DEF CON 18 - Barnaby Jack - Jackpotting Automated Teller Machines Redux

Captions
So, it was a long time coming. I want to give a big thanks to my mate Alex, who flew in from Europe to help me road trip these ATMs to Vegas. We literally threw two ATMs in the back of an Escalade and gunned it from the Bay Area to Vegas, thinking if we get pulled over for this we'd have a hell of a time trying to explain our way out of it. We got here, so more like two ATMs in the back of an Escalade and about 6,000 notes of novelty currency. That'd be "what on earth are you boys up to, then?"

So the attraction to targeting ATMs is fairly obvious, you know, they're full of cash. But for myself it's kind of part of a bigger picture and a bigger plan, and that's to explore systems that, when compromised, have direct and immediate consequences. So whether it be ATM machines, medical devices, smart meters, you know, the computer system in your vehicle, particularly because they're not often designed with a secure methodology from the get-go, and as a result of that research we can use that knowledge to design better and safer products in the future. So the goal of the talk is to spark discussion on ways to remediate and fix the vulnerabilities I'm going to be demonstrating. The goal isn't to give a cookbook recipe on how to hack ATMs. The process of finding vulnerabilities I think is always more interesting, you know, the journey not the destination, although the destination is pretty damn cool and that's one too. And I hope to change the way people look at devices that from the outside seem impenetrable.

So, current attacks. You're probably all aware of the skimmer, which is certainly a fan favorite: a small overlay that slides over the card slot or the PIN pad, manufactured to blend seamlessly with the ATM itself, designed to capture both the track data and PIN numbers. And the technology on some of these is no joke, you know, they send you the data over GPS and some even have tamper detection, so when they're found out they'll wipe themselves. Interesting. Physical theft and ram raids: you've probably seen those various YouTube videos where a couple of good ol' boys go through the front window of a place, a chain to the ATM and the other end to the pickup truck, and just gun it out of there. Not really the most subtle of attacks, of course, but it's kind of ninja status compared to some of the other ones. Card trapping and card skimming, where someone inserts a small shim, commonly known as the Lebanese loop, that traps your card. It's designed in such a way that when your card's read the card won't be returned, and it's often combined with shoulder surfing to get your PIN, but sometimes they'll get your PIN in ways which may not be quite as friendly. Cutting and frontal attacks, basically going at an ATM with a pair of pliers and a blowtorch. And explosives, which is surprisingly popular, which I find a little bit odd. The attack is literally tying a bunch of explosives to an ATM and blowing the crap out of it. Now, you'd think that would be somewhat counterproductive to what you're trying to accomplish, but it's big in Australia, so go figure. And data breaches: hacking the bank processor, harvesting the card data and PINs. I suppose the best example of that would have been the hack of the RBS WorldPay backend, and certainly the most technically sophisticated of the attacks I've seen. I think about 9 million was stolen during that attack. And of course, "other" or miscellaneous. So we have the default passcode attack from a couple of years back. That's where, if the operator password was left unchanged on the ATM, you could reprogram the ATM to think it had a lower denomination than it really did, so it would think it was spitting out $5 notes when it's really giving you $20s. And I'll be adding more to the "other" category: practical attacks which I think will blow that John Connor attack right out of the water.

So I picked standalone ATMs, and there's a few reasons. One, they're pretty easy to get hold of. Like anything on the internet, you can jump online and just "Add to Cart", basically. But getting the ATMs delivered to your house, on the other hand, is interesting. So I remember when one of the ATM delivery guys came in and he wheeled the ATM into my place and he's just like, "why on earth do you need an ATM in your house for?" And I was feeling a bit cheeky, so I looked at him and said, "I just don't like the transaction fees, mate." And also they're everywhere, right? Every bar, convenience store, market, wherever. They're often in secluded areas, hidden out by the restroom, tucked away in corners. But I'm going to discuss attack methods for both standalone and hole-in-the-wall ATMs. I'll go over walk-up style attacks but then shift focus to the far more important vector, in my opinion, and that's the remote attack, and what the attacker can leverage with a successful remote compromise. And when I say remote I mean remote by default, because that's the only way to roll, really.

So just to show how popular these ATMs are, this is literally one block just down the road from my place. I decided I'd just go on a bit of a pub crawl to see what I could find as far as vulnerable ATMs go. This is literally half a mile. My favorite is this dude, actually, who owns a Mexican restaurant. He's a good sport, and they've just got a potted plant resting on top of the ATM there. He doesn't exactly look chuffed to be in this picture.

So the standard specs of a new model retail style ATM: typically Windows CE running on an ARM processor. New models support both TCP/IP and dial-up by default, wireless being CDMA, not 802.11, so no Droid drive-by ATM hacks, unfortunately. It would be cool to, you know, drive by a store and have it spit out cash. No such luck. SSL support, and Triple DES encrypting PIN pads. Basically the PIN pad itself performs all the encryption on the device and has anti-tampering mechanisms, and I'll talk more about that beast a little bit later too. All right, is that better? Okay.

So here's the ATM internals. Receipt printer, over to the right you can see the card reader, and there's a serial interface that leads down into the safe, which is actually wired into the dispenser. And there's also various motherboard inputs: multiple USB, SD cards, network, and some debugging ports. Now there's usually a cover that protects the circuit board, and I've only removed it there just to show the internals. I guarantee that these ATMs are completely stock, completely unmodified, totally untouched. Now, funnily enough, of all the possible ways an ATM talk could get disrupted, it was actually my cat who almost took it down for me. I had a USB keyboard plugged in and he was running around chasing a moth or something and tripped over the USB cord, pulled it out, and pulled the processor plug out at the same time. But luckily it was easily soldered back in. Bad kitty.

So in my opinion the presentation shouldn't really be a full-blown technical tutorial, so I'm going to be following up later with a white paper that goes into more technical details. But rather than digging deep into the ins and outs of Windows CE internals, I'll sum up the security hurdles I faced with this quote: "We were concerned about protection but not about security. We weren't trying to design an airtight system like Windows NT." And this was from Thomas Fenwick, the guy who actually created the Windows CE kernel, and I got that from a book called "Inside Windows CE", which is essentially just a bunch of interviews with the core developers. So obviously things have changed a little bit since that book was written, but to be honest there were not a lot of roadblocks.

So before we can even think about giving the guy from Terminator 2 a run for his money and actually start devising attacks, the first step is to be able to interface with the ATM itself and gain access to the file system. With access to the file system we can then pull the executables off to be able to do some reverse engineering. Now, unfortunately, the ATM boots directly to a proprietary application, so there's no Explorer shell, so we need a shell to make things easy. And originally, naively, I thought I could just plug in the USB keyboard and just alt-tab, but that wasn't to be the case, of course. So to get a shell we'll need Explorer to somehow execute at boot time. The Windows CE application boot sequence is pretty straightforward: the kernel, nk.exe, runs filesys, which initializes the registry and the file system, and then executes the applications listed in the HKLM\Init registry key. So the trick is to patch the application we want executed into this boot list, so we want to get explorer.exe into the boot list. And there's two approaches. The first approach assumes you actually have a copy of the CE ROM image. The registry file can then be extracted, modified, and recompiled into the image, but this requires a way, of course, to rewrite the flash, whether it be via serial, Ethernet, JTAG or what have you. Now, the other approach is to patch in Explorer while you're debugging, which of course requires debugging capability, JTAG and so on. So I decided to go with JTAG. This is a fairly straightforward way to accomplish our goals. JTAG is essentially a hardware debugging interface which will give you unrestricted debugging access to the processor core. Now, the hardware for this stuff used to be pretty pricey, but these days with OpenOCD and some of the open source developments you can get the hardware for less than 100 bucks now. So with JTAG access we can remotely debug with gdb, debug the kernel, boot loader, and so on. JTAG's been talked about to death, I've talked about it to death, I'm not going to dwell on that too much. So this is the hardware debugger connected to the motherboard. Now, it probably seems obvious, but the use of hardware debuggers and things of that nature have absolutely nothing to do with the ATM attacks I'll be demonstrating. It's simply used to initially gain access to the file system so we can reverse engineer to find vulnerabilities.

Now, speaking of JTAG, I learned a valuable lesson when I was actually messing around with one of the ATMs. I had the JTAG hooked up, screwing around, and I accidentally wiped out a massive chunk of the firmware which unfortunately overwrote some of the core ATM files. Now, at the time I was unable to get the software for the ATM to fix it, so I had to call a licensed ATM technician, and three of them came over to my house. And again, you know, "why do you have ATMs in your house?" I said, "oh, you know, I haven't moved them into the convenience store yet," or whatever. And anyway, so, "what happened? You know, I've never seen something completely annihilated like that." And I was just, "I was trying to change the splash screen, you know, I put in this little card and it just crapped out." And he's like, "oh yeah, they'll do that, they'll do that." So the dude pops open the ATM and he's going on about firmware. "Firmware? What on earth is that, mate?" You know, I'm just acting completely stupid. He taught me a lot about hacking ATMs. I got their business cards, we kept in touch, but I think possibly after this presentation that relationship may be severed. But so, yeah, the lesson was always back up your firmware.

So now that we can debug, we need a way to inject. Now, with the debugger connected, I set a breakpoint on CreateProcess, the offset found by dumping the memory from the ATM and just doing a byte compare with an offline version of coredll. Now, when working with the ARM processor, the parameters passed to a function are passed via registers before they utilize the stack, so r0, being the first parameter, is going to have the executable that we want to execute. Now, we simply replace the string of the ATM executable it reads from the registry, override it with explorer.exe. Now, explorer.exe has to exist in the image for this to actually work. If not, you need to put a copy of Explorer on a removable disk and pass the full name to CreateProcess. But then you get a shell. So, as simple as that, really. Now, when I was first playing on these ATMs I was actually quite excited to have a shell on it. I'm having ATMs play movies and whatnot, but probably not really surprisingly, ATMs are pretty crap for playing movies. Fairly slow frame rate and a 6-inch screen, so they won't be replacing the home theater.

Okay, so with Explorer we can plug in a USB drive and keyboards and copy off the files for reverse engineering, modify the registry so Explorer is always going to boot. Remote debugging with JTAG and gdb is of course not the ideal way to debug a Windows machine, so the next step is to actually set up a more user friendly debugging environment. So there's a way to debug Windows CE applications without having ActiveSync, that is, debug with Visual Studio over Ethernet. You simply build an empty project, override the local executable with the executable from the device you want to debug, set the TCP settings correctly to copy the file from the device, run the debugger, and then you have the application to debug in Visual Studio. So now we finally have everything in place to be able to reverse engineer the software to locate the vulnerabilities, but also to test any software we create for the ATM.

So finally we can get to planning an attack. Now of course there's a limited attack surface. Obviously we have the card reader, but assuming we have an overflow or some other string based attack via the card tracks, there's an extremely limited amount of characters and a very restricted character set. I'm not going to say it's not possible, but it'd be unlikely to be practical or all that reliable. The keypad's possibly a long shot, but you never know, maybe master passwords left in by developers, backdoors, what have you. And then the network: any open ports, anything answering on the phone line, any options for any possible remote attacks. And of course the various inputs on the motherboard itself, but of course this requires access to the motherboard itself. Now of course progress is never really made without a few failures along the way, and in my attempt to come up with a Terminator 2 style hack I made this device. It's basically an electromagnet wired up to an amp which is connected to a media player. A wave file is created to simulate the data on a magstripe, the electromagnet's plugged into the card slot, you play the wave file and the ATM thinks it's just read a magnetic stripe. It works fine, but didn't have any use for finding vulnerabilities.

Okay, so the walk-up attack. The goal of course is to execute code on the ATM. Now the cash dispenser is housed at the very least by a safe, even if you take the cheapest option. If you spend more you can get some fairly heavy-duty vault style protections. But the motherboard, on the other hand, is protected by a one-key-fits-all lock, and this is standard practice, as you can see. And like everything else on the internet they're easily available to add to cart, and you can get keys for pretty much every major vendor. So one key will open all the models from that same manufacturer, the cabinet. Now funnily enough the keys used to be available last year but they've somehow vanished. I'm sure with a little creativity they can still be acquired. So now with your master key you have access to the USB slots and whatever other inputs, so you can pop open the motherboard compartment and insert a USB key within a couple of seconds. It's a lot faster than installing a skimmer, of course. Now even though the attack time here is short, of course there's still the possibility for detection. That's the great thing about these retail and standalone type ATMs, you know, they're there in bars, up by the restrooms, out of sight, off by the ciggy machine or something. But then there's also kind of the psychological aspect of ATMs, in that it's considered kind of rude to look over the shoulder of someone as they're using the ATM, unless you're of course a criminal. And if he was looking over my shoulder, well, he would learn a trick or two, I suppose.

Now all ATMs need ways to upgrade the firmware, and this is most often leveraged via the removable drives. So the ATM application will check the drive for a valid upgrade. If a valid firmware is found it will load it up and install, and if we've created the firmware ourselves, of course, we can install whatever code we want to. Now of course the firmware is typically a proprietary format, executables encapsulating the firmware, there are checksums and encryption, but these algorithms are easily figured out by reverse engineering the code on the ATM side. So once you can create your own firmware package that has the correct format you can then upgrade, but of course with a few modifications.

Now the remote attack, which is obviously the most important vector. So most if not all ATMs running some sort of Windows based OS support some form of remote monitoring and remote configuration. So this allows you to log in to your ATM remotely, review or change your settings, get stats, change splash screens, and so on. But another useful feature is the ability to remotely upgrade the software. Now this is sometimes a feature, but it's always something you can leverage if you have a vulnerability, right? Now obviously authentication is required to be able to do anything remotely, and on this particular model you require both the serial number and the password, and they're both made up of a combination of numbers, and there is a five-second delay forced after each connection attempt. So a brute force is basically out of the question. So we require a vulnerability within the authentication process itself, and it just so happens... So introducing Dillinger. Dillinger is my remote ATM attack, or administration tool, whatever way you want to look at it. So we've talked about loading code locally on an ATM machine. With the master key and the flash drive and the correctly formed firmware you're basically set, but the obvious drawback here is that you need to interact with the machine in some way. So of course the ultimate win is to be able to execute code or load software remotely, and that's where Dillinger comes in, named after the bank robber.

So Dillinger leverages a fairly serious vulnerability in the ATM remote management capability, and interestingly, although most operators don't actually use this capability, remote monitoring is enabled by default on all of this manufacturer's ATMs. Ka-ching. Now typically to log in to the machine remotely will require both knowledge of the serial number and of the password. Now due to a pretty awesome vulnerability I'm able to bypass all authentication on the device, and the remote attack is 100% reliable. Now Dillinger supports both TCP/IP and it also supports dial-up, because I heard through a fairly knowledgeable source that approximately 95% of these standalone type ATMs are using a dial-up connection. So of course back in the day trying to find an ATM over the phone line would be a long process of nights and nights of war dialing, but thanks to tools like HD Moore's WarVOX you can map out the modems on an exchange in a matter of hours, then just write a custom tool to find ATMs and you're away. So Dillinger allows you to manage an unlimited amount of ATMs through its interface, so you could, you know, add a group, say a city, and under the city you can add each individual ATM that you found and either its IP address or its phone number. Now the heart of the tool of course is the authentication bypass, which is the stepping stone to doing anything useful, really. So one feature in Dillinger is to be able to test the bypass in a way which confirms the vulnerability but doesn't actually modify the remote system or leave any trace. So the obvious problem with finding remote ATMs is that you have no idea of the location, so I've added a feature where you can pull the ATM settings, which includes all the master passwords and the receipt data, because you know each time you use an ATM you look at the bottom of the receipt, it has the location of where it is, or at least the name of the business, right? Upload a rootkit, and that's not a bad feature: bypasses authentication, initiates a software upload, which lets me replace the firmware. So, awesome. So in general someone's going to need to be at the ATM if you want to get a payout, right? So I've added another feature so it's possible to carry out an attack without ever visiting the ATM: anyone who inserts a card, that track data is captured, and you can retrieve that track data remotely. And finally the remote jackpot, which I suppose speaks for itself, really.

Now introducing Scrooge. Scrooge is the rootkit I've developed specifically for ATMs. It implements typical rootkit technologies: hides itself by hooking various system calls, hides itself in the process list, hides itself in the file system, hooking syscalls and filtering results and so on. Now there's a hidden pop-up menu which can be activated both with a special key sequence on the ATM or by inserting a card that has some custom track data on it. It'll run on any ARM or XScale based ATM, and Intel with a few tweaks. Originally it was designed for both Intel and ARM, but it turns out that CE on x86 is actually pretty rare and basically non-existent in the ATM world. So the code for interfacing with the ATM has to be customized for different ATMs as they all use different peripherals and fairly non-standard protocols for communicating. So I just use a standard SetWindowsHook for capturing the side buttons on the ATM, and although that API is actually undocumented in Windows CE it still exists and works as expected. So a combination of keys will trigger the menu. It's varied enough not to launch by accident, but you know, if maybe some kid's screwing around with it you might get a big payout, but who knows. The card reader is hooked via an inline detour style patch, so essentially you patch in a branch instruction to a piece of code you'd like to intercept: the branch jumps to your code, your code executes, and then returns to the original function. Now with the hook in place there's a check on the read buffer any time a card is entered, and if the second track matches "give me the loot" it'll bring up the menu as well.

So the menu functions are fairly standard for what you'd expect: you can dispense from each cassette, print out stats, which includes the remaining bill count, and of course exit. So to add my own functionality I've added a few inline patches, where basically you're patching in a few assembler stubs at functions you want to hook; that stub calls a function in an external DLL, executes any overwritten instructions, and continues as normal. So this could be done dynamically, but the fact that these specific ATM vulnerabilities allow me to replace the entire firmware and all the different executables, I can make these patches permanent, which is far more reliable. It's also a lot easier on ARM, as every instruction is 32 bits long. So I place hooks at the card reader, the PIN pad, and the parser that handles the remote configuration commands. So with those hooks we can add some fairly handy features: save the track data, capture the PIN pad, and a few custom commands to get the track data remotely, and sure, remote jackpot, you know, might as well. So I'll blitz through these because there's a fair few demos I need to get through, so I may as well put my money where my mouth is. And I suppose there's a pun there somewhere.

Actually, let's start with the remote stuff first, right. Okay, so we can start by adding a group, so we'll make the group "DEFCON". Now add an ATM. My ATM location, I guess, would be "on stage at DEF CON". And so even though I support both modem and TCP/IP, I just have this wired over a crossover cable, just for the ease of demonstration. Okay, so of course I can test the bypass, which is important. This will allow me to ensure that the authentication bypass actually exists but won't modify anything on the system. So I'm going to attempt a connection: connected, testing ATM authentication bypass, success. Now if you just want to quickly flip over to the ATM there and get that on screen, is that possible? So all that's shown on the ATM is "RMS processing". It just says "RMS processing", basically, that's all. Okay, now let's go back to the computer now, please. Now of course the best is to be able to upload the rootkit, which will leverage that same authentication bypass to get there. And I'm just going to reiterate that this is default on every single one of these ATMs. So I upload the final version of Scrooge: connects, sends the authentication bypass, success, initializes a software upload, and now Scrooge is actually uploading to the ATM. Ah, the port is just default. Say again? No, I mean that's the port that they specify in the manual, which interestingly enough can't be changed either. Okay, if we could flip back to the ATM now. So basically once the rootkit's been uploaded the ATM should reboot. It just says "RMS processing", so it realizes someone's managing the ATM, they just don't realize that it's not legitimate, I suppose. Okay, so the rootkit got uploaded, the ATM is rebooting, so now as it boots up, the picture on there, it should have my rootkit surreptitiously running in the background. Okay, let me know when that reboots. Oh, I tried to cover the vendor's name, but what can you do. I'll take one of those mics over there. Okay, so as I said there's two ways to pop up this hidden menu: one is by the "gimme the loot" card and the other is by a special key sequence. So let's try it. Okay, so it pops up my hidden menu there. It'll let me dispense 50 notes from A, B, C or D, which are the four cassettes on the ATM, print out statistics like I told you earlier. So let's just try to dump 50 bills from the first cassette. These actually double as invites to the Freakshow party, by the way. So, yeah, you can pop up the menu by the card but also by entering the special key sequence.

Okay, can we go back to the computer again. So you've found this ATM but of course you have no idea where it is, so that's where we can retrieve the ATM settings, which again uses the authentication bypass. Okay, it's received the settings, saved them to disk. So at the top here you can see the master passwords for my ATM, "Barnaby's ATM". I actually don't live at 123 Kiwi Street, by the way. But yeah, so it has your location, the master password, as well as the phone numbers and also the IP address. Now so far all of these attacks have actually required someone to be at the ATM, and I require a volunteer from the audience. Now, is Brandon actually here? I think he has a specific card created for this, by the way. It was just about any volunteer, but they'd have all their credit card details displayed on the screen, so you have to be careful before you raise your hands. Yes, that's actually another interesting point. You can have cameras built into these machines, but via this remote management you can actually turn off the cameras, or retrieve the images, or even replace the images. Did you get your card back? Okay. So I assume Brandon knows how to use an ATM, so he's just entered his card. Okay, we'll stay on the computer. So now I should be able to remotely pull the track data. This should have captured anyone's card that's been entered in there. Okay, now you can see it had captured the "gimme the loot" card, which was my original one to pop up the menu, and Brandon's card, "Dr. Reed". I've never seen a credit card like this before. Fair enough.

Okay, if we go back to the ATM again, please. Now of course you have to add the remote jackpot, it'd just be rude not to, really. So let's try that one. It's connecting, sending... "We have a winner", and go down to the dispenser... but, yeah, oops. Ah, so I'll talk about that briefly at the end if I have time. Okay, so, oh, actually I almost forgot about the other ATM, I'm sorry. So you remember the attack on the other ATM. Let me just make sure I have the correct firmware, one sec. Okay, so as you remember, the attack on the other ATM is to simply pop open the compartment with your master key and insert the USB that has the correct firmware. I'm not very good at this, takes me a while, but it should hopefully be in within three seconds. So that's the attack essentially carried out on that one. And if we could zoom in on that one, actually, that's probably about perfect there. Takes a while to boot. ARM processors, you know, aren't the fastest. Now you're going to have to forgive me, because this was tailored originally for Black Hat, so there might be a bit of, you'll see, it was also tailored for Vegas as well, which you'll all see. Okay, so the Black Hat logo is floating on the screen and it's just doing this as the ATM's actually initializing. So right now this is actually my firmware running on the device. Takes a little while to boot up, these aren't the fastest machines in the world, unfortunately. Any quick questions while this is happening? What's up? I would say a year, here and there, on and off, you know, it's more of a hobby, sort of a nighttime job. I think it has a better effect if I just open that first cabinet. Yeah, it'll keep doing that. I'm just going to disconnect the sound because it's kind of bugging me a bit. Yeah, if you just go back to the computer again.

So, countermeasures. The obvious physical countermeasure of course, to prevent the walk-up attack, is to offer upgrade options on the physical locks, so that we have a unique key for each lock. Of course, if you want to take this into your own hands you could just, you know, drill a hole and put a padlock on or something. A trusted environment setup which allows only signed executables to be run would have prevented the original attack, and although it wouldn't have prevented the remote attack vector, it would have added another barrier for uploading these rogue executables. Now unfortunately in Windows CE 5 implementing the trusted environment isn't as easy as it should be; code has to be introduced into the build, and I think the option to implement a secure environment should be made a lot easier. But what can you do to prevent the remote attack? Disable RMS. High chances are you're not using that functionality. Disable it, and that can be done from the operator menu. And finally, it's time to give these devices a proper overhaul. There hasn't been a secure development methodology from the get-go, as I said. It's time that you need to play catch-up at this stage: have the code audited, penetration tested, implement these best practices from here on out. You know, there's been a noticeable surge in the community I've seen to research these proprietary devices like ATMs, and the simple fact is these companies who manufacture these devices, you know, they're not Microsoft. They haven't had 10 plus years of continued attacks against their software, which has forced secure development and got them where they are today. So I think it's important we dig in, research these devices, find vulnerabilities, find solutions, and ultimately ensure a more secure future. So thank you.
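The inline detour hook described in the talk (a branch instruction patched over the first instruction of the function you want to intercept, a stub that runs your code, re-executes the overwritten instruction and branches back) is modelled below as an added example. This is not Barnaby Jack's code and not part of Scrooge; the image base, the hook addresses and the stub size are invented for illustration, and the "memory" is a plain array rather than a live ATM. It encodes and decodes the A32 `B` instruction (PC+8 relative, 24-bit word offset, so a reach of +/-32 MiB), and adds a check the talk does not spell out but a working hook needs: a displaced instruction that reads PC (a PC-relative `LDR`, or a branch) cannot simply be copied into the stub, because it would compute a different address there.

```c
/* Added example (not the speaker's code): inline detour mechanics on ARM (A32).
 * Every instruction is 32 bits, so one word at the target is replaced by
 * "B stub"; the stub's tail is the displaced word followed by "B target+4".
 * Addresses and layout below are invented for illustration. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define ARM_B_AL    0xEA000000u               /* cond=AL(1110) 101 L=0 imm24 */
#define ARM_B_RANGE (32u * 1024u * 1024u)     /* signed imm24 words: +/-32 MiB */

/* Encode "B target" placed at address `at`. The offset is relative to PC+8
 * (ARM pipeline), in words, signed 24-bit. Returns 0 if unencodable. */
static int arm_encode_b(uint32_t at, uint32_t target, uint32_t *out)
{
    if ((at & 3u) || (target & 3u))
        return 0;                             /* A32 code is word aligned */
    int64_t off = (int64_t)target - ((int64_t)at + 8);
    if (off < -(int64_t)ARM_B_RANGE || off >= (int64_t)ARM_B_RANGE)
        return 0;                             /* beyond imm24 reach */
    *out = ARM_B_AL | (((uint32_t)off >> 2) & 0x00FFFFFFu);
    return 1;
}

/* Decode an unconditional B at `at`; returns 0 if `instr` is not one. */
static int arm_decode_b(uint32_t at, uint32_t instr, uint32_t *target)
{
    if ((instr & 0xFF000000u) != ARM_B_AL)
        return 0;
    int32_t bytes = (int32_t)(instr << 8) >> 6; /* sign-extend imm24, times 4 */
    *target = (uint32_t)((int64_t)at + 8 + bytes);
    return 1;
}

/* Conservative check: may the displaced instruction be moved into the stub?
 * Branches (class 101) and data-processing / load-store words whose base
 * register Rn is PC (15) depend on their own address, so a real hook would
 * have to rewrite them rather than copy them. */
static int relocatable(uint32_t instr)
{
    uint32_t cls = (instr >> 25) & 7u;
    uint32_t rn  = (instr >> 16) & 0xFu;
    if (cls == 5u) return 0;                  /* B / BL */
    if (cls <= 3u && rn == 15u) return 0;     /* data-processing or LDR/STR via PC */
    return 1;
}

/* Toy address space: word i lives at base + 4*i. */
#define CODE_WORDS 64
struct image { uint32_t base; uint32_t words[CODE_WORDS]; };
struct hook  { uint32_t target, stub, saved; };

static uint32_t *word_at(struct image *img, uint32_t addr)
{
    uint32_t idx = (addr - img->base) / 4u;
    return (addr >= img->base && idx < CODE_WORDS) ? &img->words[idx] : NULL;
}

/* Install the detour: save target[0], write the displaced word and the
 * return branch after `stub_body_words` words of stub code, then publish
 * "B stub" at the target last so the hook never goes live half-built. */
static int install_detour(struct image *img, uint32_t target, uint32_t stub,
                          size_t stub_body_words, struct hook *h)
{
    uint32_t ret_at = stub + 4u * (uint32_t)(stub_body_words + 1);
    uint32_t *t = word_at(img, target), *tail = word_at(img, ret_at - 4u),
             *back = word_at(img, ret_at), b_stub, b_back;
    if (!t || !tail || !back || !relocatable(*t)) return 0;
    if (!arm_encode_b(target, stub, &b_stub)) return 0;
    if (!arm_encode_b(ret_at, target + 4u, &b_back)) return 0;
    h->target = target; h->stub = stub; h->saved = *t;
    *tail = h->saved;                         /* re-execute what we clobbered */
    *back = b_back;                           /* ...then resume the original */
    *t = b_stub;                              /* hook is live from here */
    return 1;
}

int main(void)
{
    struct image img = { 0x00010000u, { 0 } };
    struct hook h;
    img.words[16] = 0xE92D4FF0u;              /* PUSH {r4-r11, lr}: typical prologue */
    if (!install_detour(&img, 0x00010040u, 0x00010080u, 2, &h))
        return 1;
    printf("target %08x: %08x (was %08x)\n", h.target, img.words[16], h.saved);
    printf("stub tail %08x %08x\n", img.words[34], img.words[35]);
    return 0;
}
```

The "publish last" ordering matters when patching running code: writing the branch before the stub tail exists would send the next call into garbage. On a real target you also need the cache maintenance (instruction cache invalidation) that this model leaves out.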
Info
Channel: DEFCONConference
Views: 46,558
Rating: 4.9285712 out of 5
Keywords: Presentations
Id: FkteGFfvwJ0
Length: 39min 55sec (2395 seconds)
Published: Fri Nov 08 2013