Exploiting ATMs: a quick overview of recent hacks
10 Aug 2012
A few weeks ago, Kyle Rozendo asked a question on Security StackExchange about cracking a PCI terminal using a trojan based on the card. It caught my attention, so I started digging a little deeper into the matter.
There are some difficulties involved in hacking an ATM:
- Often proprietary software
- Often a custom OS or a modified embedded Windows
This means a high level of understanding is necessary, as well as access to ATMs to test on. All of the attacks described below relied on some level of inside information before they were constructed.
2009: Diebold targeted by the Skimer-A Trojan
One of the first serious hacks I came across was a Trojan found in ATMs in eastern Europe around 2009. As reported by Sophos, the attack was aimed at Diebold Opteva ATMs.
The Trojan was named Skimer-A. Its main goals were:
- Steal card information (numbers and PINs)
- Allow remote access
- Drop more malware
The hack required physical access to the machine: the perpetrators coerced local stores into giving them access to the machine after hours so they could install the malware. According to Diebold, the attackers must have had inside information; it concluded this after analysing the malware. Many of the functions used to extract information were part of the ATM's own operating software but were never documented. The attackers also knew administrative passwords, unlocked the custom Windows CE build Diebold uses, and misconfigured its firewall (this was concluded from the security update Diebold published).
2010: ATM Jackpotting by Barnaby Jack
In 2010, security researcher Barnaby Jack (then at IOActive) presented "ATM Jackpotting" at Black Hat. After careful analysis, with physical access to a few teller machines, he was able to write a tool that could remotely exploit an ATM and patch it so that a custom menu can be called up with an access code, or the ATM's money cassettes can be emptied remotely (hence "jackpotting").
The attack is aimed at standalone and hole-in-the-wall ATMs. These ATMs often run:
- ARM/XScale processor
- Windows CE
- TCP/IP, dial-up or CDMA wireless
- Support for SSL
- 3DES-encrypted PIN pad
In his research he used three different ATMs (he ordered them and had them delivered to his home). He started by looking at the internal workings; although there were some security measures in place, once he had physical access the possibilities started to appear. He first looked for a way to modify the boot sequence, because the ATM boots straight into its proprietary software, which means the system has to be patched before you can get to a shell. He accomplished this with a JTAG debugger: using the JTAG module he could send a break while the different services were starting, after which he could launch a proper shell.
This groundwork was all necessary to reverse engineer the software and develop the actual attacks:
- Walk-up attack: "upgrade" the firmware from a flash card (requires physical access and a key to open the machine and reach the motherboard; these keys are standard and easy to find on the internet)
- Remote configuration attack: the firmware can be upgraded remotely
The latter is the most interesting attack, but there are security defences in place that make a brute-force attack impossible. Barnaby Jack did, however, find a vulnerability in the authentication mechanism that allowed him to log in to the machine. He wrote a tool for these attacks, named "Dillinger". The next problem he faced was how to find the ATMs on the internet.
Whilst ATMs support TCP/IP, about 95% of them still connect using dial-up. This means that war dialing with a VoIP tool like WarVox makes it possible to go and find ATMs. Most ATMs use a proprietary protocol, so once you identify that protocol you know an ATM is listening on the other side and you can try to exploit it.
Once you have access to the ATM you can spawn a shell and install a rootkit. You still need to identify where the ATM is physically located so you can go and collect the money; this is done by reading the configuration file (the address is often printed on the receipts).
The rootkit that keeps access to the machine is called "Scrooge", and it hides itself on the machine. One difficulty is that the kit needs to be modified for almost every version of ATM software because of the different peripherals and the non-standard ways of communicating with them. After installing the kit you can walk up to the ATM and enter a key sequence on the keypad; this brings up a custom menu that lets you jackpot the ATM (empty it completely) or dispense a specific amount of cash. The same can be done remotely.
Barnaby Jack suggests the following countermeasures:
- Better physical locks
- Executable signing at the kernel level
- Implement a trusted environment
- Put them on a separate, firewalled network
- Disable the Remote Management System if you aren't using it
- More and better code auditing
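The remote configuration attack above works because the firmware a management connection pushes is accepted without proof of where it came from, which is exactly what the "executable signing" countermeasure addresses. The following Go program is an added example (not Barnaby Jack's code, Dillinger, or any vendor's real update format) of what a loader-side check looks like: the update layout (`"ATMF"` magic, a big-endian version, then the image), the `Update` type and the function names are all assumptions made for this illustration. It shows why the signature must cover the version as well as the image, and why the version check only means something after the signature verifies.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Assumed update-package layout for this example (not any vendor's real format):
//   "ATMF" | version (uint32, big-endian) | payload bytes
// The signature covers all of it, so neither the image nor the version can be altered in transit.
const magic = "ATMF"

// Update is a firmware package as it would arrive over the remote-management channel.
type Update struct {
	Version uint32
	Payload []byte
	Sig     []byte // Ed25519 signature made with the vendor's signing key
}

var (
	ErrBadSignature = errors.New("firmware: signature does not verify against the vendor key")
	ErrRollback     = errors.New("firmware: version is not newer than the installed one")
)

// signedBytes serialises exactly the fields the signature protects.
func signedBytes(version uint32, payload []byte) []byte {
	buf := make([]byte, 0, len(magic)+4+len(payload))
	buf = append(buf, magic...)
	var v [4]byte
	binary.BigEndian.PutUint32(v[:], version)
	buf = append(buf, v[:]...)
	return append(buf, payload...)
}

// SignUpdate is the vendor's build-pipeline side; the private key never leaves the vendor.
func SignUpdate(priv ed25519.PrivateKey, version uint32, payload []byte) Update {
	return Update{Version: version, Payload: payload, Sig: ed25519.Sign(priv, signedBytes(version, payload))}
}

// VerifyUpdate is what the ATM's loader runs before it touches flash:
// signature first (the version field is only trustworthy once it verifies), then anti-rollback.
func VerifyUpdate(pub ed25519.PublicKey, installed uint32, u Update) error {
	if !ed25519.Verify(pub, signedBytes(u.Version, u.Payload), u.Sig) {
		return ErrBadSignature
	}
	if u.Version <= installed {
		return ErrRollback
	}
	return nil
}

func main() {
	// Vendor key pair generated here only for the demo; the public half would be burned into the ATM.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	const installed = 6

	// Constructed sample image, signed by the vendor: accepted.
	genuine := SignUpdate(priv, 7, []byte("constructed firmware image v7"))
	fmt.Println("genuine v7:", VerifyUpdate(pub, installed, genuine))

	// Attacker with remote-management access patches one byte of the image: rejected.
	tampered := genuine
	tampered.Payload = append([]byte(nil), genuine.Payload...)
	tampered.Payload[0] ^= 0x01
	fmt.Println("tampered payload:", VerifyUpdate(pub, installed, tampered))

	// Attacker signs their own image with their own key: the ATM only trusts the vendor key.
	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)
	forged := SignUpdate(attackerPriv, 8, []byte("attacker image"))
	fmt.Println("attacker-signed:", VerifyUpdate(pub, installed, forged))

	// Replaying a genuine but older (vulnerable) build is refused by the version check.
	old := SignUpdate(priv, 5, []byte("constructed firmware image v5"))
	fmt.Println("old genuine v5:", VerifyUpdate(pub, installed, old))
}
```

The ordering in `VerifyUpdate` matters: if the version were compared before the signature was checked, an attacker could still feed the loader arbitrary version numbers to probe or wear down the check, and a version field that sits outside the signed region could be edited freely to bypass anti-rollback.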
You can find the complete presentation here on Vimeo
2012: MWR InfoSecurity reveals chip and PIN vulnerability
Chip and PIN is a system in which a customer inserts their bank or credit card into a small terminal to make an electronic payment. In the U.K. there is a government-backed initiative to make these as widespread as possible. MWR InfoSecurity, a Basingstoke (U.K.) based security company, revealed a way to attack these terminals with a custom-made chip card.
The attacks demonstrated at Black Hat 2012:
- Producing a fake receipt, making a cashier think the payment was successful
- Infecting PIN entry devices to collect card data, then harvesting it with another rogue card
- Network and interface attacks
Apparently the classes of vulnerability involved were present in ordinary computers more than a decade ago, which makes you wonder why this problem was ignored or went undetected, especially since Cambridge University researchers warned banks about the lack of security in these types of machines as early as 2010.
Issues included unencrypted communication between the terminal and the remote administration server, which makes a man-in-the-middle attack trivial. At the time of writing no white paper has appeared (that I'm aware of or have had access to). The devices affected were produced by VeriFone.
In February 2013 I was at an OWASP chapter meeting where a Cambridge researcher demonstrated how they were able to circumvent payment authorisation systems. They still required the card to be cable-connected to a special computer, which they carried in a backpack with the wire running through their sweater's sleeve. So I was rather sceptical about the usability of such a hack, but this quickly disappeared when he explained that two French criminals had actually managed to put all that technology on a chip that fitted in the card and was only 1.6mm thicker than the original smart card chip. Criminals surpassing Cambridge researchers was rather surprising, but it also shows how motivated these criminals are, and they probably weren't even the best, considering they were caught.
If we look at the attacks over time, it becomes clear that they can be deployed faster and faster. The hacks still require a high level of knowledge and understanding of these systems, but because of some really basic security failures, such as poor code review, unencrypted communication and bad physical security, the attacks are seemingly easy to deploy. It's up to the manufacturers of these machines to start securing them. Companies still rely too much on security through obscurity and do not expect an attack because a hacker would need insider information; the articles referenced below suggest that it's not extremely hard to get that information.
- Geoff White, Channel 4, Credit card readers can be hacked for details, 29 July 2012
- Anonymous, Infosecurity, Russians hack Diebold ATM software, 19 March 2009
- Anonymous, Sophos, Troj/Skimer-A, 17 March 2009
- Pat Carroll, Finextra, Protecting Pin Pad Payment, 18 July 2012
- Vanja Svajcer, Naked Security, Credit card skimming malware targeting ATMs, 17 March 2009
- Graham Cluley, Naked Security, Is there malware lurking in your ATM?, 17 March 2009
- Graham Cluley, Naked Security, More details on the Diebold ATM Trojan horse case, 18 March 2009
- Warwick Ashford, Computer Weekly, BlackHat 2012: UK firm MWR InfoSecurity reveals chip and PIN vulnerability, 26 July 2012