- Hi everyone, my name is Roy Davis and welcome to my talk, "No Key? No PIN? No Combo? No Problem! P0wning ATMs for Fun and Profit." Shout out to all my homeys at DC612 in Minnesota. And for anybody that wants to get hold of me about the content of this presentation, my contact information is all on the screen there.

Before we get too far into this, I've got to say this content is provided for educational and entertainment purposes only. Unauthorized access of other people's ATMs is illegal. Don't do it. Don't do it. You're gonna go to jail. Secondly, this presentation is not associated with my employer in any way, except to say they've been very supportive of this opportunity and of me. And I really appreciate that.

So why ATMs? There are several answers to this question. The first being, when I was a kid, I used to go to the grocery
store with my mom, and she'd walk up to this machine once in a while that said "Instant Cash" on the front. And I thought, man, this is great. How do I get a piece of this action? I want instant cash. And you know, a long time went by, I graduated college, I got into security, and I got into pentesting. I never forgot about that childhood dream. I always wanted to learn how those things work inside. How can they be configured or misconfigured? What does their network traffic look like, and how secure is that vault?

In my opinion, cash is not going away anytime soon. Cash still provides a level of anonymity to people who use it that cards just don't give you. They leave a paper trail. ATMs are everywhere all over the world and increasing in numbers, as you can see in this chart: between 2008 and 2019, a doubling of the number of ATMs. A lot of people that own these machines in bars and restaurants and wherever think that as long as this thing keeps working, it's good, right? The low level of security maintenance adoption for these machines is incredible. If you think it's hard to get PC users or, like, an InfraOps team to apply patches in production, imagine trying to get bar owners to update their ATM software. It's really, really difficult.

Also, a lot of ATM security seems to me to be based on obscurity and lack of design transparency. They're missing huge amounts of documentation. Try searching the internet sometime for communications protocols or encryption implementations or main board pin layouts. It's really difficult to find anything about that. This is a document I found from 2002, discussing the Triton comm protocol. It's a preliminary release, and it's missing a lot of current info. I also believe that, honestly, if researchers continue to expose vulnerabilities in these devices, the increased awareness can only serve to encourage the manufacturers of these devices to make them more secure, which makes all of us safer in the long run. The last reason I'm interested
in this kind of research is really all of these folks. A huge shout out and thank you to these pioneers in the ATM and electronic lock research field. They paved the way to establishing safe harbor for ATM vulnerability research, and I greatly appreciate and have enjoyed all of their work. I highly recommend watching these previous presentations if you want to learn more about things like ATM history, network attacks, firmware attacks, power analysis and spike attacks, and malware attacks. All of these previous researchers are brilliant. And in my estimation, most of it is probably beyond the capabilities of your average criminal. Today, we're going to look at something a bit more on the physical side of attacks on ATMs.

So our agenda here is all about how I acquired my ATM. We'll look at some damage, some ways people damage these things trying to get the money, some general ATM info, how I became a licensed operator and how that went, and why I did that. We're also gonna be picking the ATM case lock, resetting the ATM password, and bypassing the electronic vault lock. And then at the end, we'll have some time for Q and A.

All right, so what was my goal? It was a fully functioning ATM in my home, which I had complete access to. It'll process ATM transactions, just like in the wild. And I want to research and understand the entire attack surface, including the network traffic, the internal serial comms, the data stored on the device, the vault, and the cash dispensing unit. And so what I have here behind me is that device. It came true, and I'm going to tell you how that happened.

These things are expensive, right? How did I get this thing? If you look on the internet, this thing is probably $4,000 new, a couple of grand, two or three thousand, used. That's too much for me if I'm gonna do some research. So things like Craigslist and eBay are your friends. I'd been looking for an ATM for a long time when I found this one in 2018. The set, 100 bucks for both, seemed like a deal. I quickly started researching how they worked and what was inside them and how to duplicate the attacks Barnaby Jack had done in 2010. One of the things I found right away: default locks on these
machines are garbage, commonly available locks and easy to pick with a rake. Also, among other issues, I found that the audit logs in these ATMs contain a wealth of information, including full debit card numbers and names of previous users in clear text, and dates and amounts of transactions. That was sort of surprising to me. And so I got bored of these things as time went by. I really was interested in getting my hands on an ATM that ran some flavor of Windows, 'cause Windows is fun to hack and has lots of known vulns. This saved search had an alert that was turned on: any auction or ATMs for sale in Minnesota. Lo and behold, I got a hit.

So here's this auction in Cambridge, Minnesota, about an hour and a half north of me. And they were selling everything in this restaurant and gas station. This ATM was up for bid, and this is all the details I got. If you've ever been on auctions like this, you know that there's a very limited amount of information. I called the place and inquired about the condition of the ATM, asking, what does "unknown working condition" mean? They had no idea. Everything is being sold as is. It's a foreclosure auction, is all they said. I did ask if there was any money in it, just kind of joking. The reply surprised me: there very well may be. This place got shut down with food on the shelves, drinks in the coolers, and gas in the tanks. So at this point I have no idea. I think they're just trying to get me to bid, right? Tell me whatever I want to hear. I bid a dollar.

Now, I am quite competitive when it comes to auctions, and I don't like to lose. So of course I won with a bid of $220 at the last second. This is the first time I learned, in this email, that I won. I also learned there's no code for the cash box. I assume they mean the vault. Well, what's going on here? I have no idea. What's this thing actually worth? Is it worth anything? Am I gonna be able to get into it? Does it even work? Who knows? So I did a little digging and
found out that, first of all, these machines are worth 10 times what I paid for them. It's a score, but maybe not if I can't get into the vault and I can't get this thing working. Well, where did this thing come from? A gas station barbecue sounded sort of interesting. Here's the place that was auctioning off everything. It opened in 2018, February 1st, less than two years before I won this auction. Very strange. They're gonna have Dickey's Barbecue. If you've ever had it, it's fantastic. I highly recommend it. March 18, kind of a review of the place. But uh oh, just a little while later: assets 43K, liabilities 1.5 million. That's probably not gonna work out long-term for any business owner. Things are starting to make sense here.

So I hop in the car, an hour and a half north to Cambridge, and this is what the place looked like when I got there to pick up my ATM, a lot different than opening day. I walk in and I'm at check-in and I'm talking to the lady there, and I say, what happened here? How did this place go out of business so fast that you couldn't get the ATM PIN for the vault or the top? And she says, as I understand it, there were some legal issues and the lender foreclosed and shut the place down. Okay. I don't know anything about all that, but you know, that's what you say.

So I go back over to the ATM. Let's get this thing going. Let's just get this thing in the Jeep and get out of here. I was not anticipating that it was going to be literally bolted to the floor and completely immovable. Okay. So I can't get into the vault to remove the nuts that are obviously holding this thing down to the floor. It's in cement. So I call a locksmith and I said, hey, I'm at this gas station. I won this auction. Could you please come over and help me break into this ATM to help me move it? The answer was a resounding no, no. So I asked the lady, how am I gonna get this thing out of here? What's gonna happen to this place? She said, I don't care. You gotta have that thing outta here today. I don't care what you do to get it out. I said, what if I have to damage the floor? No problem. They're going to bulldoze this place at some point later. I don't care. I'm just here to auction stuff off. Okay. All right.

Well, I want this thing undamaged because I want to do research on it, and afterwards I may want to use this thing and start a business, make some money with an ATM. Who knows. So the only thing I can think of is go down to Home Depot and rent this guy, the Bosch Brute Turbo. Up to this point, I'd never
used a jackhammer in my life, but how hard could it be, right? I've seen it done in cartoons. (chuckles) Well, so I start jackhammering, and hitting the ATM a couple of times there, and jackhammering some more, and I'm getting a little further, and jackhammering more. And it finally starts to come out and lean a little bit. It finally did fall over, and I removed the concrete slab from the bottom, again, with the jackhammer. For anyone wondering, it takes a novice jackhammer user roughly 40 minutes or so to get an ATM fully extracted from a cement floor. All right, here it is out on the curb. Into the Jeep it goes, and magically, now it's back that afternoon in my office. Mission accomplished.

I plugged it in, booted it up, and I'm staring at this thing like, okay, so now what? What do I have to do to make this thing fully operational? I want to stick my card in this thing and have it give me money. I have no idea. I have no idea what to do. Time to research. First thing I noticed when I powered this thing up is it's running Windows CE. That's pretty interesting to me. What could possibly go wrong? I was looking for a Windows box.

So the next thing I do is hook it up to my local LAN and run an Nmap scan. Now, you'll see on the left here that I posted the Nmap scan that Trey Keown and Brenda So did at last year's DEF CON. So they had a lot of open ports on this exact same model. I only had 5555 open, which I learned from their talk is the remote management agent. I did install the remote management software and connect to it, but I did not do any sort of penetration testing against that endpoint. It was very intriguing and very attractive to do that, but it was not the focus of my research at the time. Trey and Brenda also demonstrated an overflow attack against this port that allowed modification of settings within the ATM. I would love to learn more about that and try that attack here.

Okay, so here is the screen when I boot up the machine, when I first boot it up. Apologies for the terrible photo. After booting, I get this thing. It says the encrypting PIN pad has gone bad. I have no idea what that means. It needs to be replaced, I learned. Error code 97999, EPP Error. All right, what's this going to cost me? So 320 bucks later, I've got a refurbished one, and things are getting a little bit expensive. And so at this point, I've got to install an EPP in a machine that I've never really taken apart or worked on, but at least I know how to get into the top, which we'll see here shortly. First thing I needed to
do was a little research on the inside of this machine. And along the way, I kind of put together this, a few slides about how ATMs work. So before we get too far, let's just take a couple of minutes here.

So there are two main categories of ATMs, with the distinguishing factors being the level of security the housing provides for the electronics and the money, the banking features available to users, and the amount of money within the machine itself. Drive-up ATMs are typically associated directly with banks and are mounted in an external wall of a bank, a specially built enclosure like this one, or as a standalone unit, like out in a parking lot. There's really no easy access to the money or the electronics from the front of this machine. You really have to get into the building or get, you know, into the back somehow. A stealthy, undetectable access takes time, knowledge, and skill, or granted access as an employee.

The second type of ATM is the one you're probably most familiar with, and it's the type I bought for my research. These are much less expensive, and there's far less security built into them because they're designed to be installed where people are present and are working, like gas stations and such. They usually are not directly associated with any sort of bank, but they're owner operated. So the gas station owner probably owns that machine as well. It changes the threat model a little bit here, because there's much less oversight to detect modifications to the ATM software, housing, or network connection, if this thing is installed in a hotel lobby or a big long hallway at a hotel conference center or somewhere, you know, a bowling alley, maybe, where there's not a lot of supervision. As we've seen, these things can be bolted directly to the floor, but many times they're not, because it's a temporary-use location, or it's going to be there a limited time, or they move it around a lot, or for whatever reason, maybe they just can't do that. They can't bolt it to the floor. People trying to get access to
the money in these machines do a lot of damage, typically with various devices like blowtorches and crowbars. This is actually the same machine I bought. And this one, this Triton 9100, looks like somebody used some sort of a cutting tool. I'm not sure why they chose that spot. You can't actually get to the money going through the side there. So they were probably very disappointed, or caused more damage to the CDU in there. So during my research, I see all this damage and I'm thinking, is this really what it takes to get into one of these things? Can you do it any other way, and can you do it in a way that doesn't leave obvious evidence? Maybe the answer is no. I don't know.

So this one's my personal favorite, because I like the 4th of July. And so, anytime you go with explosives, I'm gonna watch. I'm not attracting any attention here, for sure. So here we stick the incendiary device in the output where the cash comes out, which is an interesting choice. And it just basically destroys the entire top, but the cash box remains intact. So that is not a good way to try and get into an ATM.

I would be really surprised if anyone here has never used an ATM. So I'm sure you're all familiar with these external parts that I've highlighted here. We're gonna go past this. All of the ATMs that you'll see essentially have the same internal parts and external parts. One thing you can see here is the false door, the safe door cover. That is protected by a cylinder lock, which is typically keyed the same as the lock that protects the electronics. Behind that false door is the electronic lock keypad and the lock bolt handle. And you can see a wire coming out of the door here. That's a power cable for the light over the cash dispensing portal on the vault's door.

All right, so let's take a look inside the vault. Here, we can see the door where the money comes out, and dust below that. We can see the bolt action lever that lifts these huge teeth that interlock with the frame to keep the safe door shut. The safe door, by the way, is about 70 pounds. It weighs more than anything else on the machine. There's a look at the electric lock inside, and there is what's called the cash dispensing unit. Mounted on the cash dispensing unit is also a reject bin. And then there is the cash cassette, which plugs basically into a slot underneath the reject bin. So we're going to take a closer look at all of these different things. Inside here, you can see the belt-driven device that brings the money up and out of the cash dispensing unit.

All right. So the next thing we're going to look at here is the reject bin. Not very exciting, but I thought you guys might just like to look in there. This is where, you know, crumpled money goes, things that can't go through the CDU. Oh, this is the back of the CDU. You can see the serial interface that goes up to the main board, and also the power supply cable, which also goes up to the power supply in the main compartment. This here is the cash cassette. It also is locked, with a tubular key to the lock. And inside, we can see the pressure-driven dispenser. It's spring loaded. You can see a few bills in there. This is where 1,000 bills can fit, if you so desire. Now, this same machine that I have, even though it right now is configured with one cassette, can be configured with three cassettes. So the module just plugs right in. It's really not a big deal. That gives this machine a cash capacity of $300,000, because each cassette can be configured to hold hundreds. So as we're going to see, you know, you make the call at the end of this presentation: do you think that the locks and everything that are protecting 300,000, you know, potentially $300,000, do you think they're adequate or not?

Moving on to the top of the
device, this lock is, like I said, usually keyed the same as the front, and as mentioned, can be picked. I'm showing you there that the lock is indeed locked, and I'm showing you there a cylinder lock pick. So these cylinder locks have seven or eight pins. This one in particular has eight pins. So I insert the pick and I start jiggling it back and forth, which moves the picks up into the right position, which moves the pins into the right position and unlocks the lock. So it didn't take very long at all. You could also just buy this key on eBay. So if you are lucky enough to get your hands on an ATM, like I did, for cheap, and you don't have the key, here you go. Go buy a key. Okay.

Now let's have a look inside here, inside the top. Not many people get to look in here. I figured I'd give you a look here as well. Here are all the wires that go down to the CDU, and these come up, and there's the printer module. There's the power supply, a straight five-volt power supply, I believe, to the board and 12 volts everywhere else. Here is the receipt printer. It has its own board and a serial connection and power cables there. All of these cables come up through a junction right at the base of the main unit, and there we see the main board. The main board here has an SD card and a lot of DIP switches that change modes and do various things. And we see an HDMI cable connector and a couple of USB ports. And then over here on the other side, we will see all of the different serial ports that drive the different pieces and parts of the ATM itself. There's the Ethernet cable. There's the modem and the printer port. And down here, we have the card reader. That's where all the money comes out, and right below there is the electronic, the encrypting PIN pad, the EPP that I replaced. All right, wonderful.

So we see the inside, and I mentioned the Ethernet port. So this thing is obviously talking to the internet, and it's obviously somehow doing transactions. So how does that work? Well, whether it's through a modem or it's through a NIC or something, we get an internet connection to the PPH, the payment processing host, using something called the Triton Protocol. And then from there, we're going to go to what's called the interbank network. So what is that? First of all, the processing host provides the connection information and encryption keys, which are configured in the ATM computer. The processor takes a small percentage of the transaction fee, which, you know, is determined by the owner and charged to the user for each transaction. There are hundreds of processing companies to pick from. I just threw up a few brands here.

An interbank network, the next step, is also known as the ATM consortium or the ATM network. And it's a computer network that enables ATM cards that are issued by a financial institution that is a member of the network to be used in ATMs that belong to another member of that same ATM consortium. And so the way that the banking industry came up in America was very fragmented. So there were a lot of little mom-and-pop shops and a lot of little networks everywhere. In the 2000s, like 2003, by then we had a consolidation resulting in three major interbank networks. And now about 70% of the volume in the United States goes over those three networks. Past talks on ATM hacking have
discussed building a dummy backend for the ATM network for the ATM to connect to, that would pretend to be the payment processing host. But I really wanted to see what the real thing was like. So to do this, I had to become a licensed ATM operator. So why did I do that? Well, I really want the full, real experience. I want to understand exactly what it takes to take an ATM to fully functioning and operate it after the fact. After my research is done, I want to put this thing in use. Minnesota is about to legalize weed, so maybe I'll put it at a dispensary. I don't know.

So why do I have to be licensed? Well, the primary reason these laws and these licenses exist is to prevent money laundering and funding of nefarious activities. This is really tied to the Patriot Act of 2001. So you can imagine what I mean by nefarious activities. The licensing is done through NMLS, or the National Multistate Licensing System. I provide, you know, processor information. There's a background check. I have to fill out a bunch of paperwork. I have to show them my bank statements and let my bank know what I'm doing. I have to pay a couple hundred in license fees, and it takes about four weeks or so. And you're gonna do something wrong, because no matter what you do, you're gonna do it wrong and fill out the paperwork wrong, and you're gonna have to do it back and forth a few times and sit on hold with the state and whatever, but sooner or later, you will become a licensed financial terminal owner. All right, so I've got
this thing on the network. I have my license. I can connect to the ATM network, the real thing. How am I going to do that? Well, I'm going to use a LAN tap, because I want to do this very transparently, and not in any way that somebody can know what I'm doing. There's no opportunity for traffic manipulation here. It's really just sniffing, and I'm sniffing my own traffic. So as I run my own transactions with my own card, I can see what's happening. Now, the way a LAN tap works is there's a pass-through that goes directly through and is transparent to the server and the client. These other two ports that you can see are outbound from the ATM. So outbound traffic, which goes to my laptop, and then inbound traffic, coming inbound to the ATM, also goes to my laptop. And so if I spin up Wireshark and attach to both of those Ethernet devices, I can see both-way traffic. The problem is, it's encrypted with TLS 1.2. But the ATM provides you a way to upload your own signing certificate, which I found very interesting. If you put a self-signed cert on a USB and stick it into the back where we saw before, and you go to this screen, it says "download cert from USB." So I'm not really sure how that all makes sense, but it's there.

All right. So we've taken a little look at the inside. We've taken a look at the network. With the EPP replaced, I can now successfully boot the ATM and insert some data. One side note here. Anytime I see a big red thing that says "warning" and then "do not," you know, do something, I always pay special attention to that. I like to do things that I'm not supposed to do. So this one says, don't remove the cover, bad things will happen. At some point, I'm gonna go look into exactly what that bad stuff is and see how this is implemented. It sounds like a really
interesting research project. So anyway, booting this time, I get this great error message that says "FFFFFF." That means that I need to provide some more setup information to the machine. All right. So to access the admin screen, I'll do Enter, Clear, Cancel, 1, 2, 3. All right. And so this gives me this nice "enter password" UI, right? But I don't know the password. This is the PIN I need to get to the admin interface. I tried multiple times to reach anyone associated with the previous owner. Still no luck. So I have no idea. The PIN is stored in memory somewhere on that board. I have no idea how to get to it. I don't know if it's encrypted. It's good to note that this password is different than the safe combination. The safe vault lock does not have any idea that this interface or this computer even exists. They're completely separate. This is just to get access to the admin operator interface.

The default password here is 555555. I know that because it's in their documentation, but unfortunately for me, that didn't work. I tried and I tried and I tried, and I was up very late. The UI does give you three chances to enter the correct password, but then it'll send you back to the start screen again, and then you have to do Enter, Clear, Cancel, 1, 2, 3. After a few days of guessing and falling asleep in my chair after guessing, I gave up and looked for other ways. So it turns out, after a lot of Googling and reading, I found that in recent versions of the software, Hyosung has implemented a security feature where the operator function passwords cannot be reset to factory default unless performed during the machine's first boot after reloading the software. If there's any way around this, I have no idea. I couldn't find it. The search continues.

All right, so how does the software reinstall work? Well, there are various versions of the ATM software available if you search around. I found this one and downloaded it. I would love to find some older versions of this. If anybody knows where I can get my hands on some older versions of the software for the Triton 2700 CE, I would really appreciate it. This set that I found was, I think, the most recent version. And so I put it on an SD card. There are various files here. If you want to know what they do, I think Brenda So talked about that in last year's talk. I did delve into the update folder, where I found a master zip file, and opening that is super fun. There's lots of fun stuff to play with here. I'm not sure if the .bat files or some of these other files, the icons and the backgrounds, have any sort of CRC associated with them, if there's anything run on those, if you can modify those and put them back on this disk and stick it in the machine and have it do some fun stuff. That's another research topic altogether that I wish I had time for and will probably do in the future.

So my SD card goes in this slot. I have to push down DIP switch number four to make it boot into diagnostic mode. And this is where the computer will do all kinds of fun stuff and read things off the SD card. So pick SD card, and now
the initializing screen, we get out our old Nintendo
fingers and do left, right, clear, left, right, clear,
clear, cancel clear, left, right, clear, clear, cancel. If successfully recognized,
the machine will ask you if you want to reset the master password. And then it will be set back to 555555. There's one caveat to this. It's not gonna happen unless
the safe door is open. If the safe door's not
open, you're just gonna get back to this screen. And so, at this point,
the safe door is not open, but I need to open it. I need to open it and to
complete the password reset for the computer, and I
need to get into it to see if there's any cash in there, right. I really don't want to destroy
the door in the process. I've already explained why. So the first question
that I have is, you know, how does this computer
know the door's closed? There must be a sensor somewhere in there connected to the door,
connected to the main board. I have access to the main board. I should be able to do this. So I reached for my favorite
tool, the borescope. This here is a DEPSTECH unit. Five megapixels, HD resolution,
the rechargeable battery, wireless connectivity, it's great. Wired is rigid. You can bend it around corners, you know, and it's 50 bucks on Amazon. How could you go wrong? As we'll see later in this
talk, I did use this other tool, this other smaller scope
called an otoscope. It's made to stick in your ear. This has a diameter of 5.5 millimeters, much smaller than the previous one. It's about 50 bucks for
this camera as well. So I got the scope inside
the ATM using the corners of the cash dispensing
tray, and also that hole where the wire came off
of the lining of the door. This is what I see inside. It's the reject bin. I can see the lock, the
electronic safe lock down there. I can also see some wires
over far down there. If I turn the borescope a
little bit, I can see a rigid. I can see the wire, or I
can see the safe switch, the momentary switch is
the word I was looking for. This momentary switch which
is connected to the door and the door is pushing it
in, and it's basically telling the computer the door is open or closed. Following this wire up away
from the momentary switch and across through some
portion of the ATM, it finally does surface through this hole, up to where the main board is. It comes over to this junction where it's conveniently labeled front. And then it goes on over to the board where it's labeled CN16. So if I unplugged this, the question is, does it fail open or closed? Well, let's do an experiment to find out. I recorded this demo after
I had the vault door open and the ATM was all
set up and operational. But the results are the same
because the door's closed now, and the ATM is operational
because of the door is closed. If I pull the door sensor plug, then the computer should think
that the door is open and it should become not operational. So what happens is, I pull
out the plug and it says, the door is open, the ATM is
temporarily out of service. But it's not, right? We just saw the doors closed, but this is exactly what
we needed in this case. So I pull out the plug, I reboot. And while initializing,
we do clear, left, right, clear, clear, cancel. And we get to this screen,
Reset Master Password. Reset master password. Click, yes. All right. It reboots one more time. I get here, I do 555555. And here I am as an administrator
inside the computer. All right. So at least one of you is wondering what was that QR code back there? Well, it's nothing. I'm not sure why that's there. It does not seem to be
something that is alterable through the configuration
and it just leads to nothing. A Google search, I guess. I have no idea. Alright, so now the password's reset. I can get to the ATM. Inside, I can configure it as I wish, but we really need to get into
the safe to make this thing fully operational and, well, see what's in there, right? So, how? Well, first things first. What lock is this thing? Back to the borescope for some recon. I can see the lock. I can see some writing on it. It turns out, with a little Googling, I find that all of this particular type of ATM uses this LaGard LG Basic electronic lock, and this is what it looks like. Now, in 2016 at DEF CON 24, Plore did a great talk about side-channel attacks on this type of lock. He used the side-channel attacks to deduce the correct combination of this Sargent & Greenleaf Titan PivotBolt, very similar to the lock that I have, the LaGard Basic, but not exactly the same one. However, this YouTube video by EEVblog attempted the same attack on a LaGard lock, but without success. So I decided to come up with another way. To figure out how these things work, I ordered one.

And I also found out that there's another option, which I assume works the same sort of way, along the same lines as Plore's attack. This is called a Little Black Box, and this device, as well as this Phoenix device, can basically reset the safe combo. So you take the cord that goes into the safe from the keypad and you hook it up to this device. It determines what lock you have it hooked up to, and then you click reset. And what it's gonna do now is some sort of an attack against the lock itself. I believe it basically guesses every combination in less than 15 minutes. And once it guesses the combination, I guess somehow it resets it. I really don't know how this thing works. You can only buy this if you're law enforcement, or if you own a bank, or are a licensed locksmith. So it costs about $3,000, and I don't have that much money, so I need another way.

So I take off the cover. We see the circuit board. If you take the circuit board out, then you can see, like, the lock mechanism with the bolt and the rotation axis of the bolt. The main vault handle forces down and rotates it in a clockwise direction. There is an anti-force mechanism here. There's a spring and a notch on the lock. And the bolt, if you push down too hard, that notch basically engages and you can't push anymore. If we are able to rotate that lock fully clockwise, then it will push that secondary bolt over into the notch, into that linchpin. Now that linchpin will stop
the secondary bolt from going over there, unless we
type in the correct code, which then provides a nine
volt DC charge to the little motor attached to the linchpin. The motor runs, the linchpin is moved and we can open the lock. All right. So now we know how this thing works. Here's a closeup of the
DC motor in the linchpin. And again, if we, if we
apply a charge to the motor, then it'll open. So basically all the money
in this vault, $300,000 potentially is protected
by the lack of voltage to this DC motor. So is there a way from the
outside of the vault to get voltage to this DC motor,
without anyone knowing, or without destroying the
lock or destroying the vault, or just throwing the case? Let's have a look. This is a short video
of the lock-in action. Look in the middle of the
lock at that linchpin, and you'll see, after I type
in the code, the motor turns, the linchpin goes up, which
would allow the bolt to turn and the lock to open. All right, so here's
a look at the key pad. And another interesting thought
that I had was, you know, there's a lot of space inside
this keypad thing that mounts on the front, and it doesn't
appear to me just doing some cursory research that there's
any encryption of the numbers that are pressed on the
keypad as it's being sent into the lock. And so what you see here
is a small experiment with an Arduino Nano in which
I'm hitting keypad presses on, pressing on the keypad and
recording the key presses into an Arduino Nano, and then passing that back on out to the lock. Very interesting research
can be done here. I believe this is a successful
man-in-the-middle attack against this particular lock. So, yeah, moving on from
that, we can see that I wasn't gonna be able to use that attack to get into my safe. I had to continue on. Here are the power wires. They pass directly under the circuit board on the door side of the lock. So the metal you see in this
picture would be actually against the door, and the
locks sits directly behind this keypad and the keypad is removable. And if we do remove the keypad, we can see through the hole
where the wire goes to the lock, that it is indeed the back of the lock. And it gives us this little
nice landmark to know exactly where on the lock we are
because of this little silver, solid silver dial. I have no idea what it
does, why it's there, but it is there and it
gives us a landmark. That little red X you see is
exactly where those wires are that we need to get access to. All right. So I need the right tool for
the job to get access to this. Something I've always wanted, an electromagnetic drill press. All right, so you're probably
saying, wait a second, this is cheating, right. Well, hear me out, hear me out. I figure if I can just get
a visual on those wires from the outside, I can come up with a way to supply current to them. And there just happens to be
an existing hole in the door from the factory that
allows for a different orientation of the keypad if you want. The hole is a quarter inch in diameter, and it's exactly where I needed to be. And it's there from the factory. I need this to be a little
bit bigger, but not too much. I went with a half inch carbide bit. So I made the hole diameter
a quarter inch bigger. All right. Well, I put this bit in and
I get my drill hooked up. Now this drill has a
binding capacity of about 3000 pounds per square inch. It's not going anywhere
once you turn it on. And the RPMs of this drill is about 1200. A carbide tipped drill bit, really no match for this safe door. It really only takes a couple
of minutes to get in there. It takes me a little bit longer, 'cause I'm not exactly
sure what the depth is. But suffice to say, I
get into the lock without damaging it in any way. And now we can see the wires of interest. And now keep in mind if
I put the keypad back on, our mischief is fully concealed
and nobody is the wiser. All right, so the last
piece of the puzzle. How do I get power to these
wires through this half-inch hole without breaking the lock? After a lot of thinking
and digging around, I figured out that there's this tool called a puncture probe. It's exactly what I needed. This is how it works. The idea, you retract the
probe, the puncture pin, you get the wire in there
and you release the pin into the wire and you have connectivity and you can connect a wire
down at the base of the probe. So this is kind of what that looks like. I built my own probes because those plastic ones were far too big. So what I'm doing here is I've
punctured these wires on my work bench and I'm applying
a nine volt charge to them, and you can see that it is opening. Again, the problem was
that these were way too big for the access port that I had drilled, and I certainly didn't
want to cheat anymore by making the hole bigger. So I designed something smaller. At the time I used this
little piece of wire with a hook on the end. And here you can see that, you know, this is what it looks
like when it's all set up. I hooked up the nine-volt
battery and nothing happened. I was a little worried that
my nine-volt battery was bad, so I hooked it up to a DC power supply, and I gave it 17 volts, just, you know, in case it needed a
little more extra juice. Here's the full scene
when the vault was opened for the first time back in, I believe, the end of March, early April. And yeah, so you can see the scope there, and you can see my tool,
the tool that I use, the puncture probe. You can see the wire tool that I created, the inside through the borescope. And then here we go, the door
is open for the first time and we can see inside. So here's a demo of what just happened. As you can see, the lock is
locked as I pushed down on it and attaching the probes
and applying voltage, and the lock opens. I'm gonna skip forward
because I'm running out of, I'm a little bit,
running out of time here. So we're just gonna go pass this one to... Again, if I put the keypad in place, there is no evidence of intrusion. And as an added bonus, if you
want to go the extra mile, you can cover the access hole with this half inch plastic cover. Barely noticeable, right, right? All right. So again, not as satisfied
with the smaller probe. There must have been a way
to do it with a smaller hole. So I started taking these pros apart. I pulled off the plastic sheeting
and saw the probe inside. I went and grabbed a stainless
steel, three mil tube. I put a little notch in it,
in the end and heated up the tube to melt into
the plastic of the probe. And this is what it looks
like when it's all together. And it's a lot smaller. It's 6.2 mil versus 2.9. So a lot smaller, which means
I can now do this attack with a much smaller hole. All right, some loose ends quickly. I sent dormakaba this
letter to let them know some pre disclosure, pre-talk disclosure. I never got any response from this. Here is my email to
security at Hyosung America. I never got a response to this one either. So I got a delivery
failure notice, instead. As far as the money, there
was money in the ATM. I'm a trusted source, advice. I am not gonna tell you
exactly how much it was. I will not disclose that, but
there was enough to pay for the research project and the
ATM and a little bit leftover. All right, some follow up research. ATM Wi-Fi, really cool, I think. The vault lock,
man-in-the-middle I showed, ATM software modifications
we talked about. Maybe the USD and SD card
could be fun to mess with. Internal serial comms between
the top and the bottom, right between the CDU and the computer. Can we capture and replay? How about EPP deconstruction analysis? That warning message we saw. All of those topics, I
think are fascinating, and I will continue research. If anybody else wants to join
me, please reach out to me. So in conclusion, no key, no
pin, no combo, no problem. Thanks for watching. Have a great day. And I hope you have a fabulous DEFCON. Bye-bye.
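The keypad-to-lock link the talk describes (digits passed to the lock in the clear, which is what let an inline Arduino record and forward them) is modelled below as an added example that is not from the talk and not the protocol of any real lock: a toy Python comparison of a plaintext link, where a tap learns the combination and a recorded frame can be replayed, against a nonce-bound HMAC exchange where neither works. The shared key, the combination and the frame layout are all constructed assumptions.

```python
"""Toy model: plaintext keypad-to-lock link versus a nonce-bound HMAC link.
Constructed example; not the LaGard protocol or any vendor's firmware."""
import hashlib
import hmac
import secrets

COMBO = "123456"          # constructed sample combination
KEY = b"\x00" * 16        # constructed shared secret between keypad and lock


class PlainLock:
    """Lock that receives the pressed digits in the clear (what the talk observed)."""
    def __init__(self):
        self.log = []     # everything an inline tap on the wire would see

    def try_open(self, frame: bytes) -> bool:
        self.log.append(frame)
        return frame.decode() == COMBO


class AuthLock:
    """Lock that issues a fresh nonce and checks HMAC(key, nonce || combo)."""
    def __init__(self):
        self.nonce = None
        self.log = []

    def challenge(self) -> bytes:
        self.nonce = secrets.token_bytes(16)
        return self.nonce

    def try_open(self, tag: bytes) -> bool:
        self.log.append(tag)
        if self.nonce is None:
            return False
        expected = hmac.new(KEY, self.nonce + COMBO.encode(), hashlib.sha256).digest()
        self.nonce = None                     # single use: a replayed tag never matches
        return hmac.compare_digest(tag, expected)


def keypad_plain(digits: str) -> bytes:
    return digits.encode()                    # digits go over the wire as typed


def keypad_auth(digits: str, nonce: bytes) -> bytes:
    return hmac.new(KEY, nonce + digits.encode(), hashlib.sha256).digest()


def demo_plain():
    """Returns (opened, tap learned the combo, replay of tapped frame opened)."""
    lock = PlainLock()
    opened = lock.try_open(keypad_plain(COMBO))
    tapped = lock.log[-1]
    return opened, tapped.decode() == COMBO, lock.try_open(tapped)


def demo_auth():
    """Returns (opened, tap learned the combo, replay of tapped frame opened)."""
    lock = AuthLock()
    opened = lock.try_open(keypad_auth(COMBO, lock.challenge()))
    tapped = lock.log[-1]
    lock.challenge()                          # lock issues a new nonce for the replay
    return opened, COMBO.encode() in tapped, lock.try_open(tapped)
```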