
Hacking ATMs: No Malware Required

Two researchers have demonstrated how ATMs could be hacked - without installing malware - by connecting a tiny computer to a port inside of the machine, bypassing the ATM's own computer, and instructing the cash dispenser to begin giving out money.
At last week's Black Hat Europe conference in Amsterdam, Russian penetration-testing experts Alexey Osipov and Olga Kochetova described how they tested the attack method on several ATMs. They say they successfully programmed a credit-card-sized Raspberry Pi computer, which can be connected to the inside of an ATM, for use as a "hardware sniffer" as well as a malicious controller. The device can, for example, intercept PIN codes, as well as send directions directly to different components inside the ATM enclosure, telling them to dispense cash or open the safes in which the cash is stored.
The recent rise in ATM malware attacks has led to warnings from law enforcement agencies that ATM operators must beef up the physical security of their money machines. The LINK Scheme, for example, which is the U.K.'s interbank network of ATM operators, maintains physical security recommendations for ATM operators, and recommends a variety of countermeasures that could help thwart malware - or the proof-of-concept Raspberry Pi attacks. Those include replacing the default locks issued by most vendors and monitoring ATMs with cameras.

Direct Control of ATM Components

The researchers' proof-of-concept attack relies, in part, on a set of standard programming interfaces, or APIs, that are built into most ATM host computers and components, including text displays, card readers, PIN pads and the dispenser units. These APIs are known as XFS - which stands for "extensions for financial services" - and are used by many manufacturers' components to communicate with each other.
By using these APIs, however, an attacker could bypass the ATM's own host computer, and communicate directly with the different peripherals installed inside the ATM enclosure, Osipov tells Information Security Media Group, speaking on the condition that his employer not be identified. Likewise, any vulnerabilities present in the ATM's operating system might also be exploited.

Raspberry Pi: Easy to Disguise

The researchers chose the Raspberry Pi computer for the testing of the ATM hacking technique, Osipov says, because "we wanted something small that we could add to an ATM and it would work within it, and [to] give ... financial IT security guys the knowledge that some device could be inserted into ATMs in such a way that it won't be noticed by the service engineers who exchange cassettes."
The Russian researchers ran their tests on an ATM they purchased from a smaller ATM manufacturer, as well as machines for which they'd been hired - by ATM operators - to conduct penetration testing. While the researchers say they have disclosed related vulnerabilities directly to ATM manufacturers, they declined to specify the machines they tested, or the vendors involved. But they noted that one vendor replied that because it was no longer producing the vulnerable piece of hardware, it didn't plan to issue a related fix, despite the hardware still being used in the field.

Physical Security Concerns

Before a computer can be installed inside an ATM, however, an attacker needs to gain physical access to the enclosure itself, and then plug their device into an Ethernet, USB or RS-232 port. But as recent malware attacks in Eastern Europe and Western Europe have shown, criminals are getting better at not just locating unattended ATMs, but also procuring the keys required to access ATM enclosures, plugging in a USB drive that installs malware on the targeted system, and then rapidly dispensing as much money as possible.
If attackers wanted to instead intercept all of the card numbers and PIN codes used at the machine, however, they would want to install a device, disguise it and then get away as quickly as possible. To test that scenario, the researchers timed how long it took them to install their computer inside the device and then lock it up. "We [know] that in several minutes, there will be an alarm in the processor that the ATM is not working, that it's been opened, and [the operator] will issue a security-response team that will go to the ATM and find anything that happened," Osipov says.
From start to stop, however, the researchers say they were able to unlock the ATM enclosure, install their computer and bring it online, then re-lock the ATM enclosure, in just two minutes. "You can be recorded on the [ATM's] video feed, but the video feed could be managed, exactly the same way as other devices [inside] the ATM," Osipov says.

How To Secure ATMs

What's required to address the potential new ATM hacking threat, the researchers say, is for vendors to begin conducting penetration tests of their devices, as well as for ATM operators to improve the physical security of their machines. They also recommend that the ATM industry collaborate on a new, open specification for the components inside an ATM to communicate securely with each other, as well as authenticate each other. Using such a system, any instructions received from an unauthorized computer that was connected to an internal ATM port could be ignored.
"Hacking ATMs with a small computer like Raspberry Pi should be impossible, but it isn't," Osipov says.
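
The component authentication the researchers call for can be sketched as follows. This is an added example, not code from the article, the researchers, or any XFS or vendor specification: a dispenser that acts only on commands carrying a valid HMAC and a fresh counter. The frame layout, command strings, sample key and all names are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

TAG_LEN = 32      # HMAC-SHA256 output size
COUNTER_LEN = 8   # big-endian 64-bit message counter


def seal(key: bytes, counter: int, command: bytes) -> bytes:
    """Host side: frame = counter || command || HMAC(key, counter || command)."""
    body = struct.pack(">Q", counter) + command
    return body + hmac.new(key, body, hashlib.sha256).digest()


class Dispenser:
    """Peripheral side: acts only on authenticated, fresh commands."""

    def __init__(self, key: bytes):
        self._key = key
        self._last_counter = 0  # must survive power cycles in a real device

    def handle(self, frame: bytes) -> str:
        if len(frame) <= COUNTER_LEN + TAG_LEN:
            return "rejected: malformed"
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self._key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):  # constant-time compare
            return "rejected: bad tag"
        counter = struct.unpack(">Q", body[:COUNTER_LEN])[0]
        if counter <= self._last_counter:
            return "rejected: replay"
        self._last_counter = counter
        return "accepted: " + body[COUNTER_LEN:].decode("ascii", "replace")


def demo() -> list:
    paired_key = bytes(range(32))          # constructed sample key
    dispenser = Dispenser(paired_key)
    genuine = seal(paired_key, 1, b"DISPENSE 20")      # constructed command
    unpaired = seal(bytes(32), 2, b"DISPENSE 20")      # sender lacks the key
    return [
        dispenser.handle(genuine),         # paired host computer
        dispenser.handle(unpaired),        # device plugged into an internal port
        dispenser.handle(genuine),         # recorded frame sent again
        dispenser.handle(b"DISPENSE 20"),  # raw, unauthenticated command
    ]


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

The tag only proves where a command came from; keeping PINs and card data from a sniffer on the same bus additionally requires encrypting the channel, and the shared key has to live in tamper-resistant storage on both ends.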