DEF CON 29 - Roy Davis - No Key No PIN No Combo No Problem Pwning ATMs For Fun and Profit

Video Statistics and Information

Video
Captions Word Cloud
Reddit Comments
Captions
- Hi everyone, my name is Roy Davis and welcome to my talk, "No Key? No PIN? No Combo? No Problem! P0wning ATMs for Fun and Profit." Shout out to all my homeys at DC612 in Minnesota. And for anybody that wants to get ahold of me about the content of this presentation, my contact information is all on the screen there. Before we get too far into this, I've got to say this content is provided for educational and entertainment purposes only. Unauthorized access of other people's ATMs is illegal. Don't do it. Don't do it. You're gonna go to jail. Secondly, this presentation is not associated with my employer in any way, except to say they've been very supportive of this opportunity and of me. And I really appreciate that. So why ATMs? There's several answers to this question. The first being when I was a kid, I used to go to the grocery store with my mom and she'd walk up to this machine once in a while that said instant cash on the front. And I thought, man, this is great. How do I get a piece of this action? I want instant cash. And you know, a long time went by, I graduated college, I got into security and I got into pin testing. I never forgot about that childhood dream. I always wanted to learn how those things work inside, How can they can be configured or misconfigured? What does their network traffic look like, and how secure is that vault? In my opinion, cash is not going away anytime soon. Cash still provides a level of anonymity to people who use it, that cards just don't give you. They leave a paper trail. ATMs are everywhere all over the world and increasing in numbers, as you can see in this chart between 2008 and 2019, doubling of the number of ATMs. A lot of people think, that own these machines in bars and restaurants and wherever, that as long as this thing keeps working, it's good, right? The low levels of security maintenance adoption for these machines is incredible. If you think it's hard to get PC users or like an InfraOps team to apply patches in production, imagine trying to get bar owners to update their ATM software. It's really, really difficult. Also a lot of ATM security seems to me, based on obscurity and lack of design transparency. They're missing huge amounts of documentation. Try searching in the internet sometime for communications protocols or encryption implementations or main board pin layouts. It's really difficult to find anything about that. This is a document I found from 2002, discussing the Triton com protocol. It's a preliminary release and it's missing a lot of current info. I also believe that if honestly, researchers continue to expose vulnerabilities in these devices, the increased awareness can only serve to encourage the manufacturers of these devices to make them more secure, which makes all of us safer in the long run. The last reason I'm interested in this kind of research, is really all of these folks. A huge shout out and thank you to these pioneers in the ATM and electronic lock research field. They paved the way to establishing safe harbor for ATM vulnerability research. And I greatly appreciate and have enjoyed all of their work. I highly recommend watching these previous presentations if you want to learn more about things like ATM history, network attacks, firmware attacks, power analysis, and spike attacks and malware attacks. All of these previous researchers are brilliant. And in my estimation, most of it is probably beyond the capabilities of your average criminal. Today, we're going to look at something a bit more on the physical side of attacks on ATM. So our agenda here is all about how I acquired my ATM. We'll look at some damage, some ways people damage these things trying to get the money, some general ATM info, how I became a licensed operator and how that went in, and why I did that. We're also gonna be picking the ATM case lock, resetting the ATM password and bypassing the electronic vault block. And then at the end, we'll have some time for Q and A. All right, so what was my goal? It was a fully functioning ATM in my home, which I had complete access to. It'll process ATM transactions, just like in the wild. And I want to research and understand the entire tax surface, including the network traffic, the internal serial comms, the data stored on the device, the vault and the cash dispensing unit. And so what I have here behind me is that device. It came true, and I'm going to tell you how that happened. These things are expensive, right? How did I get this thing? If you look on the internet, this thing, probably $4,000 new. Couple of grand, two, 3000 used. That's too much for me if I'm gonna do some research. So things like Craigslist and eBay are your friends. I'd been looking for an ATM for a long time, when I found this one in 2018. The set, 100 bucks for both seemed like a deal. I quickly started researching how they worked and what was inside them and how to duplicate the attacks, Barnaby Jack had done in 2010. One of the things I found right away, default locks on these machines are garbage, commonly available locks and easy to pick with a rake. Also among other issues, I found that the audit logs in these ATM's contain a wealth of information, including full debit card numbers and names of previous users in clear text and dates and amounts of transactions. That was sort of surprising to me. And so I got bored of these things as time went by. I really was interested in getting my hands on an ATM that ran some flavor of Windows, 'cause Windows fun to hack and lots of known vaults. This saved search had an alert that was turned on. Any auction or ATMs for sale in Minnesota. Lo and behold, I got a hit. So here's this auction in Cambridge, Minnesota, about an hour and a half north of me. And they were selling everything in this restaurant and gas station. This ATM was up for bid, and this is all the details I got. If you've ever been on auctions like this, you know that there's a very limited amount of information. I called the place and inquired about the condition of the ATM asking, what does unknown working condition mean? They had no idea. Everything is being sold as is. It's at foreclosure auction, is all they said. I did ask if there was any money in it, just kind of joking. The replies surprised me. There very well may be. This place got shut down with food on the shelves, drinks in the coolers and gas in the tanks. So at this point I have no idea. I think they're just trying to get me to bid, right? Tell me whatever I want to hear. I bid a dollar. Now, I am quite competitive when it comes to auctions and I don't like to lose. So of course I won with a bit of a $220 at the last second. This is the first time I learned, this email, I learned that I won. I also learned there's no code for the cash box. I assume they mean the vault. Well, what's going on here? I have no idea. What's this thing actually worth? Is it worth anything? Am I gonna be able to get into? Is it doesn't even work. Who knows? So I did a little digging and found out that first of all, these machines are worth 10 times what I paid for them. It's a score, but maybe not if I can't get into the vault and I can't get this thing working. Well, where did this thing come from? A gas station barbecue sounded sort of interesting. Here's the place that was auctioning off everything. It opened in 2018, February 1st, less than two years before I won this auction. Very strange. They're gonna have Dickey's Barbecue. If you've ever had it, it's fantastic. I highly recommend it. March 18, kind of a review of the place. But uh oh, just a little while later, assets 43K, liabilities 1.5 million. That's probably not gonna work out long-term for any business owner. Things are starting to make sense here. So I hop in the car, hour 1/2 north to Cambridge, and this is what the place looked like when I got there to pick up my ATM, a lot different than opening day. I walk in and I'm at check-in and I'm talking to the lady there, and I say, what happened here? How did this place go out of business so fast that you couldn't get the ATM pin for the vault or the top? And she says, as I understand it, there were some legal issues and the lender foreclosed and shut the place down. Okay. I don't know anything about all that, but you know, that's what you say. So I go back over to the ATM. Let's get this thing going. Let's just get this thing in the Jeep and get out of here. I was not anticipating that it was going to be literally bolted to the floor and completely immovable. Okay. So I can't get into the vault to remove the nuts that are obviously holding this thing down to the floor. It's in cement. So I call a locksmith and I said, hey, I'm at this gas station. I won this auction. Could you please come over and help me break into this ATM to help me move it? The answer was a resounding no, no. So I asked the lady, how am I gonna get this thing out of here? What's gonna happen to this place? She said, I don't care. You gotta have that thing outta here today. I don't care what you do to get it out. I said, what if I have to damage the floor? No problem. They're going to bulldoze this place at some point later. I don't care. I'm just here to auction stuff off. Okay. All right. Well, I want this thing on damaged because I want to do research on it, and afterwards I may want to use this thing and start a business, make some money with an ATM. Who knows. So the only thing I can think of is go down to Home Depot and rent this guy, the Bosch Brute Turbo. Up to this point, I'd never used a jackhammer in my life, but how hard could it be, right? I've seen it done in cartoons. (chuckles) Well, so I start jackhammering and hitting the ATM a couple of times there and jackhammering some more and I'm getting a little further and jackhammering more. And it finally starts to come out and lean a little bit. It finally did fall over and I removed the concrete slab from the bottom, again, with the jackhammer. For anyone wondering, it takes a novice jackhammer user, roughly 40 minutes or so to get a ATM fully extracted from a cement floor. All right, here it is out on the curb. Into the Jeep it goes, and magically now it's back that afternoon in my office. Mission accomplished. I plugged it in, booted it up and said, I'm staring at this thing like, okay, so now what? What do I have to do to make this thing fully operational? I want to stick my card in this thing and have it give me money. I have no idea. I have no idea what to do. Time to research. First thing I noticed when I put this thing up is it's running Windows CE. That's pretty interesting to me. What could possibly go wrong? I was looking for a Windows box. So the next thing I do is hook it up to my local LAN and run an Nmap scan. Now, you'll see on the left here that I posted the Nmap scan, that Trey and Brenda So, Brenda did last year of Trey Gowden. Keown, sorry, and Brenda So at last year's DEFCON. So they had a lot of open ports on this exact same model. I only had 5555 open, which I learned from their talk is the remote management agent. I did install the remote management software and connect to it, but I did not do any sort of penetration testing against that end point. It was very intriguing and very attractive to do that, but it was not the focus of my research at the time. Trey and Brenda also demonstrated an overflow attack against this port that allowed modification of settings within the ATM. I would love to learn more about that and try that attack here. Okay, so here is the screen when I boot up the machine, when I first boot it up. Apologies for the terrible photo. After booting, I get this thing. It says the encrypted pin pad has gone bad. I have no idea what that means. It needs to be replaced, I learned. Error is codes 97999 EPP Error. Alright, what's this going to cost me? So 320 bucks later, I've got a refurbished one and things are getting a little bit expensive. And so at this point, I've got to install an EPP in a machine that I've never really taken apart or worked on, but at least I know how to get into the top, which we'll see here shortly. First thing I needed to do was a little research on the inside of this machine. And along the way, I kind of put together this, a few slides about how ATMs work. So before we get too far, let's just take a couple of minutes here. So there's two main categories of ATM's, with the distinguishing factors being the level of security the housing provides for the electronics and the money. The banking features available to users and the amount of money with in the machine itself. Drive up ATMs are typically associated directly with banks and are mounted in an external wall of a bank, especially built enclosure like this one, or as a standalone unit, like out in a parking lot. There's really no easy access to the money or the electronics and the front of this machine. You really have to get into the building or get, you know, into the back somehow. A stealthy, undetectable, access takes time, knowledge, and skill or granted access as an employee. The second type of ATM is the one you're probably most familiar with, and it's the type I bought for my research. These are much less expensive and there's far less security built into them because they're designed to be installed where people are present and are working, like gas stations and such. They usually are not directly associated with any sort of bank, but they're owner operated. So the gas station owner probably owns that machine as well. It changes the threat model a little bit here because there's much less oversight to detect modifications to the ATM software housing or network connection. If this thing is installed in a hotel lobby or a big long hallway at a hotel conference center or somewhere, you know, a bowling alley, maybe where there's not a lot of supervision. As we've seen, these things can be bolted directly to the floor, but many times they're not because it's a temporary use location or it's going to be a limited time there or they move it around a lot, or for whatever reason, maybe they just can't do that. They can't bolt it to the floor. People trying to get access to the money in these machines, do a lot of damage, typically with various devices like blow torches, crowbars. This is actually the same machine I bought. And this one, this Triton 9100 looks like, somebody used some sort of a cutting tool. I'm not sure why they chose that spot. You can't actually get to the money going through the side there. So they were probably very disappointed or caused more damage to the CDU unit in there. So during my research, I see all this damage and I'm thinking, is this really what it takes to get into one of these things? Can you do it any other way, and can you do it in a way that doesn't leave obvious evidence? Maybe the answer is no. I don't know. So this one's my personal favorite because I like 4th of July. And so, anytime you go with explosives, I'm gonna watch. I'm not attracting any attention here for sure. So here we stick the incendiary device in the output of where the cash comes out, which is an interesting choice. And it just basically destroys the entire top, but the cash box remains intact. So that is not a good way to try and get into an ATM. I would be really surprised if anyone here has never used an ATM. So I'm sure you're all familiar with these external parts that I've highlighted here. We're gonna go past this. All of the ATM's that you'll see essentially have the same internal parts and external parts. One thing you can see here is the false door, the safe door cover. That is protected by a cylinder lock, which is typically keyed the same as the lock that protects the electronics. Behind that false door is the electronic lock key pad and the lock bolt handle. And you can see a wire coming out of the door here. That's a power cable for the light over the cash dispensing portal on the vault's door. All right, so let's take a look inside the vault. Here, we can see the door where the money comes out, and dust below that. We can see the bolt action lever that lifts these huge teeth that interlock with the frame to keep the safe door shut. The safe door, by the way is about 70 pounds. It weighs more than anything else on the machine. There's a look at the electric lock inside and there is what's called the cash dispensing unit. Mounted on the cash dispensing unit is also a reject bin. And then there is the cash cassette, which plugs basically into a slot underneath the reject bin. So we're going to take a look, a closer look at all of these different things. Inside here, you can see the belt-driven device that brings the money up and out of the cash dispensing unit. All right. So the next thing we're going to look at here is the reject bin. Not very exciting, but I thought you guys might just like to look in there. This is where, you know, crumpled money goes, things that can't go through the CDU. Oh, this is the back of the CDU. You can see the serial interface that goes up to the main board and also the power supply, which also goes up to the power supply in the main compartment. This here is the cash cassette. It also is locked with a tubular key to the lock. And inside, we can see the pressure driven dispenser. It's spring loaded. You can see a few bills in there. This is where a 1000 bills can fit, if you so desire. Now this same machine that I have, even though it right now is configured with one cassette, it can be configured with three cassettes. So, the module just plugs right in. It's really not a big deal. Giving this machine a cash capacity of $300,000 because each cassette can be configured to hold hundreds. So as we're going to see, you know, you make the call at the end of this presentation, do you think that the locks and everything that are protecting 300,000, you know, potentially $300,000, do you think they're adequate or not? Moving onto the top of the device, this lock is like I said, usually keyed the same as the front and as mentioned can be picked. I'm showing you there that the lock is indeed locked and I'm showing you there a cylinder lock pick. So these, these cylinder locks have seven or eight pins. This one's particularly has eight pins. So I insert the pick and I start jiggling it back and forth, which moves the pics up into the right position, which moves the pins into the right position and unlocks the lock. So it didn't take very long at all. You could also just buy this key on eBay. So if you are lucky enough to get your hands on an ATM, like I did for cheap, and you don't have the key, here you go. Go buy a key. Okay. Now let's have a look inside here, inside the top. Not many people get to look in here. I figured I'd give you a look here as well. Here are all the wires that go down to the CDU, and these come up and there's the printer module. There's the power supply, straight five-volt power supply, I believe, to the board and 12 volts everywhere else. Here is the receipt printer. It has its own board and a serial connection and power cables there. All of these cables come up through a junction, right at the base of the main unit, and there we see the main board. The main board here has an SD card, a lot of DIP switches that change modes and do various things. And we see any HDMI cable connector and a couple of USB ports. And then over here on the other side, we will see all of the different serial ports that drive the different pieces and parts of the ATM itself. There's the ethernet cable. There's the modem and the printer port. And down here, we have the card reader. That's where all the money comes out and right below there is the electronic, the encrypting pin pad, the EPP that I replaced. All right, wonderful. So we see the inside and I mentioned the ethernet port. So this thing is obviously talking to the internet and it's obviously somehow doing transactions. So how does that work? Well, whether it's through a modem or it's through a NIC or something, we get an internet connection to the PPH, the payment processing host using something called the Triton Protocol. And then from there, we're going to go to what's called the interbank network. So what is that? First of all, the processing host provides the connection information and encryption keys, which are configured in the ATM computer. They take a small percentage, the processor does of the transaction fee, which you know, is determined by the owner and charged to the user for each transaction. There's hundreds of processing companies to pick from. I just threw up a few brands here. An interbank network. The next step is also known as the ATM consortium or the ATM network. And it's a computer network that enables ATM cards that are issued by a financial institution that is a member of the network to be used in ATM's that belong to another member of that same ATM consortium. And so the way that the banking industry came up in America, was very fragmented. So there was a lot of little mom and pop shops and a lot of little networks everywhere. In the 2000s, of like 2003, by then we had a consolidation resulting in three major interbank networks. And now about 70% of the volume in the United States goes over those three networks. Past talks on ATM hacking have discussed building a dummy backend for the ATM network for the ATM to connect to, that would pretend to be the payment processing host. But I really wanted to see what the real thing was like. So to do this, I had to become a licensed ATM operator. So why did I do that? Well, I really want the full, real experience. I want to understand exactly what does it take to take an ATM to full functioning and operate it after the fact. After my research has done, I want to put this thing in use. Minnesota is about to legalize weed, so maybe I'll put it at a dispensary. I don't know. So why do I have to be licensed? Well, the primary reason these laws exist in these licenses exists is to prevent money laundering and funding of nefarious activities. This is really tied to the Patriot Act of 2001. So you can imagine what I mean by nefarious activities. The licensing is done through NMLS or the National Multistate Licensing System. I provide, you know, processor information. There's a background check. I have to fill out a bunch of paperwork. I have to show them my bank statements and let my bank know what I'm doing. I have to pay a couple hundred and license fees and it takes about four weeks or so, and you're gonna do something wrong because no matter what you do, you're gonna do it wrong and fill out the paperwork wrong, and you're gonna to have to do it back and forth a few times and sit on hold with the state and whatever, but sooner or later, you will become a licensed financial terminal owner. All right, so I've got this thing on the network. I have my license. I can connect to the ATM network, the real thing. How am I going to do that? Well, I'm going to use a LAN tap because I want to do this very transparently. And not in any way that somebody can know what I'm doing. There's no opportunity for traffic manipulation here. It's really just sniffing, and I'm sniffing my own traffic. So as I run my own transactions with my own card, I can see what's happening. Now, the way a land tap works is there's a pass-through that goes directly through and is transparent to the server and the client. These other two ports that you can see are outbound from the ATM. So outbound traffic, which goes to my laptop and then inbound traffic coming inbound to the ATM, also goes to my laptop. And so if I spin up Wireshark and attach to both of those ethernet devices, I can see both way traffic. The problem is, it's encrypted with TLS 1.2. But the ATM provides you a way to upload your own signing certificate, which I found very interesting. If you put a self-signed cert on a USB and stick it into the back where we saw before, and you go to this screen, it says, download cert from USB. So I'm not really sure how that all makes sense, but it's there. All right. So we've taken a little look at the inside. We've taken a look at the network. With EPP replaced, I can now successfully boot the ATM and insert some data. One side note here. Anytime I see a big red thing that says warning, and then do not, you know, do something. I always pay special attention to that. I like to do things that I'm not supposed to do. So this one says, don't remove the cover. Bad things will happen. At some point, I'm gonna go look exactly into what that bad stuff is and see how this is implemented. It sounds like a really interesting research project. So anyway, booting this time, I get this great error message says, FFFFFF. That means that I need to to provide some more set up information into the machine. All right. So to access the admin screen, I'll do enter, clear, cancel, one, two, three. All right. And so this gives me this nice enter password UI, right? But I don't know the password. This is the pin I need to get to the admin interface. I tried multiple times to reach anyone associated with the previous owner. Still no luck. So I have no idea. The pin is stored in memory somewhere on that board. I have no idea how to get to it. I don't know if it's encrypted. It's good to note that this password is different than the safe combination. The safe vault lock does not have any idea that this interface or this computer even exists. They're completely separate. This is just to get access to the admin operator interface. The default password here is 555555. I know that because it's in their documentation, but unfortunately for me, that didn't work. I tried and I tried and I tried, and I was up very late. The UI does give you three chances to enter the correct password, but then it'll send you back to the start screen again, and then you have to do enter, clear, cancel, one, two, three. After a few days of guessing and falling asleep in my chair, after guessing I gave up and looked for other ways. So it turns out after a lot of Googling and reading, I found that in recent versions of the software, Hyosung has implemented a security feature where the operator function passwords cannot be reset to factory default unless performed during the machines first boot after reloading the software. If there's any way around this, I have no idea. I couldn't find it. The search continues. All right, so how does the software re-install work? Well, various versions of the ATM software available if you search around. I found this one and downloaded it. I would love to find some older versions of this. If anybody knows where I can get my hands on some older versions of the software for the Triton 2700 CE, I would really appreciate it. This set that I found was, I think the most recent version. And so I put it on an SD card. There's various files here. If you want to know what they do, I think Brenda So talked about that in last year's talk. I did delve into the update folder where I found a master zip file, and opening that is super fun. There's lots of fun stuff to play with here. I'm not sure if the bat files or some of these other files, the icons and the backgrounds have any sort of CRC associated with them, if there's anything run on those, if you can modify those and put them back on this disc and stick it in the machine and have it do some fun stuff. That's a another research topic altogether that I wish I had time for and we'll probably do in the future. So my SD card goes in this slot. I have to push down DIP switch number four, to make it boot into diagnostic mode. And this is where the computer will do all kinds of fun stuff and read things off the SD card. So pick SD card, and now we're doing a software update. This takes about 10 minutes or so. That's what this install looks like. And after you do that, it will reboot, and now you'll get the same screen, and we can reset the master password. All right, so here's how we do that. We reboot again, and during the initializing screen, we get out our old Nintendo fingers and do left, right, clear, left, right, clear, clear, cancel clear, left, right, clear, clear, cancel. If successfully recognized, the machine will ask you if you want to reset the master password. And then it will be set back to 555555. There's one caveat to this. It's not gonna happen unless the safe door is open. If the safe door's not open, you're just gonna get back to this screen. And so, at this point, the safe door is not open, but I need to open it. I need to open it and to complete the password reset for the computer, and I need to get into it to see if there's any cash in there, right. I really don't want to destroy the door in the process. I've already explained why. So the first question that I have is, you know, how does this computer know the door's closed? There must be a sensor somewhere in there connected to the door, connected to the main board. I have access to the main board. I should be able to do this. So I reached for my favorite tool, the borescope. This here is a DEPSTECH unit. Five megapixels, HD resolution, the rechargeable battery, wireless connectivity, it's great. Wired is rigid. You can bend it around corners, you know, and it's 50 bucks on Amazon. How could you go wrong? As we'll see later in this talk, I did use this other tool, this other smaller scope called an otoscope. It's made to stick in your ear. This has a diameter of 5.5 millimeters, much smaller than the previous one. It's about 50 bucks for this camera as well. So I got the scope inside the ATM using the corners of the cash dispensing tray, and also that hole where the wire came off of the lining of the door. This is what I see inside. It's the reject bin. I can see the lock, the electronic safe lock down there. I can also see some wires over far down there. If I turn the borescope a little bit, I can see a rigid. I can see the wire, or I can see the safe switch, the momentary switch is the word I was looking for. This momentary switch which is connected to the door and the door is pushing it in, and it's basically telling the computer the door is open or closed. Following this wire up away from the momentary switch and across through some portion of the ATM, it finally does surface through this hole, up to where the main board is. It comes over to this junction where it's conveniently labeled front. And then it goes on over to the board where it's labeled CN16. So if I unplugged this, the question is, does it fail open or closed? Well, let's do an experiment to find out. I recorded this demo after I had the vault door open and the ATM was all set up and operational. But the results are the same because the door's closed now, and the ATM is operational because of the door is closed. If I pull the door sensor plug, then the computer should think that the door is open and it should become not operational. So what happens is, I pull out the plug and it says, the door is open, the ATM is temporarily out of service. But it's not, right? We just saw the doors closed, but this is exactly what we needed in this case. So I pull out the plug, I reboot. And while initializing, we do clear, left, right, clear, clear, cancel. And we get to this screen, Reset Master Password. Reset master password. Click, yes. All right. It reboots one more time. I get here, I do 555555. And here I am as an administrator inside the computer. All right. So at least one of you is wondering what was that QR code back there? Well, it's nothing. I'm not sure why that's there. It does not seem to be something that is alterable through the configuration and it just leads to nothing. A Google search, I guess. I have no idea. Alright, so now the password's reset. I can get to the ATM. Inside, I can configure it as I wish, but we really need to get into the safe to make this thing fully operational and, well, see what's in there, right? So, how? Well, first things first. What lock is this thing? Back to the borescope for some recon. I can see the lock. I can see some writing on it. It turns out with a little Googling, I find that all the ATMs, all of this particular type of ATM uses this LaGard LG Basic Electronic Lock, and this is what it looks like. Now, in 2016 at DEFCON 24, Plourde did a great talk about side channel attacks on this type of lock. He used the side channel attacks to deduce the correct combination of this Sargent & Greenleaf Titan PivotBolt, very similar to the lock that I have, the LaGard Basic, but not exactly the same one. However, this YouTube video by EEVBlog attempting the same attack on LaGard lock, but without success. So I decided to come up with another way. To figure out how these things work, I ordered one. And I also found out that there's another option, which I assume works the same sort of way, along the same lines as Plourde's attack. This is called a Little Black Box, and this device as well as this Phoenix device, they basically can reset the safe combo. So you take the cord that goes into the safe from the key pad and you hook it up to this device. It determines what lock you have hooked up to, and then you click reset. And what it's gonna do now is some sort of an attack against the lock itself. I believe it basically guesses every combination in less than 15 minutes. And once it guesses the combination, I guess somehow it resets it. I really don't know how this thing works. You can only buy this if you're law enforcement or if you own a bank or are a licensed locksmith. So it costs about $3,000, and I don't know that much money, so I need a another way. So I take off the cover. We see the circuit board. If you take the circuit board out, then you can see like the lock mechanism with the bolt and the rotation axis of the bolt. The main volt handle forces down and rotates it in a clockwise direction. There is an anti force mechanism here. There's a spring and a notch on the lock. And the bolt, if you push down too hard, that notch basically engages and you can't push anymore. If we are able to rotate that lock fully clockwise, then it will push that secondary bolt over into the notch, into that linchpin. Now that linchpin will stop the secondary bolt from going over there, unless we type in the correct code, which then provides a nine volt DC charge to the little motor attached to the linchpin. The motor runs, the linchpin is moved and we can open the lock. All right. So now we know how this thing works. Here's a closeup of the DC motor in the linchpin. And again, if we, if we apply a charge to the motor, then it'll open. So basically all the money in this vault, $300,000 potentially is protected by the lack of voltage to this DC motor. So is there a way from the outside of the vault to get voltage to this DC motor, without anyone knowing, or without destroying the lock or destroying the vault, or just throwing the case? Let's have a look. This is a short video of the lock-in action. Look in the middle of the lock at that linchpin, and you'll see, after I type in the code, the motor turns, the linchpin goes up, which would allow the bolt to turn and the lock to open. All right, so here's a look at the key pad. And another interesting thought that I had was, you know, there's a lot of space inside this keypad thing that mounts on the front, and it doesn't appear to me just doing some cursory research that there's any encryption of the numbers that are pressed on the keypad as it's being sent into the lock. And so what you see here is a small experiment with an Arduino Nano in which I'm hitting keypad presses on, pressing on the keypad and recording the key presses into an Arduino Nano, and then passing that back on out to the lock. Very interesting research can be done here. I believe this is a successful man-in-the-middle attack against this particular lock. So, yeah, moving on from that, we can see that I wasn't gonna be able to use that attack to get into my safe. I had to continue on. Here are the power wires. They pass directly under the circuit board on the door side of the lock. So the metal you see in this picture would be actually against the door, and the locks sits directly behind this keypad and the keypad is removable. And if we do remove the keypad, we can see through the hole where the wire goes to the lock, that it is indeed the back of the lock. And it gives us this little nice landmark to know exactly where on the lock we are because of this little silver, solid silver dial. I have no idea what it does, why it's there, but it is there and it gives us a landmark. That little red X you see is exactly where those wires are that we need to get access to. All right. So I need the right tool for the job to get access to this. Something I've always wanted, an electromagnetic drill press. All right, so you're probably saying, wait a second, this is cheating, right. Well, hear me out, hear me out. I figure if I can just get a visual on those wires from the outside, I can come up with a way to supply current to them. And there just happens to be an existing hole in the door from the factory that allows for a different orientation of the keypad if you want. The hole is a quarter inch in diameter, and it's exactly where I needed to be. And it's there from the factory. I need this to be a little bit bigger, but not too much. I went with a half inch carbide bit. So I made the hole diameter a quarter inch bigger. All right. Well, I put this bit in and I get my drill hooked up. Now this drill has a binding capacity of about 3000 pounds per square inch. It's not going anywhere once you turn it on. And the RPMs of this drill is about 1200. A carbide tipped drill bit, really no match for this safe door. It really only takes a couple of minutes to get in there. It takes me a little bit longer, 'cause I'm not exactly sure what the depth is. But suffice to say, I get into the lock without damaging it in any way. And now we can see the wires of interest. And now keep in mind if I put the keypad back on, our mischief is fully concealed and nobody is the wiser. All right, so the last piece of the puzzle. How do I get power to these wires through this half-inch hole without breaking the lock? After a lot of thinking and digging around, I figured out that there's this tool called a puncture probe. It's exactly what I needed. This is how it works. The idea, you retract the probe, the puncture pin, you get the wire in there and you release the pin into the wire and you have connectivity and you can connect a wire down at the base of the probe. So this is kind of what that looks like. I built my own probes because those plastic ones were far too big. So what I'm doing here is I've punctured these wires on my work bench and I'm applying a nine volt charge to them, and you can see that it is opening. Again, the problem was that these were way too big for the access port that I had drilled, and I certainly didn't want to cheat anymore by making the hole bigger. So I designed something smaller. At the time I used this little piece of wire with a hook on the end. And here you can see that, you know, this is what it looks like when it's all set up. I hooked up the nine-volt battery and nothing happened. I was a little worried that my nine-volt battery was bad, so I hooked it up to a DC power supply, and I gave it 17 volts, just, you know, in case it needed a little more extra juice. Here's the full scene when the vault was opened for the first time back in, I believe, the end of March, early April. And yeah, so you can see the scope there, and you can see my tool, the tool that I use, the puncture probe. You can see the wire tool that I created, the inside through the borescope. And then here we go, the door is open for the first time and we can see inside. So here's a demo of what just happened. As you can see, the lock is locked as I pushed down on it and attaching the probes and applying voltage, and the lock opens. I'm gonna skip forward because I'm running out of, I'm a little bit, running out of time here. So we're just gonna go pass this one to... Again, if I put the keypad in place, there is no evidence of intrusion. And as an added bonus, if you want to go the extra mile, you can cover the access hole with this half inch plastic cover. Barely noticeable, right, right? All right. So again, not as satisfied with the smaller probe. There must have been a way to do it with a smaller hole. So I started taking these pros apart. I pulled off the plastic sheeting and saw the probe inside. I went and grabbed a stainless steel, three mil tube. I put a little notch in it, in the end and heated up the tube to melt into the plastic of the probe. And this is what it looks like when it's all together. And it's a lot smaller. It's 6.2 mil versus 2.9. So a lot smaller, which means I can now do this attack with a much smaller hole. All right, some loose ends quickly. I sent dormakaba this letter to let them know some pre disclosure, pre-talk disclosure. I never got any response from this. Here is my email to security at Hyosung America. I never got a response to this one either. So I got a delivery failure notice, instead. As far as the money, there was money in the ATM. I'm a trusted source, advice. I am not gonna tell you exactly how much it was. I will not disclose that, but there was enough to pay for the research project and the ATM and a little bit leftover. All right, some follow up research. ATM Wi-Fi, really cool, I think. The vault lock, man-in-the-middle I showed, ATM software modifications we talked about. Maybe the USD and SD card could be fun to mess with. Internal serial comms between the top and the bottom, right between the CDU and the computer. Can we capture and replay? How about EPP deconstruction analysis? That warning message we saw. All of those topics, I think are fascinating, and I will continue research. If anybody else wants to join me, please reach out to me. So in conclusion, no key, no pin, no combo, no problem. Thanks for watching. Have a great day. And I hope you have a fabulous DEFCON. Bye-bye.
Info
Channel: DEFCONConference
Views: 30,185
Rating: 4.9468751 out of 5
Keywords: DEF, CON, DEFCON, DEF CON, hacker conference, security conference, information security conference, information security, conference speakers, hackers, hacking, hacking videos, security research, Roy davis, ATMs, DEF CON 29, DC29, DEF CON 2021
Id: 9cG-JL0LHYw
Channel Id: undefined
Length: 47min 13sec (2833 seconds)
Published: Thu Aug 05 2021
Related Videos
Note
Please note that this website is currently a work in progress! Lots of interesting data and statistics to come.