ATM Compromise with and without Whitelisting
- 2. Agenda
1. whoami
2. Application Whitelisting
3. Threat - ATM Jackpotting malware
4. Software mitigations have improved but we still see weaknesses
5. Recommendations
23/06/15 2 © FortConsult
- 3. whoami
Alexandru Gherman
Head of Research | Principal Security Consultant
FortConsult Denmark | NCC Group
Reverse engineering
* Firmware
* UEFI
* Finding Bugs
* Malware analysis
@alexgherman
23/06/15 © NCC Group 3
- 4. What we do @FortConsult
Ø Reverse engineering
Ø Penetration Testing
Ø ATM security testing (Physical and Software attacks)
Ø Security assessments
Ø Audits
* Source Code Review
* Static and dynamic analysis
Ø Hardware security testing - ATM controllers, CCTV, Bluetooth, Smart TV, Physical Security and other smart devices
Ø Malware analysis
Ø Threat analysis and research
* Incident Response
* Forensics
- 5. Application Whitelisting
♦ Appropriate for ATM devices
♦ It blocks each load/execute attempt (hooks into Windows APIs such as LoadLibrary, WinExec, CreateProcess)
♦ Unique way to secure against unauthorized software
♦ Reduces the risk, but does not make the solution infallible against buffer-overflow-type attacks
- 6. However there is still a risk
Only one of these has to be vulnerable … so that a system could be compromised!
Why? Still buffer overflows and other development errors…
- 9. Tyupkin Malware – Backdoor.MSIL.Tyupkin
♦ What is Tyupkin?
♦ Stage 1
§ Physical access to the ATM
§ Insert bootable CD
§ Once the ATM is rebooted, the infected ATM is under control
♦ Stage 2
§ Infinite loop waiting for a command
§ Only accepts commands at specific times
- 13. Bypassing Whitelisting can lead to jackpotting
Ø FortConsult performed a lot of research and developed its own XFS-compliant code
Ø Although we worked with emulated ATM environments, what we developed seems to work on any XFS-compliant ATM!
Ø Administrative privilege is not necessarily required to jackpot
Ø Let us try it with your setup? :)
- 15.
All this can happen while offline and without network connectivity! Without being monitored…
On a priority scale, you don't need 0-day detection, you need compromise detection first.
Knowing how you were compromised is less important than knowing that you were.
- 16. The path to the risk
♦ In every application there are design/development errors
♦ It takes only “whitelisted” vulnerable applications and other underlying components to compromise a system
♦ “Buffer overflow detections” don’t always work as advertised
♦ Exploitation
§ Develop exploit
§ Control EIP
§ Gain arbitrary code execution
- 17.
Unlike Tyupkin’s physical access, we used a buffer overflow in a whitelisted application!
An attacker would always look for a door that allows a bypass!
- 18. Software Development
♦ Software mitigations introduced in Windows Vista/7/8 are good, but they are not invincible
ASLR in Windows!
- 20. Recommendations
Uninstall/Disable? Probably not. It’s still one of the only! If not, probably the best right now!
Ø Thorough application inventory review of all the applications installed on the ATM
  Ø Internet Explorer
  Ø Java/Flash Runtime engines
  Ø Image renderers, Virtual Browsers
  Ø Communications and message parsers
Ø ATM security test (Blackbox/Greybox)
  Ø Physical attacks
  Ø Network attacks
  Ø Application attacks
Ø Source Code review of the custom applications installed
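As an added example (not from the slides, and not FortConsult's or any vendor's code), a small Python model of three defensive points in this deck: the allow/deny decision a whitelisting hook makes at each load/execute attempt (slide 5), the inventory review of approved-but-risky application classes recommended above, and the baseline drift check behind "compromise detection first" (slide 15). All paths, file contents and categories are constructed for illustration.

```python
import hashlib

# Constructed sample data: every path, file body and category here is made up
# for illustration; the slides only name the risky application classes.
RISKY_CATEGORIES = {"browser", "java_flash_runtime", "image_renderer", "message_parser"}

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# File contents at the time the approved baseline was taken (path -> bytes).
GOLDEN_FILES = {
    r"C:\ATM\xfs_host.exe": b"xfs host application build 1",
    r"C:\ATM\msgparser.dll": b"host message parser build 1",
    r"C:\Program Files\Internet Explorer\iexplore.exe": b"browser build 1",
}
CATEGORIES = {
    r"C:\ATM\xfs_host.exe": "atm_application",
    r"C:\ATM\msgparser.dll": "message_parser",
    r"C:\Program Files\Internet Explorer\iexplore.exe": "browser",
}
# What the whitelisting agent enforces: approved path -> expected SHA-256.
BASELINE = {path: sha256_hex(data) for path, data in GOLDEN_FILES.items()}

def load_allowed(path: str, data: bytes, baseline=BASELINE) -> bool:
    """Model of the hook on LoadLibrary/WinExec/CreateProcess: a load or execute
    is allowed only for an approved path whose current hash still matches."""
    return baseline.get(path) == sha256_hex(data)

def inventory_review(categories=CATEGORIES, baseline=BASELINE) -> list:
    """Approved applications in the classes the deck says to review first:
    approval does not make them safe, it makes them the reachable attack surface."""
    return sorted(p for p in baseline if categories.get(p) in RISKY_CATEGORIES)

def detect_drift(current_files: dict, baseline=BASELINE) -> dict:
    """Compromise detection before 0-day detection: report approved files whose
    hash changed, files the baseline never approved, and approved files gone."""
    modified = sorted(p for p, d in current_files.items()
                      if p in baseline and baseline[p] != sha256_hex(d))
    unknown = sorted(p for p in current_files if p not in baseline)
    missing = sorted(p for p in baseline if p not in current_files)
    return {"modified": modified, "unknown": unknown, "missing": missing}

if __name__ == "__main__":
    # Constructed post-incident state: an approved DLL was replaced on disk and
    # an unapproved binary was copied onto the ATM.
    now = dict(GOLDEN_FILES)
    now[r"C:\ATM\msgparser.dll"] = b"host message parser build 1 + replaced"
    now[r"D:\dropper.exe"] = b"binary copied from removable media"
    print(load_allowed(r"D:\dropper.exe", now[r"D:\dropper.exe"]))  # False: blocked
    print(inventory_review())
    print(detect_drift(now))
```

The drift check only sees changes on disk; a whitelisted binary exploited in memory never triggers a new load/execute event, which is exactly the gap the deck describes.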
- 21. Recommendations
Uninstall/Disable? Probably not. It’s still one of the only! If not, probably the best right now!
Ø Build a Lockdown Suite of Security Controls formed out of a corroboration of
  Ø Windows Security Features (through use of ASLR, DEP, Stack Canaries)
  Ø Disk Encryption
  Ø Whitelisting
  Ø And other security controls which we usually see unleveraged!
Ø We can help you here!
- 22. Offices
Europe: Manchester - Head Office, Amsterdam, Cheltenham, Copenhagen, Edinburgh, Leatherhead, London, Luxembourg, Milton Keynes, Munich, Zurich, Sweden, Vilnius, Portugal
North America: Atlanta, Austin, Chicago, New York, San Francisco, Seattle, Sunnyvale
Australia: Sydney
Russia: Moscow
- 23.
A very special thank you to the expert team at KAL ATM Software; they are one of the only companies worldwide who support advanced testing and research.