This is surprisingly easy. Look for the defcon talk "atm jackpotting".
The summary is that there are only a few vendors of ATMs and ATM software. They often have a tubular lock with a small number of lock combinations. You open it, and there's the main board. USB (some with auto-play still enabled), CF card (main storage), everything. Plug in what you want. Some insist on code-signing of the CF card to boot, but it can be bypassed.
Often they are exposed to the internet, and as of the talk at least one vendor had a pre-login vulnerability to an internet-exposed port (which the speaker reported, so that particular one is probably fixed now, but goodness knows if the sites in the real world are patched).
Once you have your code running, it's game over. Open the cash drawer, record stripe data (and phone it to yourself whenever you like), rootkit the device to make yourself undetectable.
He bought several ATMs of the most popular model to experiment, right off the internet, some from the vendors themselves. Nobody questioned him.
Hmm, just read up on this Jack guy. What was that thing? He was 35 years old and wasn't sick or obese.
Now, for people who believe the generally good nature of states (and/or Santa) this might not even raise an eyebrow, but for people who have read their history, well...
1. The attackers knew there was a USB port on these devices that would auto-play, or at least trigger the auto-play dialog.
2. The attackers knew all of the software internals of the machines before they started. You don't just write code that works with any old ATM software.
3. The article stated that 'the organisers displayed "profound knowledge of the target ATMs"'. "Profound knowledge" seems to be an understatement. That's the kind of knowledge that you get when you work for a company that designs and builds ATMs.
Really, I don't see this as anything more than something to chuckle at. It's like if a restaurant was robbed by someone that knew the code for the back door and that a spare key to the safe was taped to the underside of the desk in the back room. If you know what you're doing, of course you can break in.
Oh, yeah. And the first character after the first * wasn't whitespace, it was another *, so HN ate them both and inserted an italicized zero length string.
Why is it always private ATMs (you know, the ones with rip-off charges) at mom and pop stores that seem to be the ones getting hacked, not ones embedded in the walls of a bank?
Making ATMs only available to organizations with a full banking license might help, and somebody should define proper security standards. Bruce Schneier's looking for a new job; maybe he might want to take this on?
I find it much more likely they'd skimp on hardening, the bad guys would still find ways to get them but white hats would have an extremely hard time working on the problem, and we'd be in an even worse situation.
Sort of like the problems we have right now with locks.
Autoplay isn't required for these kinds of attacks. I'll confess that I did not watch the actual talk (linked elsewhere), so I don't know if that route was used in this case. I do know, however, that autoplay is not actually required.
Here's a video of a demonstration given back in November of a system (Crossing Guard) being developed at Dartmouth (under the Trustworthy Cyber Infrastructure for the Power Grid). The attack takes advantage of lower level USB operation and does not rely on autoplay.
1. You can find both pictures of the machines and the ATMs themselves on the internet.
2. Most likely it's (an old) Windows. You don't need to write special code for any old ATM software. They could even just use autoplay once to test the grounds and copy anything they could back to the USB for analysis.
3. Ok, I'm not saying the profound knowledge / inside job was not involved... but people have done much more crazy and advanced attacks on black boxes with next to no knowledge. Once they knew they had access to software inside with auto-play they could do anything. Even connect the box to wifi via USB and do everything else remotely.
So why in the name of "bruce" was an ATM ever shipped with a USB port in the first place. The firmware update process should be locked down.
What needs to happen is that all the executives of the ATM company and the bank concerned (going back 15 years or so) need to be banned for life (a) from ever being directors and (b) from ever working in the finance industry.
USB port or no, once you have physical access to the internal electronics then the game is over. It seems to me the failure was using materials that could be quickly breached and then patched.
Do you have unique experience to justify your vitriol?
"once you have physical access to the internal electronics then the game is over"
Come on... Someone used an X-acto knife to plug in a USB stick on a PC configured to auto-play it and we should take it as proof that "physical access to the internal electronics then the game is over"?
Companies like Brinks are using special sprays that render bills unusable in case someone tries to break into the safes, if I'm not mistaken.
What about an ATM where any attempt to open it to physically access the internal electronics would result in the ATM bricking and all the bills getting instantly sprayed so as to render them unusable?
What about spraying the bills and rendering them unusable in case the ATM is powered down, and making it impossible to install new software without powering the machine down? (so that when you come with your new hard disk and access the internals to plug it in, you're SOL). This would even have the benefit of rendering attacks of the type "I come with a truck and steal the part of the wall that contains the ATM" impractical (yes, people have done these).
And where the only way to prevent that, for example during legitimate maintenance, would be to first enter a token generated by the ATM company and communicated to the (legit) employee doing the maintenance when he's working on the machine?
I've never worked on ATMs and I'm sure it shows, but that's not the point.
Honestly I find it quite sad that simply plugging in a USB stick allows someone to steal money from the machine.
I find it also very sad that several people here consider that "nothing can be done against a rogue employee" or that "nothing can be done if you have physical access to the internal electronics".
And I do honestly hope that people working on ATMs will start thinking about how to better secure their ATMs and which kind of trust systems can be put in place so that rogue employees (and other thieves) have a much harder time attacking ATMs.
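One way the "token generated by the ATM company" idea from the comment above could be made concrete, as an added example that is not from the thread or any ATM vendor: the vendor issues a keyed MAC over the ATM id, the technician id and a maintenance window, and the machine only unlocks its maintenance mode when the tag verifies and the clock is inside the window. The per-ATM key, field layout and `|` separator are assumptions made for this example; the key below is constructed sample data.

```python
"""Time-bounded maintenance authorisation token for an ATM (added example).

Design: the vendor holds a per-machine key; the ATM holds the same key in
tamper-resistant storage (assumed). A token authorises one technician on
one machine for one window. A stolen token for another machine, an edited
token, or an expired one all fail verification.
"""
import hashlib
import hmac

# Constructed sample key; a real deployment would provision one per ATM.
SAMPLE_ATM_KEY = b"constructed-per-atm-key-0001"


def _message(atm_id: str, technician: str, not_before: int, not_after: int) -> bytes:
    """Canonical byte string covered by the MAC (format is an assumption)."""
    return f"{atm_id}|{technician}|{not_before}|{not_after}".encode()


def issue_token(key: bytes, atm_id: str, technician: str,
                not_before: int, not_after: int) -> str:
    """Vendor side: bind machine, technician and window under HMAC-SHA256."""
    tag = hmac.new(key, _message(atm_id, technician, not_before, not_after),
                   hashlib.sha256).hexdigest()
    return f"{atm_id}|{technician}|{not_before}|{not_after}|{tag}"


def verify_token(key: bytes, token: str, this_atm_id: str, now: int) -> bool:
    """ATM side: accept only if the tag matches, the token names this
    machine, and the current time is inside the authorised window."""
    try:
        atm_id, technician, nb, na, tag = token.split("|")
        not_before, not_after = int(nb), int(na)
    except ValueError:
        return False                      # malformed token
    expected = hmac.new(key, _message(atm_id, technician, not_before, not_after),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return False                      # forged or edited token
    if atm_id != this_atm_id:
        return False                      # token issued for another machine
    return not_before <= now <= not_after


if __name__ == "__main__":
    # Window: sample epoch seconds 1_000_000 to 1_003_600 (one hour).
    tok = issue_token(SAMPLE_ATM_KEY, "ATM-0001", "tech-42", 1_000_000, 1_003_600)
    print("inside window:", verify_token(SAMPLE_ATM_KEY, tok, "ATM-0001", 1_001_000))
    print("after window: ", verify_token(SAMPLE_ATM_KEY, tok, "ATM-0001", 1_010_000))
    print("other machine:", verify_token(SAMPLE_ATM_KEY, tok, "ATM-0002", 1_001_000))
```

The point of binding the ATM id and window into the MAC is that a technician (or a thief who obtains a token) cannot reuse it on a different machine or outside the scheduled visit; `hmac.compare_digest` avoids leaking the tag through timing.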
"It seems to me the failure was using materials that could be quickly breached and then patched."
That is just one failure. The attacker exploited several holes and the answer from ATM companies should be more complex than just putting duct tape on one of the holes.
With regards to the "spraying of bills", the bills themselves are usually in a safe, which is separated from the electronics (computer & peripherals). But I do agree that when a machine is breached it should halt immediately. Having said that, financial institutions are not going to take this route for a variety of reasons, one of which is just general maintenance. If the case is breached, do you suspect that the intruders had access to everything? If so, you'd want to brick the entire device, to prevent any data from leaking back to the intruders.
Your suggestion with regards to maintenance is indeed a valid one, but again the increase in cost is simply too big. Most financial institutions in my country and region (Western Europe) actually see ATMs purely as a cost, and install them simply because they want customers to get hold of their money. It is that simple. So why would they increase the costs?
I think, and I don't want to start any flamewars or anything, that reconsidering the use of Windows in its current form is a valid route. If you were to start from an extremely limited & stripped down version sure, but not in the way companies are currently using it (for those that might wonder, yes full installs of windows happen all the time).
Anyway, I'm glad this is in the open. The more people talk about it, the more things will change.
> With regards to the "spraying of bills", the bills themselves are usually in a safe, which is separated from the electronics (computer & peripherals).
I used to work in a supermarket with the 'self service' checkouts. The cash dispenser internals look to be exactly the same as those in basic ATMs [0]. Without going into too many details, in our case the security was minimal and there was no tamper proofing. If you really wanted to get inside it wouldn't have been particularly hard. ATMs may be different as they are slightly more portable than a checkout though :)
Basic ATMs found in gas stations and liquor stores are different. All the ATMs in big banks have a safe at the bottom that houses the case made of 1/4 inch or so steel plates.
Yep, looked at doing secure paperless direct debit back in 2000 or so. It is quite practical to build ATMs securely and to have ATM update procedures that are much, much more secure, requiring a two-man approach for example.
For physical access, having ATMs that self-destruct on tampering would be another possibility, like the IronKey USB sticks and bank-grade key stores.
They're shipped with a USB port because they just have a standard computer motherboard. Everything in the ATM that makes it different from the computer you're sitting at right now is just a peripheral.
The point is that ATMs shouldn't be proverbially taping the proverbial spare key to the underside of the proverbial desk.
A well-designed system can withstand the attacker knowing all of its details aside from the secret key chosen by the owner. That's the whole point of avoiding "security through obscurity".
I have about a year of industry knowledge working with ATMs. NCR and Diebold hold a huge portion of the North American ATM market and likely European too. All of the NCR and Diebold machines I worked on were running locked down Windows XP as of a couple of years ago. The PC hardware is fairly standard. Most of the peripherals like cash dispensers connect via USB to the PC in the ATM.
I haven't had a chance to look at the exploit but I'd assume it didn't necessarily use auto-play. The OS images that are loaded on these machines are highly customized and would likely prevent auto-loading a USB driver. However, either it auto-loaded or they exploited some other USB bug in Windows.
Once they could load code then they would have been able to manipulate the cash dispenser using an XFS app[0]. This would let them dispense bills from the safe to the customer-facing throat. However, once the machine was restocked the bill counts would be off and the bank's backend should detect the tampering.
Based on the story it sounds like they were able to load code into the banking application to allow activating their hack from the pin pad. To me that seems to indicate either a former engineer of NCR/Diebold or someone who got their hands on a used ATM and spent a lot of time reverse engineering the application software and chassis.
I've also made the assumption that this was done on a free-standing ATM[1]. Wall mount ATMs that you see at most banks are mostly behind the wall and would be extremely difficult to get access to a USB port.
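The backend detection the comment above describes, written out as an added example (not code from the thread, from NCR, Diebold or any XFS library): at restock, compare what the host authorised against what the dispenser counted out and what was physically left in each cassette. Notes dispensed without a matching host authorisation are the jackpotting signature; a physical count that disagrees with the dispenser's own counter points at manipulation of the counters themselves. The record layout, field names and all numbers are constructed for this example.

```python
"""Restock-time cash reconciliation for one ATM (added example).

Two independent checks per cassette:
  1. dispensed - host_authorised  > 0  -> notes left the safe with no host
                                          transaction behind them
  2. loaded - dispensed - remaining != 0 -> dispenser counter and physical
                                          count disagree
"""
from collections import Counter

# Constructed sample data: withdrawals the host authorised since last restock.
HOST_AUTHORISED = [
    {"atm_id": "ATM-0001", "denomination": 20, "notes": 5},
    {"atm_id": "ATM-0001", "denomination": 20, "notes": 10},
    {"atm_id": "ATM-0001", "denomination": 50, "notes": 2},
    {"atm_id": "ATM-0002", "denomination": 20, "notes": 7},   # other machine
]

# Constructed sample restock report (field names are assumptions):
# loaded    = notes placed in the cassette at the previous restock
# dispensed = notes the dispenser's own counter says it paid out
# remaining = notes physically counted in the cassette now
RESTOCK_REPORT = {
    "atm_id": "ATM-0001",
    "cassettes": [
        {"denomination": 20, "loaded": 500, "dispensed": 115, "remaining": 385},
        {"denomination": 50, "loaded": 200, "dispensed": 2, "remaining": 198},
    ],
}


def host_totals(transactions, atm_id):
    """Sum host-authorised notes per denomination for one machine."""
    totals = Counter()
    for tx in transactions:
        if tx["atm_id"] == atm_id:
            totals[tx["denomination"]] += tx["notes"]
    return totals


def reconcile(report, transactions):
    """Return a list of (denomination, finding, note_count) discrepancies.

    An empty list means every cassette agrees with the host's records."""
    findings = []
    authorised = host_totals(transactions, report["atm_id"])
    for c in report["cassettes"]:
        d = c["denomination"]
        unauthorised = c["dispensed"] - authorised[d]
        if unauthorised > 0:
            findings.append((d, "dispensed_without_host_authorisation", unauthorised))
        physical_gap = c["loaded"] - c["dispensed"] - c["remaining"]
        if physical_gap != 0:
            findings.append((d, "counter_vs_physical_mismatch", physical_gap))
    return findings


if __name__ == "__main__":
    for finding in reconcile(RESTOCK_REPORT, HOST_AUTHORISED):
        print(RESTOCK_REPORT["atm_id"], *finding)
```

In the sample data the $20 cassette paid out 115 notes while the host only authorised 15, so the check reports 100 unauthorised notes; the $50 cassette reconciles cleanly. The first check is the one that catches a dispenser driven directly from the PC, since that path never creates a host transaction.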
I also have a little bit of (indirect) experience with software dev for ATMs, although it was in south east Asia. They were running Windows XP, and once you opened up the case you could just plug in a keyboard and mouse.
From what I remember, don't want to be specific for obvious reasons, the screens in the ATM program are defined by a configuration file which is distributed from a central server. If you could intercept or modify that configuration, then you could get the ATM to show whatever you want without having to reverse engineer the whole software.
All the NCR machines I encountered post-ADA upgrades were running Windows XP and still had the standard admin backdoor passwords on them. There are only two different ones to try.
For what it's worth, there's a fair number of Windows-based ATMs in the US and around the globe. You can find articles as old as 2003 about exploiting Windows-based ATMs. My favorite was the machine that had a Paint program enabled by an intrepid hacker. Every year without fail the ATMs of the hotels surrounding DEFCON get owned multiple times, sometimes advertising it. ("Dumb" ATMs are often much easier to attack using default passwords, but harder to install malware on)
Depends on what you mean by "harder to install malware on". Most of these machines are regular Windows, and inherit the default risk associated with such machines. The only difference is that some might have better hardening.
The Windows CE and OS/2 ones are getting rare. Those I have tested all had Win XP and Win 7. (I have tested nearly every major financial institution in my country.)
Whenever I come across a green-screen ATM running decent old software I practically leap for joy. Why? I can get my money in 5 seconds. The new ones, that I guess are running Flash on top of MSIE on top of WinXP, are unbelievably slow.
My favorite are the ones where the developer got the resolution of the screen wrong, and both the horizontal & vertical scrollbars are present. The touch screen is emulating a mouse, so you can drag the bars a little ways.
From experience (I was a security assessment professional and I have looked at multiple of these ATM machines in the past from a hacker's point of view), these machines are almost always Windows XP SP3, or the newer ones are running Windows 7. A number of USB devices are added like the pinpad, keyboard, printer, smartcard reader, cash dispenser, ... Next the entire thing is managed using XFS. (http://www.cen.eu/cen/Sectors/Sectors/ISSS/Activity/Pages/WS...) So even though it might appear the researcher had a large amount of knowledge, this is not so uncommon.
That's also in the article, they left auto-play running.
I'd bet they use standard PC motherboards. The only unusual things the thieves knew were where to open the hole, and how to use the cash dispenser (although I'm quite sure one'd be able to get the entire dispenser documentation from Google).
Knowing that they are Windows machines, why don't people attack the ATMs by the network?
I'm vaguely surprised they bothered to cut a hole to do this. When I was working on ATMs, none of my clients ever bothered to have their ATMs uniquely keyed. I had a keyring of about 30 keys that could open pretty much any ATM I came across.
Most ATMs are running on Windows 7 with PC hardware. The hardware is probably custom made but still very similar to what you would find in a desktop.
As far as the network goes, you can't access ATMs from the Internet, at least in the US. Most of the providers have leased lines to a central server somewhere and then leased lines to whatever 3rd parties they talk to. US banks aren't too crazy on letting people remotely service ATMs that are having software problems.
The sad part is that BBC takes this random fact and completely missed the important ones about the more massive problem that the NSA and complacent / blackmailed government represent...
Watch the talk, it was great.