Jackpotting ATMs (Automated Teller Machines): It's easier than you might think - Alexander Forbes

Captions
Good evening everybody, my name is Alexander Forbes, I'm with IBM's X-Force Red, otherwise known as our penetration testing or ethical hacking team. I'm here tonight to talk about penetration testing of ATMs, automated teller machines otherwise known. This presentation is Jackpotting ATMs: It's Easier Than You Might Think. I'll try and get the corporate spiel out very quickly: what I talk about here IBM does not endorse, please don't go and attack ATMs unless you have a signed contract and you know what you're doing. Hopefully you'll learn quite a lot about how we go about attacking an ATM, and also the weaknesses that exist in the industry and where the industry needs to go to start improving the security of these devices. Big warning in advance: the things that I talk about here do tend to go badly if you're doing them in public, even if people are aware that you're going to be doing them. If you're doing a pen test of an ATM somewhere in the wild, at a shopping mall, at a bank branch, even if it's all fully signed off, you do tend to get people with guns turning up, even if it's legitimate. That being said, if you don't have permission it's also a very bad idea; again, people with guns do tend to turn up and they tend to not be too happy. I'll talk a bit towards the end about, if you want to get away with it, what you might need to consider before having a go without that.

The main agenda: I'll cover a brief history of ATMs. This is important because to understand how the technology's developed and how the vulnerabilities have been added over time, it's kind of critical to understand where the technology has grown from. I'll talk about what a modern ATM is, the components it consists of and the architecture that has evolved around dispensing cash to end consumers and providing the functionality that you see in a modern ATM. I'll cover attack surfaces, how we can attack them, what different strategies you can take, and the defenses that are already in place, how you can bypass them and how they are being evolved to try and protect against the kinds of attacks that I'll talk about later. Finally I'll give a brief discussion on what you think about if you are attacking an ATM and how to get away with doing it, please be careful with the knowledge, and finally lessons learned: if you are responsible for managing a network of ATMs, or you work with clients who are, what sort of things they should be considering and what sort of attack models they need to be aware of.

So briefly, a history of how automated teller machines have been developed. Historically there were devices that people could use to access their account and do something well before what we know as an ATM was developed. There's argument over who developed those and what they were, some De La Rue jobs, other vendors, but what's defined as the modern ATM, that is something with a card reader, a PIN entry pad, probably a receipt printer of some kind and the ability to dispense cash, was invented, depending on which historian you ask, by either IBM or Docutel back in the 1960s. Historically, back in that time, those systems were very specific to the organization they were part of, so the back-end banking infrastructure was generally quite custom and each ATM deployment was custom to that customer. Over time there's been a lot more standardization and consolidation, whereas even as late as the mid to late 1990s there were many ATM vendors in the field: Philips, Olivetti, Hitachi, Diebold, Wincor Nixdorf, Siemens. Nowadays there are very few major players. This has gotten so bad that in some countries now regulatory authorities are getting involved to say actually there are too few vendors and too few suppliers in this space. As a pen tester, however, this is fantastic news: if you know that you have an attack that works on one particular vendor's model and there are only three vendors widely used, then you've generally got a portable attack that scales to many, many devices, often in many, many countries and regions of the world. These days, for the UK specifically, roughly a 99 percent market share is split between Diebold Nixdorf (previously Wincor Nixdorf, Siemens Nixdorf and Diebold, merging), NCR or National Cash Register, and Triton. In other countries the mix is slightly different, but there's very, very few other players in the market at this time.

I mentioned earlier that standardization had happened quite significantly over the time period to where we are today. This mostly started back in the early 90s with something called XFS, or Extensions for Financial Services, and the reason for this was driven by the banks: they didn't want vendor lock-in with the ATM manufacturers. So what's happened over time is you now have a middleware layer that abstracts the banking UI, which they get to control and customize, from the hardware of the ATM, which is interacted with by that application through that XFS API. So a lot of the attacks that we see target this abstraction layer. It's not particularly badly designed, but it does have some fairly significant flaws, which I will hopefully get to later. But anyway, in brief, ATMs these days are fairly homogeneous: they're very, very common, very, very similar functionality, most of them are built off the same fundamental platform and adhere to the same standards. There are lots of discrepancies in various different models, but fundamentally if an attack works on one ATM it's generally portable to all the others that you see out there.

So, what a modern ATM looks like. Pretty much it's a standard machine. Traditionally, across all of the ATMs that we mostly deal with, they're running a relatively standard 32-bit machine, often running Windows: historically Windows XP, nowadays Windows 7, sometimes Windows 8, some Vista ones, but I've not really seen any Windows 10 yet. There are a few, and I stress a very small percentage of the market, that are Windows CE based, but again it's getting much and much more rare, because as banks move to more complex ATM devices where people can, say, top up their mobile phone or do other online banking tasks, transfer money onto cards and do prepay systems, those features and capabilities are much more difficult to port to Windows CE simply due to lack of market support. But anyway, fundamentally you have a 32-bit system, and connected to that system are the various peripherals and pieces of equipment that make it an ATM. A receipt printer is just like a normal USB printer; in most ATMs it plugs in, thermal printer, exactly the same thing you would find in most point-of-sale systems. The PIN entry pad is again a sort of self-contained unit that connects, in most ATMs, via USB. Some of them use touchscreens, some of them use buttons alongside, some of them support both capabilities. The other key peripherals that you tend to find, beyond the card reader and the cash dispenser, are some kind of security options. You normally find sensors: it's very, very common for ATMs these days to have an integrated camera, sometimes there are tilt and motion sensors, and tamper switches to identify when the casing has been opened.

Most of you will have seen something that looks like this. Ignore the brown splotches, the brown splotches are there just to make sure we don't get sued, but this is a relatively modern, common ATM model that you might see around. You'll notice at the top that large black panel; behind there is a camera. In many models you'll also find a microphone there, and depending on the configuration of the ATM it may do things like take pictures every 10 seconds, every minute, or only take pictures when a card is inserted and put the card number into the picture that it saves. The two mirrors that you see in the top left and right are there for a good reason, I'll talk about that later, but it's not just there to protect the ATM, it's there to take the use case of someone using an ATM. The other facilities that you can see there are all the core essential bits. At the bottom of this picture you'll see a thick line that separates the top part of the ATM from the bottom part. The top part, known as the top box, is where most of the electronic components are kept, everything pretty much except the cash. The bottom part is almost entirely taken up by a safe, and that safe contains cassettes which hold the cash itself and the dispensing unit that dispenses the cash, which is almost always completely contained within the safe other than the connection via USB and power to the top box. This particular model has a sensor that you can see on the far left which allows the system to detect if somebody's forgotten to take their cash out of the machine after requesting it, which is a surprisingly common issue that you see.

Inside an ATM. This is a different model, but if you take the model before and we slide the front panel open, we see something like this. You can see the receipt printer here on the inside, the camera up in the top right of there, so top left, excuse me. The air vents allow the computer to vent hot air outside. Behind, next to the camera, you'll see there a latching mechanism, and if you're able to see it, it's a very, very small silver dot in the top left of that picture; that's where the locking mechanism to allow it to open and close is. To the front of that you'll see that the PIN pad here is directly below the screen, and again it's shielded, so they've invested a little bit more in trying to shield against shoulder surfing attacks in this particular model. But fundamentally, a computer and a bunch of peripherals plugged together. Looking down into the inside there, you can see the receipt printer on the right of the picture below, and on the left there's the card reader where your card gets put in. Every card reader I have seen has the capability to keep and retain cards; whether they do so, whether the software is configured to ever retain cards, is something that the vendor chooses or the bank chooses, and generally that may depend on whether the ATM is located in a bank facility or if it's somewhere else. In this particular model that this picture is of, the computing unit is integrated effectively with the screen, it's one of the small form-factor machines, and if we look towards the screen, which you'll see in the picture on the right, there it is behind a USB expansion board: just a standard Intel 32-bit computer running Windows 7. Older ATMs sometimes have a tower form-factor machine at the back rotated by 90 degrees, but fundamentally the architecture is SATA connections or IDE connections, USB or powered USB for the peripherals, and sometimes some custom components such as GPIO stuff for tamper switches. Here's an example: you can see the extension board from the previous picture in the bottom right of this picture, and above it you can see standard caddies for small form-factor hard drives, and above that a connector that links it to the touchscreen. Pretty simple.

So they have made some efforts in most of these designs to harden this platform. Everyone's probably familiar that x86 has quite a lot of fundamental problems with its architecture when it comes to security; so do all the operating systems, and in this case the connections, being standard USB or GPIO or others, can be intercepted. So there has been some work to try and harden these basic platforms. On a high level, if it's a Windows-based system, almost always the shell that is launched into is a custom one. Sometimes they have custom authentication providers. Good organizations will remove certificates from the certificate trust store except for those for, obviously, Windows components that need Windows Updates and digital signatures, the people who manufacture the ATM and their own software, or software they've installed aftermarket such as whitelisting protection software. It's very common to see either McAfee Solidcore, GMV ATM Security, Symantec Critical System Protection or other system hardening utilities. Those are generally used in a lot of other use cases beyond ATMs; if configured properly they're very, very good. That being said, they're not always configured properly. There are also some things that the manufacturers of the ATMs customize with the hardware. It's quite common to see customized BIOSes, and these are normally there to prevent you doing basic attacks such as booting from external media. Some of them have options for using things like TPM chips for things like whole drive encryption, but it's quite uncommon to see them being implemented properly; although the hardware may support those security capabilities, adoption is pretty low.

So, ATM attack surfaces. ATM designers need to be aware of more than just the actual ATM itself, because it's part of a much more complex system. You have the back-end environment that it needs to talk to, the banking infrastructure that authenticates and authorizes transactions that are being attempted through an ATM. Therefore generally these ATMs are also designed, with the software loaded onto them, to try and defend against a compromise of the back end to some extent. So if somebody gets on the ATM network, ideally you don't want them being able to port scan all your ATMs, see they're running standard Windows 7 and try standard Windows 7 exploits against them, or any other particular operating system. The way that ATMs are designed to be maintained, to be loaded with cash and unloaded, is designed to prevent certain kinds of attacks. So for example an ATM maintainer, when they open an ATM, normally can't access any of the underlying functionality of the operating system. When they open the ATM there is a physical switch they can press; that switch sends a command to the operating system which says change the on-screen application to this other permitted on-screen application, but in theory they should have no access to the underlying, for example, Explorer shell or other applications on the system. And indeed, if configured properly, the application whitelisting stuff shouldn't allow anything else to be started, and again shouldn't allow the applications that are whitelisted to do things they are not whitelisted to do. So for example, if the maintenance application isn't supposed to open UDP sockets, it shouldn't allow them to do that. So there are protections against those kinds of threats, somewhat trusted user threats. They also have to obviously protect against physical threats, cash-in-transit robbery, and also threats that attack the end user of the device, so things to try and prevent things like shoulder surfing, skimming attacks, or simply somebody coming up and threatening someone. So in that picture I mentioned earlier, the two mirrors in the corner, they are there to try and help people identify maybe I shouldn't be using this ATM right now. The point of this particular slide is to demonstrate that when you're designing an ATM you need to consider significantly more than the security of the kiosk itself. The positioning of the kiosk is often quite important: making sure it's covered by CCTV; normally you want it somewhere where people are going to be able to see it and use it and interact with it; you want it in places where people will need money and will be getting money to spend, so they're not normally in the middle of nowhere; hopefully you also put them in places where people will report if something's going wrong, they'll call the police if they see somebody tampering with it, those sorts of things. But as part of the overall system these factors are actually very important to securing an ATM, predominantly because it limits the time an attacker has to be able to pull off an attack. So physical attack surfaces and network attack surfaces, attacking the embedded ATM computer and attacking the ATM hardware that connects to it, are all issues that you need to consider when you're constructing your ATM or deploying it.

So when we first look at ATMs, when we're asked to assess one, the first thing we look at is what the physical security is like. So what would an attacker potentially look at, what's the easiest way of getting the money out of this machine? Attacks that have been pulled off successfully against ATMs mostly tend to be brute force in nature. Most of the successful attacks that have gotten significant amounts of cash out tend to involve explosives, heavy equipment, trucks dragging them around. So the way they mitigate against this is ATMs are very heavy, they have a large safe in them, they're often anchored or concreted into things. That being said, somebody with enough motivation and resources and willingness to do those sorts of attacks generally has the opportunity to do so. The location thing that I mentioned earlier, where they're located, that tends to again matter: if they're located behind security bollards that stop them being ram-raided, those sorts of protections can help.

Networking attacks are again things that you need to be particularly aware of with ATMs. Generally ATMs are deployed to be available and reliable; you don't want the network to be offline. That means that a lot of banks and a lot of ATM owners are reluctant to patch and update the operating system. That's particularly acute when it comes to networking issues. A lot of the networking configuration that we see in ATMs is relatively weak, and the reason for the weaknesses is partly because they don't have the deep systems knowledge of architecting secure end-to-end solutions. They think this is on a secure network, it's on the ATM network and that's not connected to the Internet, so we don't necessarily need to think about these sorts of attack vectors and threat vectors. Universally this has proven to be a terribly bad assumption. I'll talk later about how we've been able to man-in-the-middle a lot of ATMs without any significant challenges. The ones that do it very well, you can almost always eventually man-in-the-middle too, if you're able to get any form of access into that top box. The other thing to be aware of here is a lot of the traffic and the services that are exposed: if you are able to review that traffic, you can often intercept what's going to the back end in terms of logging data or auditing data. So for example tamper switches and some of those ancillary security devices don't use encrypted or authenticated connections, so if an attacker is able to intercept and interact with a network link they can potentially reduce your ability to detect that attacks are happening.

The embedded ATM computer, being fundamentally an x86 machine with Windows: if you get root on the system, well, you can pretty much do anything you like. There is some protection software, so things like the ones I mentioned earlier like Solidcore and other application whitelisting systems can be used to help in some of these areas, but in reality once somebody's managed to get into that operating system all bets are off. This is how most successful attacks tend to play out. Finally, if you have access to the ATM, attacking the hardware components is an option. Some of you may be familiar that back in 2015 we started seeing groups of hackers taking custom hardware, so Raspberry Pis or things that they've customized themselves, written their own interface to the ATM components, and by connecting them in they can send commands directly. These attacks have since evolved: now they're no longer so stupid as to just try and dump all the cash, but they'll sniff all the data of the card users first for a fair number of weeks so they can sell that data, and then dump the cash afterwards.

So, the threat models I mentioned for ATMs. Physically they're heavy; if you are pen testing an ATM be careful when you're rocking the thing around, because if it falls you're not going to stop it falling. That being said, a motivated attacker with a couple of strong people, as you can normally get, can normally move one without too much trouble. Again, defending against them: put them into busy places, try and make sure that they are covered by CCTV. But be aware, again as part of the threat model, a lot of these places aren't frequented at night; if you go after an ATM at 3 in the morning there's probably not going to be anyone there for a good hour or two. Some of the concerns with the physical security is that the casing of most of these ATMs is actually really, really weak. The fascia is normally just clear plastic; immediately behind that you may have some thin sheet metal, and that means that physically getting in, if you can get round to the sides or the back of the ATM, or even at the front, you can get into it without a huge amount of force or challenge to do so. The keys that I mentioned earlier, and you saw in some of the pictures of ATMs, are universally terrible. I'll show you on the next slide just what I mean by universally terrible. I can buy copies of these off eBay, off some dark markets on Tor, and a fair few people will quite happily sell me keys for various ATM models, and a lot of the physical security of these ATMs doesn't view that sort of attack vector with the right level of scrutiny. So for example, the model that I show here, I was able to break into this ATM with a piece of wire going through one of the air vents to hook over that latch, to pull it back to gain access to the top box. For those of you that went to the lock-picking village, or anybody here who knows about physical lock security, which is not my field, that key is not a particularly complex key, and that's used by a current generation model of a widely deployed ATM to access the internals of it. Yeah, you can buy those off Alibaba, you can buy those off Tor, and if you can get to an ATM you can pull open the insides.

And the physical security of an ATM also extends to being linked to the network security of it. So for example, here is a relatively common kind of problem we find with ATM installations. This ATM you can see on the right-hand side is the big white box, and it's within this cage that you can see in the left-hand picture. The person who was responsible for replacing the till roll, the receipt roll, in this ATM did not have the keys at one point, so just decided to force a lock open, but it kind of shows you the level of physical security that went into the furniture of this particular ATM. Even worse, if you look in the right picture at the bottom, you'll hopefully see that there is a gap between the blue frame here and the floor; there was no attachment of this frame to the floor. We could just literally slide the frame back away from the ATM and access everything inside the back of it. No thought whatsoever had gone into the furniture in the deployment, and that's actually a relatively common problem, particularly with freestanding ATMs, but also those that appear to be built in but have nothing more than a tiny piece of plasterboard or wood between them and another ATM. The reason I mention this matters for network security is, if you look here, all those network cables are fully exposed. This particular ATM connected straight into an LTE router, so from here we were able to access the antenna for the LTE router. Fortunately they were sensible enough to put the LTE router in the ATM itself, but in other ones you sometimes find modems, routers and other critical equipment that provide the connectivity outside of the ATM enclosure, which gives you an immediate way into the networking stack of that particular ATM. A good installation will make sure that none of this stuff is accessible; normally you would ideally want it to be a separate room that is physically locked and concreted in, but a lot of real-world deployments just don't have that flexibility.

When it comes to the networks, good practice, and this is rare, but good practice tends to mean that you have multiple layers of encryption or authentication across it. So if it's a deployed ATM and it's not using a physical connection, you're using a private APN network for connectivity; on top of that, regardless of your connection, you should be using a robust VPN, and over the VPN you should be using at least TLS 1.2 with mutual verification of keys across the board, and a good process for making sure that those keys are sensibly updated and managed. That being said, 30% of the ATMs that we look at don't authenticate their back end properly. So for example, I go to Let's Encrypt to generate myself a certificate for what is supposedly the legitimate back end and do a man-in-the-middle based on that, and that attack simply works on 30%. That allows me to authorize any transaction that supposedly comes from the ATM, as long as I've done a little bit of work to reverse-engineer their particular protocol. Of those 30% that don't authenticate the back end properly, again, a lot of them don't use any application encryption at all, so your card data and the entire transaction goes completely not only in the clear but without any form of authentication to protect it. Universally, with relatively few exceptions, we find the routers and networking gear that connect ATMs are pretty abysmal: three or four different ones that we've looked at, we found zero-days in either the router that they're using to provide uplink connectivity or in the networking architecture that connects that ATM to its back end. There is best practice, it is easy to avoid, but a lot of vendors and a lot of banks don't implement it properly. Doing a good job of the networking security generally, firewalling the ATMs off, making sure they can't see others, putting them into their own virtual LANs, or making sure there are good firewall rules in the case of IPv6, is something that we just don't see being done well enough. When you're seeing Windows machines exposing port 445, you're seeing them exposing other services because somebody's decided the bank image should install TeamViewer and Adobe Acrobat Reader on it, that allows for a much larger attack surface.

So, in theory, most organizations have a monitoring capability. They have a security operation center, maybe using tools like QRadar or ArcSight or Elasticsearch, that was mentioned in the previous presentation. In reality most of those are not monitoring the ATMs themselves, they are monitoring the banking back-end system. So if you connect to the ATM network and then attack the bank's back end, they'll know about it very quickly, but if you connect in and attack the ATM there's a good chance you won't be detected, because in many of the cases the ATMs are not providing logging data up to their SOC. Short outages also aren't necessarily followed up: machines get rebooted, somebody trips over a power cable, so when an ATM goes offline and comes back online it often doesn't trigger any form of alert. That's normally something that should be investigated; somebody should consider, do I need to check that ATM hasn't had any compromise when it comes back online, but it's very rarely actually done in practice from what we've seen. This is an example. You probably won't be able to see what's happening in the top and bottom screenshots there, but this is me just doing a man-in-the-middle interception on the TLS connection of a channel there. Below the stunnel thing you see in the top screenshot there is a standard Wireshark dump just showing it. The one that you see to the right, that's a standard DSL modem, it's a small office/home office modem. I found nothing for patching, no other firmware; the vendor that manufactures it seemed to wash their hands of it the moment they kicked it out the door, and we see that with other deployments as well.

When it comes to attacking the embedded systems, although there has been some hardening done, a lot of that can be bypassed or isn't adopted properly. So for example, although the BIOSes are set to not allow booting from external media in some brands and some models, around 20% of the deployed ones don't have this BIOS level installed, so the function is there but it's never been updated to use it. Swapping the hard drive out is trivial if you have physical access, and this is probably the most critical problem that the ATMs have and aren't defending against at the moment. Whole disk encryption would defend against the majority of jackpotting attacks that we see currently. If somebody isn't able to get in through the back-end banking network and they are doing their attack physically with the ATM, if they're doing the rest of things with best practice, then whole disk encryption would pretty much stop everything: it would stop the theft of data, it would stop the ability for cash to be kicked out through services like XFS or the drivers of the manufacturer themselves. That being said, I have literally never seen it in the wild. It is recommended: if you go to NCR and get their documentation and recommended practices today, or if you go to Diebold and look at theirs, there are recommendations from the vendors, use whole disk encryption. I've never seen it, and from speaking to my peers, we believe less than 10% of the deployed ATMs actually use it. The problem there, as I mentioned earlier, is the ubiquity of very common and very similar systems means that once you can develop an attack for one, that attack is portable to most of the others. So once people are able to attack one ATM, if they can get a hard drive image out, they can then create a new image to attack any other ATM of a similar model or design. Good IT hygiene would protect against a lot of the attacks that go on to embedded systems, things like patching, things like making sure that good application whitelisting is properly locked down. But again, back to the risk-averse nature of these organizations, a lot of them: the ATM's working, let's not mess with it. There are organizations within banks whose job it is to maintain and build ATM images, and some of them are actually pretty good now at patching the OS. After some of them were popped through things like EternalBlue, and previous zero-day exploits allowed them to totally take over the operating system, banks began to learn quite quickly that perhaps patching Windows was a good idea. That being said, they often forget to patch all the other ancillary services.

Amusingly, this was not done by myself, this was done by an IBM company in some research they did: they attacked the application whitelisting services themselves, so McAfee Solidcore, GMV, and we've done some subsequent work on those. Attacking the application whitelisting software, given these tend to run as kernel drivers or as kernel-level services, tends to give you quite unrestricted access to the machine. In that particular instance, an absolutely beautiful attack: impersonate the system that provides the policy and use that to take over the ATM. Of course, the big failure there: the whitelisting solution wasn't configured to properly validate it was talking to a legitimate update server. So pulling out a hard drive from an ATM, if it's not an encrypted drive, which is almost always the case, you will see something like this. It's a relatively standard Windows disk image, and in an attack that we did, very, very quick to do: pulled the drive out, edited the registry offline to disable the application whitelisting services so we could run our own code, extracted the passwords and usernames just in case we wanted to use them, and replaced the shell with something that we would use to instruct the ATM to kick cash out to us. Good fun.

The ATM hardware. So if you're not attacking the ATM embedded machine, you're not coming in through the network to attack the machine, or attacking the back ends to allow the ATM to do things that otherwise it wouldn't be permitted to do, your other option is to attack the ATM hardware. There are some good defenses in place to protect ATM hardware. So for example there's mutual authentication capability between the cash dispenser and the ATM software that runs to tell it to dispense cash. This is part of the XFS standard to some extent, but it only applies to cash dispensing. So if you want to take over an ATM just to sniff people's card data and pull their PIN out of the PIN pad, those attacks are still perfectly viable, because very few vendors have anything to do authentication beyond the cash dispenser; in fact I don't know of any currently deployed models that actually allow you to configure that. A lot of the other ancillary services that I mentioned, so things like tamper switches, drilling sensors, other hardware like the camera for example, again almost universally have no form of verification; they are trusted components. That being said, with the ATM hardware you have all of the problems of an x86 hardware stack and USB and, in some cases, GPIO-based interfaces. I personally think that USB was a pretty bad choice for this. It's a standard, it's quite easy to use, but it's very difficult to reliably put a secure transport mechanism on top. The fact they're using x86 is also an issue; it opens it up to all of the attacks that we know apply to the x86 platform, Spectre, Meltdown, all the other issues that you see applying to Windows. The other big problem you find with ATM hardware is, internally, if I shoot back to some of these earlier pictures you may see in here there's a lot of space towards the back of the device, so if I do want to leave things in there, there's normally a significant amount of room even if my components aren't relatively small. In this particular model you can easily see, where the brown splotches are to the right where the screen is, I could comfortably glue a mobile phone there or any other piece of hardware and attach things into the USB data lines to sniff those.

Okay, so the only successful black box attacks we've seen have been well reported on. This is a picture of one of the devices from Krebs on Security. In most cases that mutual authentication is designed to protect against it, but a large number of organizations simply don't use it, they don't configure it, they don't turn it on. Beyond that, there are also weaknesses in the implementation of those. So for example, I know one of the cash dispensers, although it fully supports mutual authentication, will quite happily accept plaintext instructions that aren't authenticated and still run them anyway, so sending your commands authenticated or not is entirely optional, even though supposedly it should only act on authenticated commands. There are also protocol weaknesses. So for example in the key negotiation phase, if you can tamper with the data stream, some of the crypto implementation is weak and you can abuse the traffic flow over the USB bus there to prevent them negotiating secure keys; in some cases I've seen an attack where it's possible to prevent them negotiating any key other than a null key. So these sorts of attacks are practical and they're used, but again they require physical access inside. The other class of attacks that I haven't spent a lot of time talking on are ones where people have attacked the back end and the ATM is just a way of extracting cash out. I'll talk about this one with successful attacks we've seen now. So most ATM robberies, most ATM extraction of cash, involves a physical penetration of the ATM at some level. Either still the brute-force way of using large hammers, explosives or what have you is the largest successful class of attacks that we see; more sophisticated attacks
these days do target the embedded PC or the ATM hardware that being said the most successful attack in terms of extracting money from an ATM network involved the attackers attacking the backend banking infrastructure removing the daily withdrawal limits from that account and giving the account and unlimited overdraft late so somebody could then go up to an ATM and rather than having the 300 or 400 or whatever number of euros a day limit could keep withdrawing cash out and because they'd updated the banking system to allow them unlimited overdraft they were able to continue to withdraw until they had to leave the ATM I'll talk about there this person got caught by the way all this group got caught and the reason for that is it actually takes quite a lot of time to get money out of an ATM the more sophisticated attacks that we see generally involve access to the top box very rarely do we see people actually targeting the safe itself predominantly because it's simply not the weakest link in the chain there are probably about 20 active malware families for ATMs and many variants of them they call that middleware layer I talked about to instruct the dispenser to kick cash out you can of course write malware that talks the drivers directly by the vendor but why make your life difficult if you're writing a piece of malware for ATMs you might as well write the industry standard stuff that will work everywhere the black box attacks that I mentioned that the black box attacks I mentioned here again simple thing but again if the ATM is configured properly you shouldn't be able to use these sorts of mechanisms but flaws in the implementation and the fact that it's often not properly configured and not being used means that these attacks do work one of the ways I've seen this being used and the reason you see this one with a mobile phone is this particular implant had SMS capability so the your attacker could walk up the ATM with their mobile phone issue a command through an 
SMS message and that would allow that would instruct this piece of hardware to tell the dispenser to kick money out this also meant that it was very quick and they could avoid CCTV so they could send the message whilst watching the ATM when the monies appeared they could walk straight past and avoid CCTV cameras but of course using Sims and phone means that the phone data can be triangulated and of course if you can get them on CCTV at one point the police have something to follow them on but quite a good attack that one so of the successful attacks the the mode the most successful that we currently have are still the physical ones but the more sophisticated attacks are much more portable and they normally involve a lot of components they're not just attacking the ATMs they're also attacking the backend so whilst I've only got a few minutes left I will cover again with another warning here what I'm about to say you probably shouldn't do please don't go pen testing pen testing at ATM without the owner's permission and be aware that if you do getting away with it can be difficult that being said if you wish to go and attack an ATM these are things you probably think about beforehand knowing when the ATM is refilled with cash is kind of important it's all good and dandy when you turn up to do your jackpot again ATM and then figure out it's only got four hundred and twenty euros in it lovely crafted attack that's all been done but when you turn up and it's not been reloaded with cash you're potentially burning quite a valuable quite a valuable attack quite early on banks will notice having just filled an ATM with four hundred thousand euros that ATM is dead and empty of in the next day that will generally be noticed so again not dumping the entire ATM of cash is probably something if you're trying an attack not to do ideally know what it's getting refilled with cash and dump a small fraction of it and multiply that over many different ATMs you will get caught by CCTV a 
lot in almost any Western country you'll be caught by row traffic cameras the cameras inside the ATM the cameras that are positioned around the locations where those ATMs are you will get caught or audio sensors a lot of the ATMs having bill microphones and they'll record when the proximity sensors get triggered be aware of that police services will care they will come after you just turning up on site and starting to play around with an ATM does elicit a response sometimes even if you're fully approved and authorized to do so physically if your ATM is load you with a lot of cash a cash cassette is roughly this big about this long holds 2500 notes so probably about 50,000 euros at most you know in a full cassette that's actually quite bulky so if you're trying 20 an ATM of cash you have a stack of cash about yay big and yay wide that you then have to physically get out of the work out of the place and of course laundering that amount of cash can be a challenge also I hear so the average ATM has four to six cassettes five is quite common you always have one cassette reserved cassette is always kept explicitly aside for notes that are ejected so dispensing that's failed in some cases people who've forgotten to take money when it's been issued and in cases where miss counting has happened or there's been an error in the hardware briefly how much cash is in the ATM depends on where the ATM is located if it's in an affluent area you might find it's mostly 50 euro notes and 20-year notes if it's in a student area you might find it's more twenties and tens in an airport some ATMs will only stock 50s depending on the country or in those denominations will change anyway depending on the loading you may have anywhere from two hundred thousand four hundred fifty thousand euros if you're doing an attack that instructs the dispenser so you're going after the ATM or you're going ATM in Betty computer or you're going after the dispenser directly those dispensers have a limits of 
how much cash they can give out at any one time typically it's 50 notes depending on the manufacturer it also takes that dispensing device somewhere between 17 and 20 seconds for most models to count those 50 notes and then give them to you which means in the best case if you want to empty a cassette of 2500 notes you're going to be standing in front of it whilst it spits cash out every 20 seconds for somewhere around 15 minutes an entire ATM with with five cassettes there is 85 minutes that may be a bit suspicious detection does happen out of service ATMs do get reported and somebody's standing in front of an ATM spitting out money does tensed your attention so just just consider being aware of that okay so if you are responsible for defending ATMs if you are banking institution if you're somebody who's asked to advise about this or you want to get into this field of testing ATMs and devising clients what what sort of things should you be doing well a lot of it comes down to basic IT hygiene and just doing the fundamentals properly making sure you're using encryption properly making sure you are following the best practice guidance from the vendor who makes that machine that fundamentally listen to experts who know what they're doing that might be a bit self-serving but but yeah if you're deploying these pay experts whoever they happen to be and remember that it's not just the ATM you need to protect you need to protect the entire complex system around the banking infrastructure behind it the people who write the image and the people who develop and maintain that operating system image that goes to the ATM is something that needs a lot of scrutiny before you ever deploy it pay attention to the vendors and their guidance so networking gear is universally bad for a lot of ATM deployments there are very few banking clients that I've had the privilege of working with who have spent decent money in securing their transport the ATM people deploy the ATM and then they 
tell networks email we need to speak to this computer out in this location and they then go and spend the grand sum of $15 in buying something like a cheap Chinese LTE router or some terrible Taiwanese DSL router the big four ATM vendors that I mentioned earlier so try an NCR Diebold Nixdorf and Hitachi know about all these attacks a lot of this stuff isn't new and they do have recommendations to mitigate against some of them maybe not all of them but if you don't bother following that best practice then you're you're leaving yourself exposed to those attacks for your ATM installations my personal advice and stuff that often isn't properly covered in make sure the physical installation is really up to snuff most of the sophisticated technical attacks and nearly all the physical attacks require a reason about a physical access to the machine so if the thing is properly concreted into a wall and not plasterboard it on the side if the furniture is nailed into the floor and the cables go directly down from the ATM and not out the back song where you dramatically limit the scope for somebody's pull off an attack make sure it's covered by CCTV make sure that you have a process around how you manage detecting attacks on that ATM so if the sensors are triggered make sure it goes through a security operation center that has a checklist they follows make sure for the love of God use full disk encryption store the keys in TPM module store them on the network but use some kind of full disk encryption that will prevent an awful lot of attacks again registering your machine not only to kick money out but it will also prevent a lot of compromise of your back end so revealing sort of keys IP addresses and other things for the ATM system images if they're being if they're being crafted in-house and most of them are minimized the software follows general good practice guidance about turning off unnecessary services don't install junk there is no reason for PowerPoint to be installed 
on an ATM image I have seen this there is no point for Adobe Reader or Team Viewer to be installed I have seen this I have even seen computer games installed in some images that were pushed out to ATMs it's not a good idea so follow good best practice around minimizing those sorts of things and make sure that that software is regularly patched and updated have a testing function to do that and have a small series of testing ATMs that you test that image on before deploying it across the entire network encryption should be used everywhere for everything all of the backend traffic all our traffic that comes from that atm with the possible exception of it looking for our printing of that nature in which case it should be using a static IP and it should be shutting itself down and not doing anything if it's detecting art poisoning yes some ATMs are vulnerable to art poisoning using the encryption ubiquitously for everything is kind of key and making sure it's mutually verified don't just trust a certificate from a trusted store make sure it's a pin certificate to your back-end and finally although there are flaws of application whitelisting init is not a panacea if you do a good policy if you do a tight a policy for for your ATM and you make sure the only trusted services can run combined with whole disk encryption that prevent that being turned off you incredibly well limit the scope for any kind of external attack based off the network or on any local compromise from being able to escalate okay folks an awful lot about this I'll summarize briefly concerns that are going to apply in the future and then I will Alfre open for questions right now there needs to be some work on the standard that middleware layer that XFS that allow is portable attacks doesn't have enough focus on security there is some work being done to try and extend for example mutual authentication to other components but fundamentally pentesters ethical hackers and people who know about security have 
not focused too much on on this standard in the past the standard does need some work to invent to harden it there is some suggestion that they're going to try and make sure software has to authenticate itself to call this but I don't know how practical that that's actually is going to be default passwords are still endemic for a lot of them admittedly to be able to even use them you often need some kind of physical access but again there is no excuse in any production system for default passwords to be used the maintained opinion for some of them is still set to eight zeros although that may not allow although that may mean that they've already got some kind of physical access if you have used whole drive encryption and and your attacker hasn't got any other way of getting into another application other than the other than the normal use land application if you leave a default password in place something like for example the default maintainer pin they suddenly now have access to an entirely new application that gives an awful lot more capability and then to interact with the system and also it tends to be a trusted applications they can bypass other system protections in place none of the attacks I've talked about here are a new none of them are specific 20 ATM they're all particularly portable with that the banks should look into whether whether that makes sense to be locked down into a more just one or specific vendor there may need to be more heterogeneous deployments if you're looking at wide scale reliability and security final point a lot of people do tend to think we're moving away from cache and it's true in many economies we are moving away from cached based transactions so touch pay credit card transactions is still is gaining more and more traction that being said ATMs are evolved with this ATMs these days top-up mobile phones you can make charity donations to some of them some of them you can be used now to buy gift cards various shops and other 
things so the cash is still very important and ATMs are still very much a target not just in places like in Asia in South America and Latin America but we're also seeing I mean Europe being actively targeted as well the biggest preventer of attacks being done in Europe is that we tend to have reasonably good police forces that aren't corrupt that being said that they're still being targeted so thank you very much I appreciate that was a
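The talk gives a defender a few concrete numbers to build detection on: a dispenser hands out at most about 50 notes per cycle and takes 17 to 20 seconds per cycle, a cassette holds about 2500 notes, a customer has a daily limit of a few hundred euros, and the back-end compromise the speaker describes worked by removing that limit. The following is an added example, not code from the talk, from IBM or from any ATM vendor, that turns those figures into three simple checks over a constructed log: dispenses with no preceding host authorisation (malware or a black box driving the dispenser directly), a drain rate far above customer traffic, and a card authorised for more than its daily limit on the host side. The log line format, the ATM and card identifiers, the 60 second authorisation window and the 300-note drain threshold are assumptions made for the example.

```python
"""Detection sketch for the jackpotting patterns described in the talk.

Signals, each derived from figures the speaker gives:
  1. a DISPENSE with no host-authorised withdrawal shortly before it;
  2. a rapid drain: far more notes in a short window than customers withdraw
     (a dispenser hands out at most ~50 notes per ~20 s cycle);
  3. host side: one card authorised for more than the daily limit
     (the back-end compromise that removed withdrawal limits).
Log format, identifiers, windows and thresholds are constructed for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

MAX_NOTES_PER_CYCLE = 50                        # per dispense cycle (from the talk)
DRAIN_WINDOW = timedelta(minutes=5)             # assumption
DRAIN_NOTE_THRESHOLD = 6 * MAX_NOTES_PER_CYCLE  # assumption: six full cycles in 5 min
AUTH_WINDOW = timedelta(seconds=60)             # assumption: dispense follows its auth within 60 s
DAILY_LIMIT_EUR = 400                           # the "300 or 400 euros a day" limit from the talk

# Constructed sample log (not real ATM telemetry). Line format, also constructed:
#   <ISO timestamp> <atm id> <event> key=value ...
SAMPLE_LOG = """
2019-02-13T10:00:00 ATM-0001 HOST_AUTH card=****1111 amount=200
2019-02-13T10:00:05 ATM-0001 DISPENSE notes=10 amount=200
2019-02-13T11:00:00 ATM-0002 DISPENSE notes=50 amount=1000
2019-02-13T11:00:20 ATM-0002 DISPENSE notes=50 amount=1000
2019-02-13T11:00:40 ATM-0002 DISPENSE notes=50 amount=1000
2019-02-13T11:01:00 ATM-0002 DISPENSE notes=50 amount=1000
2019-02-13T11:01:20 ATM-0002 DISPENSE notes=50 amount=1000
2019-02-13T11:01:40 ATM-0002 DISPENSE notes=50 amount=1000
2019-02-13T11:02:00 ATM-0002 DISPENSE notes=50 amount=1000
2019-02-13T11:02:20 ATM-0002 DISPENSE notes=50 amount=1000
2019-02-13T12:00:00 ATM-0003 HOST_AUTH card=****2222 amount=200
2019-02-13T12:00:05 ATM-0003 DISPENSE notes=10 amount=200
2019-02-13T12:05:00 ATM-0003 HOST_AUTH card=****2222 amount=200
2019-02-13T12:05:05 ATM-0003 DISPENSE notes=10 amount=200
2019-02-13T12:10:00 ATM-0003 HOST_AUTH card=****2222 amount=200
2019-02-13T12:10:05 ATM-0003 DISPENSE notes=10 amount=200
2019-02-13T12:15:00 ATM-0003 HOST_AUTH card=****2222 amount=200
2019-02-13T12:15:05 ATM-0003 DISPENSE notes=10 amount=200
"""


def parse_line(line):
    """Split one constructed log line into a dict of fields."""
    ts, atm, event, *kv = line.split()
    fields = dict(pair.split("=", 1) for pair in kv)
    return {"ts": datetime.fromisoformat(ts), "atm": atm, "event": event, **fields}


def parse_log(text):
    """Parse all non-empty lines and order them by timestamp."""
    events = [parse_line(l) for l in text.strip().splitlines() if l.strip()]
    return sorted(events, key=lambda e: e["ts"])


def find_unauthorised_dispenses(events, auth_window=AUTH_WINDOW):
    """DISPENSE events on an ATM with no unconsumed HOST_AUTH inside the window.

    One HOST_AUTH authorises exactly one dispense, so a dispenser being driven
    directly by malware or a black box shows up as dispenses without auths.
    """
    alerts, pending_auth = [], {}
    for e in events:
        if e["event"] == "HOST_AUTH":
            pending_auth[e["atm"]] = e["ts"]
        elif e["event"] == "DISPENSE":
            t = pending_auth.pop(e["atm"], None)
            if t is None or e["ts"] - t > auth_window:
                alerts.append((e["atm"], e["ts"]))
    return alerts


def find_rapid_drain(events, window=DRAIN_WINDOW, threshold=DRAIN_NOTE_THRESHOLD):
    """Sliding-window note count per ATM; one alert per dispense over threshold."""
    alerts, recent = [], defaultdict(list)   # atm -> [(ts, notes)]
    for e in events:
        if e["event"] != "DISPENSE":
            continue
        q = recent[e["atm"]]
        q.append((e["ts"], int(e["notes"])))
        while q and e["ts"] - q[0][0] > window:
            q.pop(0)                          # drop dispenses older than the window
        total = sum(n for _, n in q)
        if total > threshold:
            alerts.append((e["atm"], e["ts"], total))
    return alerts


def find_daily_limit_breaches(events, limit=DAILY_LIMIT_EUR):
    """Host side: per card and day, authorised total above the configured limit."""
    totals = defaultdict(int)
    for e in events:
        if e["event"] == "HOST_AUTH":
            totals[(e["card"], e["ts"].date())] += int(e["amount"])
    return {k: v for k, v in totals.items() if v > limit}


def run_detections(log_text):
    """Run all three checks and return their hits keyed by check name."""
    events = parse_log(log_text)
    return {
        "unauthorised": find_unauthorised_dispenses(events),
        "rapid_drain": find_rapid_drain(events),
        "limit_breaches": find_daily_limit_breaches(events),
    }


if __name__ == "__main__":
    for name, hits in run_detections(SAMPLE_LOG).items():
        print(name, hits)
```

On the constructed log, ATM-0002 trips both ATM-side checks (eight dispenses with no host authorisation, and 350 then 400 notes inside five minutes), while ATM-0003 never trips them because every dispense is host-authorised; it is only the host-side check that notices card ****2222 being authorised for 800 euros against a 400 euro daily limit, which is the signature of the back-end limit removal the speaker describes. The point of keeping the host-side check separate is that a back-end compromise produces perfectly well-formed ATM traffic, so ATM telemetry alone will not reveal it.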
Info
Channel: Disobey
Views: 63,128
Rating: 4.8333335 out of 5
Id: ThPJrPf7O2s
Length: 49min 59sec (2999 seconds)
Published: Wed Feb 13 2019