Leave ATM Forever Alone
- 2. Experts@PHD:~# WhoAmI
• Positive Hack Days Team
• Speakers at many IT events
• Pentesters of various systems
• Authors of multiple articles, research papers, advisories
• CLUB-MATE addicts
- 8. ATM Fraud Attacks Effects
'Unlimited' withdrawals and sensitive data theft with:
• Black box and malware attacks (PIN-pad malware, malware to jackpot the dispenser, malware through USB ports; criminals also gain physical access to ATMs to load malware through USB devices)
• Diagnostics tests
• Safe lock code compromise
• Database theft
• Skimming
• Internal attack (employees)
- 9. Malware
• Skimer.A – 2008
• …
• Backdoor.Ploutus – 2013–2014
• Backdoor.Padpin – 2014
• Macau Malware – 2014
• Backdoor.Tyupkin – 2014
• Trojan.Skimmer (new) – 2015
Subtotal: more than 16 variants of malware
- 12. “Average Bill”
A typical ATM contains 4 cassettes with ~2500 notes in each one, so per incident:
2500 × (5 + 10 + 20 + 50) = US$ or € 212 500
2500 × (100 + 500 + 1000 + 5000) = ₽16 500 000
could be stolen from an ATM during a single incident.
- 14. How It Works: Tyupkin & So On
• Access
• Infection
• Control
• Theft
- 15. How It Works: XFS
[Diagram: XFS architecture. A Windows-based application, with its network communication and configuration information, calls the XFS API; the XFS manager forwards the calls over the XFS SPI to service providers #1–#6, each of which drives its unit (device) #1–#6 over COM/USB. The diagram also marks Customer/Service mode.]
- 16. How It Really Works: XFS Insecurity
[Diagram: the same XFS architecture as slide 15 (Windows-based application → XFS API → XFS manager → XFS SPI → service providers #1–#6 → units #1–#6 over COM/USB; Customer/Service mode).]
- 17. XFS, Cash Dispenser Device
• Cash withdrawal without authorization
• Cassette and cash control
• Software safe opening
- 18. XFS, Identification Card Device
• Read/write data
• Insert/eject/retain cards
• EMV reader (one can access the payment history stored in the chip)
- 19. XFS, PIN Keypad Device
• Export of the key is not available
• Open mode and secure mode read data (for stealing the PIN: the ATM software sets “secure mode” for PIN entry, and an intruder changes it to “open mode” to capture the PIN)
- 23. Windows XP Still Alive
• Early 2014 – 95% of ATMs run on Windows XP
• Support killed off in April
• >9000 vulnerabilities
- 24. Demo: MS07-068 Strikes Again
http://www.youtube.com/watch?v=Uxd0TRdE6sw
- 25. How It Works: Black Box Attacks
• Dispenser
• Card reader
• Encrypted PIN-pad
• Sensors
- 26. How It Works: Physical Interfaces COM/USB
[Diagram: the XFS architecture from slide 15 (Windows-based application → XFS API → XFS manager → XFS SPI → service providers #1–#6 → units #1–#6 over COM/USB; Customer/Service mode), here with the COM/USB links between service providers and units as the subject.]
- 27. How It Really Works: COM/USB Insecurity
[Diagram: the same XFS architecture as slide 26 (Windows-based application → XFS API → XFS manager → XFS SPI → service providers #1–#6 → units #1–#6 over COM/USB; Customer/Service mode).]
- 30. Typical serial protocol
• No good tools for analysis
• No flow control
• No host loss detection
• Packets:
  • Fixed size
  • Start/stop bytes
  • Length prefix + data
- 35. Card Reader/ Writer/ Skimmer
Sensitive data disclosure, e.g. track data in plaintext, is possible by sending a read command directly to the COM/USB port. This attack is possible from the ATM's computer or from any external device connected to the card reader's COM/USB port.
- 36. What Big Vendors Think
“The vulnerabilities are essentially normal specifications of the card readers and not unexpected. As long as the ATM is running within normal parameters, these problems cannot possibly occur.” (c)
“However, this vulnerability is inherent in the USB technology and is expected to be mitigated by the use of appropriate physical controls on access to the ATM top box.” (c)
- 44. Advantages Of COM/USB
•Direct device control
• Command execution bypassing all host-based checks, e.g. cash withdrawal without notes-counter checks
Packet layout (sentinel-framed):
  02 30                               – start sentinel
  XX XX                               – op-code
  XX                                  – unknown
  01 01 02 00 03 00 04 00 05 00 06 00 – data
  10 03                               – stop sentinel
  42                                  – CRC8
Full packet: 02 30 XX XX XX 01 01 02 00 03 00 04 00 05 00 06 00 10 03 42
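As an added example (not code from the deck or its authors), the following Python frame delimiter and validator covers the packet layout above together with the serial-protocol properties from slide 30: it scans a byte stream for the 02 30 / 10 03 sentinels, splits the body into op-code, unknown byte and data, checks the trailing CRC8, and copes with frames split across reads (no flow control), garbage between frames and a start sentinel that is never closed. The CRC-8 parameters (polynomial 0x07, init 0x00, computed over the bytes between the sentinels), the absence of byte stuffing, the resynchronisation limit and the sample frames are this example's assumptions; the slides do not state them, and the sample op-codes are constructed, not real device commands.

```python
"""Sentinel-framed serial packet parser (added example, not the deck's own code).

Framing, from the slide: 02 30 | op-code (2 bytes) | unknown (1 byte) | data ... | 10 03 | CRC8
Assumptions not stated on the slides: CRC-8 with polynomial 0x07 and init 0x00 over
the bytes between the sentinels; no byte stuffing, so data must not contain 10 03.
"""
from dataclasses import dataclass
from typing import List

START = b"\x02\x30"   # start sentinel (from the slide)
STOP = b"\x10\x03"    # stop sentinel (from the slide)
MAX_FRAME = 512       # assumption: resync if a start sentinel is never closed


def crc8(data: bytes, poly: int = 0x07, init: int = 0x00) -> int:
    """Bitwise CRC-8. The polynomial is an assumption; the real one is device-specific."""
    crc = init
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = ((crc << 1) ^ poly) & 0xFF if crc & 0x80 else (crc << 1) & 0xFF
    return crc


@dataclass
class Frame:
    opcode: int
    unknown: int
    data: bytes
    crc_ok: bool


def encode_frame(opcode: int, unknown: int, data: bytes) -> bytes:
    """Build a frame in the slide's layout; used here only to construct sample input."""
    body = opcode.to_bytes(2, "big") + bytes([unknown]) + data
    return START + body + STOP + bytes([crc8(body)])


class FrameParser:
    """Incremental parser. The link has no flow control, so a frame may arrive split
    across several reads; feed() buffers partial input and returns only complete frames."""

    def __init__(self) -> None:
        self.buf = bytearray()

    def feed(self, chunk: bytes) -> List[Frame]:
        self.buf.extend(chunk)
        frames: List[Frame] = []
        while True:
            start = self.buf.find(START)
            if start < 0:
                # No start sentinel: keep only the last byte, which may be the 0x02 of a split sentinel.
                del self.buf[:-1]
                return frames
            if start > 0:
                del self.buf[:start]          # garbage between frames is discarded
            stop = self.buf.find(STOP, len(START))
            if stop < 0 or len(self.buf) < stop + len(STOP) + 1:
                if len(self.buf) > MAX_FRAME:   # never-closed frame: resync past this start
                    del self.buf[:len(START)]
                    continue
                return frames                  # wait for the rest of the frame
            body = bytes(self.buf[len(START):stop])
            crc = self.buf[stop + len(STOP)]
            del self.buf[:stop + len(STOP) + 1]
            if len(body) < 3:                 # too short to hold op-code + unknown byte
                continue
            frames.append(Frame(
                opcode=int.from_bytes(body[:2], "big"),
                unknown=body[2],
                data=body[3:],
                crc_ok=crc8(body) == crc,
            ))


if __name__ == "__main__":
    # Constructed sample: two frames, the first split across reads, garbage in front.
    sample = encode_frame(0x1234, 0x00, b"\x01\x01\x02\x00") + encode_frame(0x0001, 0x05, b"")
    parser = FrameParser()
    for chunk in (b"\xff\xaa" + sample[:5], sample[5:]):
        for frame in parser.feed(chunk):
            print(f"op={frame.opcode:04x} unknown={frame.unknown:02x} "
                  f"data={frame.data.hex()} crc_ok={frame.crc_ok}")
```

From the defender's side, this is the piece that sits behind a passive tap on a peripheral's serial line: every frame is logged with its direction, and a frame with a failing CRC or an op-code the host application never issues is the first visible sign of a device being driven by something other than the XFS service provider.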
- 45. Quick Cash And Full Control
Control of the cash dispenser module by an unauthorized application or user. An attacker can control the cash dispenser by sending commands directly to the COM/USB port, including dispense and present commands. This attack is possible from the ATM's computer or from any external device connected to the dispenser's COM/USB port.
- 47. What Big Vendors Think
“We regret informing you that we had decided to stop producing this model more than 3 years ago and warranties for our distributors have expired.”
- 49. Achievement Unlocked
Dispenser High Security Level: “Dispenser Upgrade Pack is released and available from the vendor_name download center, and it will be included as standard in the next release of XFS.” (c)
- 50. We Had Two Libs Of Python, 35 USD, Power Bank And Wi-Fi Dongle
- 54. Conclusions
• Service zone is important
• Current methods of protection are not enough
• Using execution prevention software without OS patches is wrong
- 55. Proposals
• Implement mutual authentication for both the ATM computer and its devices
• Make peer review of XFS standard/communication protocols
• Service zone is as important as the safe
• Trust environment is not about ATMs
• Implement regular security assessments and pentests of ATMs
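As an added illustration of the first proposal (mutual authentication between the ATM computer and its devices), the following Python sketch is not code from the deck or from any vendor. It assumes a per-device symmetric key K provisioned out of band, a three-message nonce exchange in which each side proves possession of K, and a session key plus counter that binds every later command. It shows why a command injected directly on the COM/USB line (slides 35 and 45) is rejected without K, why replaying a captured command fails, and why a substituted device fails the host's check. The message layout, the names and the choice of HMAC-SHA256 are this example's own.

```python
"""Mutual challenge-response authentication between an ATM host and a peripheral.
Added example; names, message layout and the HMAC-SHA256 choice are assumptions."""
import hashlib
import hmac
import secrets


def mac(key: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA256 over length-prefixed parts (prefixing avoids ambiguous concatenation)."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for p in parts:
        h.update(len(p).to_bytes(2, "big") + p)
    return h.digest()


class Peripheral:
    """Device side (e.g. a dispenser controller). Holds the per-device key K."""

    def __init__(self, key: bytes) -> None:
        self.key, self.nonce_d, self.session, self.counter = key, None, None, 0

    def challenge(self) -> bytes:
        """Message 1: device -> host, fresh nonce."""
        self.nonce_d = secrets.token_bytes(16)
        return self.nonce_d

    def verify_host(self, nonce_h: bytes, host_proof: bytes):
        """Message 2 check: host must prove K; device answers with its own proof (message 3)."""
        if not hmac.compare_digest(mac(self.key, b"host", nonce_h, self.nonce_d), host_proof):
            return None                       # host does not know K: no session
        self.session = mac(self.key, b"session", nonce_h, self.nonce_d)
        self.counter = 0
        return mac(self.key, b"device", self.nonce_d, nonce_h)

    def execute(self, counter: int, cmd: bytes, tag: bytes) -> str:
        """Every command carries a counter and a MAC under the session key."""
        if self.session is None:
            return "rejected: no authenticated session"
        if counter != self.counter + 1:
            return "rejected: bad counter (replay or out of order)"
        if not hmac.compare_digest(mac(self.session, counter.to_bytes(4, "big"), cmd), tag):
            return "rejected: bad MAC"
        self.counter = counter
        return "executed " + cmd.decode()


class Host:
    """ATM computer side. Holds the same K for this device."""

    def __init__(self, key: bytes) -> None:
        self.key, self.nonce_h, self.nonce_d, self.session, self.counter = key, None, None, None, 0

    def respond(self, nonce_d: bytes):
        """Message 2: host -> device, own nonce plus proof of K over both nonces."""
        self.nonce_d, self.nonce_h = nonce_d, secrets.token_bytes(16)
        return self.nonce_h, mac(self.key, b"host", self.nonce_h, nonce_d)

    def verify_device(self, device_proof) -> bool:
        """Message 3 check: a swapped or black-box device without K fails here."""
        expected = mac(self.key, b"device", self.nonce_d, self.nonce_h)
        if device_proof is None or not hmac.compare_digest(expected, device_proof):
            return False
        self.session = mac(self.key, b"session", self.nonce_h, self.nonce_d)
        self.counter = 0
        return True

    def command(self, cmd: bytes):
        self.counter += 1
        return self.counter, cmd, mac(self.session, self.counter.to_bytes(4, "big"), cmd)


def pair(host: Host, dev: Peripheral) -> bool:
    """Run the three-message handshake; True only if both sides accepted each other."""
    nonce_d = dev.challenge()
    nonce_h, host_proof = host.respond(nonce_d)
    return host.verify_device(dev.verify_host(nonce_h, host_proof))


def run_scenario() -> dict:
    """Constructed scenario: legitimate host, a replayed command, a sender without K."""
    key = secrets.token_bytes(32)             # per-device key, assumed provisioned out of band
    host, dev = Host(key), Peripheral(key)
    results = {"pairing": pair(host, dev)}
    msg = host.command(b"STATUS")
    results["legit"] = dev.execute(*msg)
    results["replay"] = dev.execute(*msg)     # captured command sent again: counter reused
    # a sender on the same COM/USB line with no K cannot produce a valid tag
    results["forged"] = dev.execute(dev.counter + 1, b"DISPENSE", bytes(32))
    # a substituted peripheral with a different key never passes the host's check
    results["wrong_device"] = pair(Host(key), Peripheral(secrets.token_bytes(32)))
    return results


if __name__ == "__main__":
    for name, outcome in run_scenario().items():
        print(f"{name}: {outcome}")
```

In a real deployment K would live in the peripheral's secure element and on the host side in an HSM or protected key store, with session keys rotated per power cycle; the structure is the point, and it gives the host a precise event to log and alert on each time a peripheral rejects a command.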