Leave ATM Forever Alone
Experts@PHD:~# WhoAmI
• Positive Hack Days Team
• Speakers at many IT events
• Pentesters of various systems
• Authors of multiple articles, research papers and advisories
• CLUB-MATE addicts
Leave ATM Forever Alone
Rob The Bank
BOOOoooring
Based On True Stories
Volume Of European ATM Crime
ATM Fraud Attacks Effects
'Unlimited' withdrawals and sensitive data theft via:
• Black Box and malware attacks (PIN pad malware, malware that jackpots the dispenser, malware loaded through USB ports; criminals also gain physical access to ATMs to load malware from USB devices)
• Diagnostics tests
• Safe lock code compromise
• Database theft
• Skimming
• Internal attack (employees)
Malware
• Skimer.A – 2008
• ……………………………………
• Backdoor.Ploutus – 2013-2014
• Backdoor.Padpin – 2014
• Macau Malware – 2014
• Backdoor.Tyupkin – 2014
• Trojan.Skimmer (new) – 2015
Subtotal: more than 16 malware variants
Black Box Attacks
• Direct control of the ATM
Hijacking ATM Control/Processing Host
• Carbanak – 2015
• MitM – 2015
“Average Bill”
A typical ATM contains 4 cassettes with ~2500 notes in each.
(5+10+20+50) × 2500 = US$ or € 212 500
(100+500+1000+5000) × 2500 = ₽16 500 000
could be stolen from an ATM during a single incident.
Tyupkin: Around The World In 412 Days
How It Works: Tyupkin & So On
• Access
• Infection
• Control
• Theft
How It Works: XFS
[Diagram: the XFS stack. A Windows-based application (with network communication) calls the XFS API; the XFS manager, driven by its configuration information, routes each call over the XFS SPI to the matching service provider (#1 to #6), and every service provider talks to its hardware unit (#1 to #6) over COM or USB. The ATM runs in either customer or service mode.]
How It Really Works: XFS Insecurity
[The same XFS stack diagram as on the previous slide (Windows-based application, network communication, XFS API, XFS manager with configuration information, XFS SPI, service providers #1 to #6, units #1 to #6 over COM/USB, customer/service mode), shown again for the insecurity discussion.]
XFS, Cash Dispenser Device
• Cash withdrawal without authorization
• Cassette and cash control
• Software safe opening
XFS, Identification Card Device
• Read/write data
• Insert/eject/retain cards
• EMV reader (one can access the payment history stored in the chip)
XFS, PIN Keypad Device
• Export of the key is not available
• Open mode and secure mode for reading data (to steal a PIN: the ATM software sets “secure mode” for PIN entry, and the intruder switches it to “open mode” to capture the PIN)
XFS Authentication
• Authentication? What authentication?
• Exclusive access to the XFS manager/service provider? It exists, but it is not intended to be used for security
Hacker, Porter And The Chamber Of Secrets
Windows XP Still Alive
• Early 2014 – 95% of ATMs run on Windows XP
• Support killed off in April
• >9000 vulnerabilities
Demo: MS07-068 Strikes Again
http://www.youtube.com/watch?v=Uxd0TRdE6sw
How It Works: Black Box Attacks
• Dispenser
• Card reader
• Encrypted PIN pad
• Sensors
How It Works: Physical Interfaces COM/USB
[The XFS stack diagram again, with the COM/USB physical interfaces between the service providers and the hardware units as the subject of this slide: Windows-based application, network communication, XFS API, XFS manager with configuration information, XFS SPI, service providers #1 to #6, units #1 to #6, customer/service mode.]
How It Really Works: COM/USB Insecurity
[The same XFS stack diagram (Windows-based application, network communication, XFS API, XFS manager with configuration information, XFS SPI, service providers #1 to #6, units #1 to #6 over COM/USB, customer/service mode), shown again for the discussion of COM/USB insecurity.]
DinosauRS232
• Standard interface
• No specific drivers
• No authorization
• Insecure proprietary protocols (just sniff and replay)
Difficulties
• Protocol bloat
• Specific method of integrity control
• Short timeouts
• Endless polling
• New firmware version = new protocol
Typical Serial Protocol
• No good tools for analysis
• No flow control
• No host loss detection
• Packets:
  • Fixed size
  • Start/stop bytes
  • Length prefix + data
Advantages Of COM/USB
• Direct device control
• Execution of undocumented functions
• Interception of unmasked sensitive data
Really Big Sale
Really Big Fail
Advantages Of COM/USB
• Possibility of producing a hardware sniffer that can’t be detected by visual examination
Card Reader/Writer/Skimmer
Sensitive data disclosure, e.g. track data in plaintext, is possible by sending a read command directly to the COM/USB port. This attack is possible from the ATM's computer or from any external device connected to the card reader's COM/USB port.
What Big Vendors Think
“The vulnerabilities are essentially normal specifications of the card readers and not unexpected. As long as the ATM is running within normal parameters, these problems cannot possibly occur.” (c)
“However, this vulnerability is inherent in the USB technology and is expected to be mitigated by the use of appropriate physical controls on access to the ATM top box.” (c)
Top Lock For The Top Box
Unlockpickable
Locks are not about security
How It Really Works: ATM Cabinet Locks
ATM is locked
Demo: Unlockpickable?
http://www.youtube.com/watch?v=KijIzHUtLjU
Secure Your ATMs
Advantages Of COM/USB
• Direct device control
• Command execution that bypasses all host-based checks, e.g. cash withdrawal without note counter checks
Packet layout:
  02 30 XX XX XX 01 01 02 00 03 00 04 00 05 00 06 00 10 03 42
  • 02 30 / 10 03 – start/stop sentinels
  • XX XX – op-code
  • XX – unknown
  • 01 01 … – data
  • 42 – CRC8
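The packet layout on this slide, decoded and integrity-checked the way a host-side monitor would do it. This is an added example in Python, not a tool from the talk. The slides leave the op-code bytes and the CRC variant unspecified, so the CRC-8 parameters (polynomial 0x07, init 0x00, covering every byte before the CRC byte), the placeholder op-code aa bb and the assumption that sentinel byte pairs never occur inside the data are all assumptions made here.

```python
"""Decoder and integrity checker for the framed serial packet layout shown on
the slide: start sentinel 02 30, two op-code bytes, one undocumented byte,
data, stop sentinel 10 03, one CRC8 byte.  Added example for a host-side
monitor; not the talk's own tool.  Assumptions (the slides do not say): CRC-8
with polynomial 0x07 and init 0x00 over every byte before the CRC byte, and
no escaping of sentinel byte pairs inside the data."""
from dataclasses import dataclass

START = b"\x02\x30"
STOP = b"\x10\x03"
MIN_LEN = len(START) + 3 + len(STOP) + 1   # op-code (2) + unknown (1) + CRC (1)


def crc8(data: bytes, poly: int = 0x07, init: int = 0x00) -> int:
    """Bit-wise CRC-8 (assumed parameters, see module docstring)."""
    crc = init
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = ((crc << 1) ^ poly) & 0xFF if crc & 0x80 else (crc << 1) & 0xFF
    return crc


class FrameError(ValueError):
    """Raised for a frame that fails the sentinel or CRC checks."""


@dataclass
class Frame:
    opcode: bytes   # the two XX XX bytes from the slide
    unknown: int    # the single XX byte the slide leaves undocumented
    data: bytes     # the 01 01 ... payload


def parse_frame(raw: bytes) -> Frame:
    """Validate sentinels and CRC, then split the frame into its fields."""
    if len(raw) < MIN_LEN:
        raise FrameError("frame too short")
    if raw[:2] != START:
        raise FrameError("bad start sentinel")
    if raw[-3:-1] != STOP:
        raise FrameError("bad stop sentinel")
    expected = crc8(raw[:-1])
    if raw[-1] != expected:
        raise FrameError(f"CRC mismatch: got {raw[-1]:02x}, expected {expected:02x}")
    body = raw[2:-3]
    return Frame(opcode=body[:2], unknown=body[2], data=body[3:])


def build_frame(opcode: bytes, unknown: int, data: bytes) -> bytes:
    """Inverse of parse_frame; used here only to construct sample captures."""
    body = START + opcode + bytes([unknown]) + data + STOP
    return body + bytes([crc8(body)])


def split_stream(stream: bytes) -> list:
    """Recover every valid frame from a raw capture, skipping junk and
    corrupted frames instead of desynchronising on them."""
    frames, pos = [], 0
    while True:
        start = stream.find(START, pos)
        if start < 0:
            break
        stop = stream.find(STOP, start + len(START))
        if stop < 0 or stop + len(STOP) + 1 > len(stream):
            break
        candidate = stream[start:stop + len(STOP) + 1]
        try:
            frames.append(parse_frame(candidate))
            pos = stop + len(STOP) + 1
        except FrameError:
            pos = start + 1          # resynchronise on the next start sentinel
    return frames


if __name__ == "__main__":
    # Constructed sample: op-code bytes are placeholders, data copied from the slide.
    sample = build_frame(b"\xaa\xbb", 0x00,
                         bytes.fromhex("01 01 02 00 03 00 04 00 05 00 06 00"))
    print(sample.hex(" "))
    print(parse_frame(sample))
```

A CRC of this kind only detects line noise and truncation; anyone who can reach the port can compute it, so a frame that passes the check says nothing about who sent it. That is the gap the talk's closing proposal of mutual authentication between the ATM computer and its devices addresses.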
Quick Cash And Full Control
Control of the cash dispenser module by an unauthorized application or user. An attacker can control the cash dispenser by sending commands directly to the COM/USB port, including dispense and present commands. This attack is possible from the ATM's computer or from any external device connected to the dispenser's COM/USB port.
Demo: iCash
http://www.youtube.com/watch?v=ksEmXuV324I
What Big Vendors Think
“We regret to inform you that we decided to stop producing this model more than 3 years ago and the warranties for our distributors have expired.”
What About Cryptography
Dispenser “Half” Security Level: any use of cryptography is NOT equal to good use of cryptography
Achievement Unlocked
Dispenser High Security Level: “Dispenser Upgrade Pack is released and available from the vendor_name download center, and it will be included as standard in the next release of XFS.” (c)
We Had Two Libs Of Python, 35 USD, A Power Bank And A Wi-Fi Dongle
Cheap-and-Pi
• Minimal price
• Small
• Capable of using multiple interfaces
ATMs On The Internet
No More SSL
• OpenSSL in ATM/POS software
• Misconfiguration
• PCI DSS / PA-DSS v3.1: SSL >> TLS
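What "SSL >> TLS" means in a concrete configuration check: PCI DSS 3.1 stopped accepting SSL and early TLS, so software on the ATM/POS side should refuse anything below TLS 1.2 and keep certificate validation on. The block below is an added example using only the Python standard library, not code from the talk; weak_context() is a constructed misconfiguration of the kind the slide calls out, and hardened_context() is the corrected form.

```python
"""Audit an ssl.SSLContext for the 'no more SSL' slide: minimum protocol must
be TLS 1.2 and peer certificate checks must be on.  Added example, not from
the talk; standard library only."""
import ssl


def audit_context(ctx: ssl.SSLContext) -> list:
    """Return a list of findings; an empty list means the context passes."""
    findings = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum protocol version below TLS 1.2 (SSL/early TLS allowed)")
    if not ctx.check_hostname:
        findings.append("hostname verification disabled")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("peer certificate not required (CERT_NONE/CERT_OPTIONAL)")
    return findings


def weak_context() -> ssl.SSLContext:
    """Constructed misconfiguration: no peer validation, early TLS allowed."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False           # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.minimum_version = ssl.TLSVersion.TLSv1   # allow early TLS
    except ValueError:
        pass                             # OpenSSL build refuses TLS 1.0; keep the default
    return ctx


def hardened_context() -> ssl.SSLContext:
    """Corrected form: system CA store, CERT_REQUIRED, hostname check, TLS 1.2+."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


if __name__ == "__main__":
    for name, ctx in (("weak", weak_context()), ("hardened", hardened_context())):
        print(name, audit_context(ctx) or "OK")
```

The audit reads the context's own attributes, so it can be dropped into a test suite for the ATM/POS software rather than waiting for a scanner to find the weak endpoint in production.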
Conclusions
• The service zone is important
• Current methods of protection are not enough
• Using execution-prevention software without OS patches is wrong
Proposals
• Implement mutual authentication between the ATM computer and its devices
• Peer-review the XFS standard and communication protocols
• The service zone is as important as the safe
• ATMs do not operate in a trusted environment
• Implement regular security assessments and pentests of ATMs
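The first proposal, mutual authentication between the ATM computer and its devices, is also the answer to the "just sniff and replay" problem on the DinosauRS232 slide. The block below is an added example, not code from the talk or from any ATM vendor: a three-message challenge-response handshake on a pre-shared key (the key is assumed to be provisioned into both the host and the device at installation; the nonce sizes, HMAC-SHA256, the role labels and the counter-based replay check are all choices made here), after which every command carries a per-session MAC and a strictly increasing counter, so a replayed, tampered or reflected frame is rejected.

```python
"""Host <-> device mutual authentication with a pre-shared key, then
MAC-and-counter protected commands.  Added example, not the talk's code.
Assumptions: a 32-byte PSK provisioned at installation, 16-byte nonces,
HMAC-SHA256, and a 4-byte big-endian per-direction counter."""
import hashlib
import hmac
import os
import struct


class AuthError(Exception):
    """Handshake failure, bad MAC, replay or reflection."""


def _mac(key: bytes, *parts: bytes) -> bytes:
    return hmac.new(key, b"".join(parts), hashlib.sha256).digest()


class Party:
    """State shared by both roles: PSK, derived session key, counters."""

    def __init__(self, role: bytes, psk: bytes):
        self.role = role
        self.psk = psk
        self.session_key = None
        self.send_ctr = 0
        self.last_recv_ctr = 0

    def _derive(self, nonce_h: bytes, nonce_d: bytes) -> None:
        # Fresh session key from both nonces: an old capture cannot be replayed
        # into a new session because the nonces (and so the key) differ.
        self.session_key = _mac(self.psk, b"session", nonce_h, nonce_d)
        self.send_ctr = 0
        self.last_recv_ctr = 0

    def seal(self, payload: bytes) -> bytes:
        """counter || payload || truncated MAC, bound to the sender's role."""
        self.send_ctr += 1
        body = struct.pack(">I", self.send_ctr) + payload
        return body + _mac(self.session_key, self.role, body)[:16]

    def open(self, msg: bytes) -> bytes:
        """Verify the MAC (computed under the *peer's* role) and the counter."""
        if self.session_key is None or len(msg) < 4 + 16:
            raise AuthError("no session or message too short")
        body, tag = msg[:-16], msg[-16:]
        peer_role = b"device" if self.role == b"host" else b"host"
        if not hmac.compare_digest(tag, _mac(self.session_key, peer_role, body)[:16]):
            raise AuthError("bad MAC (tampered or reflected)")
        ctr = struct.unpack(">I", body[:4])[0]
        if ctr <= self.last_recv_ctr:
            raise AuthError("replayed counter")
        self.last_recv_ctr = ctr
        return body[4:]


class Host(Party):
    def __init__(self, psk: bytes):
        super().__init__(b"host", psk)

    def start(self) -> bytes:                      # message 1: host nonce
        self.nonce_h = os.urandom(16)
        return self.nonce_h

    def finish(self, device_reply: bytes) -> bytes:  # verify msg 2, emit msg 3
        nonce_d, tag_d = device_reply[:16], device_reply[16:]
        if not hmac.compare_digest(tag_d, _mac(self.psk, b"device-auth", self.nonce_h, nonce_d)):
            raise AuthError("device failed to prove possession of the key")
        self._derive(self.nonce_h, nonce_d)
        return _mac(self.psk, b"host-auth", self.nonce_h, nonce_d)


class Device(Party):
    def __init__(self, psk: bytes):
        super().__init__(b"device", psk)

    def respond(self, nonce_h: bytes) -> bytes:    # message 2: device nonce + proof
        self.nonce_h, self.nonce_d = nonce_h, os.urandom(16)
        return self.nonce_d + _mac(self.psk, b"device-auth", nonce_h, self.nonce_d)

    def finish(self, host_proof: bytes) -> None:   # verify message 3
        if not hmac.compare_digest(host_proof, _mac(self.psk, b"host-auth", self.nonce_h, self.nonce_d)):
            raise AuthError("host failed to prove possession of the key")
        self._derive(self.nonce_h, self.nonce_d)


def pair(host: Host, device: Device) -> None:
    """Run the three-message handshake; raises AuthError if either side fails."""
    proof = host.finish(device.respond(host.start()))
    device.finish(proof)


if __name__ == "__main__":
    psk = bytes(range(32))                 # constructed key for the demo
    host, dev = Host(psk), Device(psk)
    pair(host, dev)
    cmd = host.seal(b"STATUS")             # placeholder command payload
    print(dev.open(cmd))
```

Both sides prove possession of the key before any command is accepted, so an external device plugged into the COM/USB port cannot drive the dispenser without the key, and a captured command is useless against a later session. The counter is per direction and the MAC is bound to the sender's role, which is what stops a device from reflecting the host's own frames back at it.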
Leave ATM Forever Alone
