle, light the candle and use the wax to cover the panel on the ATM CARD; covering that panel will make the card look default to the machine.

    Now, go to any Bank near you and try this trick, but if you are caught, that's your own wella ooh! not mine. When you get to the machine, insert the card and enter a default pin which is 0000. Done that? Wait and see the action. The atm machine will dispense cash. But sometimes the machine would say card not smart or it would just eject your card. The reason is because some atm machines are upgraded while others are not.

    HOW DO I KNOW AN UPGRADED MACHINE For you to know an upgraded atm machine, you will observe that most times when you use a particular atm machine, as the machine is dispensing the cash, the bank will also send you a debit alert. If the machine is not upgraded, it may take up to 30 minutes before the bank sends a debit alert. The candle trick is 60% efficient on a machine that is not upgraded but it may not work on an upgraded machine because of its sensitivity.

    THE BANK HACKING SOFTWARE

    From our studies on the manual hacking of the atm machine, you will agree with me that it affects the bank alone but using the software affects the individual or organisation that owns the bank account.

    HOW THE SOFTWARE WORKS

    Like I said, the software is very easy to use, but you need a prepaid debit mastercard and a knowledge of how to hide your browsing ip (your location) on your pc. The money you hack will be sent to your prepaid debit mastercard not your bank account, this is for security reasons but afterwards, you can go to the nearest atm machine close to you and withdraw the money using your mastercard. NOTE: I advise that you should not use your correct house address on your mastercard billing details to avoid probs for yourself.

    Having known this, you download the software, install it, launch it and enter every piece of information required on start. After this, log on to the control panel and click on transfer funds, then you will be brought to a page where you will enter the details of the bank account you want to hack. Details like account name, account number, name of bank, country and zipcode. After entering the information, click submit and the person's bank account balance will display, then enter the amount you want and click send to card, the money will be sent to your prepaid debit mastercard.

    HOW TO GET THE SOFTWARE

    I am currently selling this software at a give away price of $300 to serious minded people. If you need this software, contact me with this email…[email protected]
