Revisiting atm vulnerabilities for our fun and vendor’s
4 likes9,120 views
The document discusses vulnerabilities in ATM systems that can allow attackers to steal cash or users' financial information. It provides examples of past malware attacks on ATMs and describes technical methods attackers have used to gain unauthorized access and control of ATM components like card readers, cash dispensers, and PIN pads. The authors argue that current security measures are insufficient and that vendors prioritize profits over fixing issues. They call for implementing stronger authentication of ATM devices and transactions to help address ongoing threats.
![RS232 vs USB-HID
# ls /dev/tty*
import serial
ser = serial.Serial('/dev/ttyUSB0')
ser.write("0230XXXXXX01010200
0300040005000600100342“.deco
de(‘hex’))
ser.close()
# lsusb
import hid
h = hid.device(0x????, 0x20)
h.write([0x80] + map(ord,
"0230XXXXXX0101020003000400
05000600100342“.decode(‘hex’)))
h.close()](https://image.slidesharecdn.com/revisitingatmvulnerabilitiesforourfunandvendors-150619163116-lva1-app6892/85/Revisiting-atm-vulnerabilities-for-our-fun-and-vendor-s-43-320.jpg)
Revisiting atm vulnerabilities for our fun and vendor’s
- 1. Revisiting ATM vulnerabilities for our fun and vendor’s profit Alexey Osipov & Olga Kochetova
- 2. Experts@Security:~# WhoAmI • Positive Hack Days Team • Speakers at many IT events • Pentesters of various systems • Authors of multiple articles, researches, advisories
- 3. Agenda •Overview • What makes us roll •Short stories •Vendors losses •Our frustration •Conclusions
- 5. ATM Cabinet
- 8. Software Stack Host • MS Windows • Device control middleware and kiosk • Some AV/integrity control • Video surveillance/Radmin/Old flash player and other crap Devices • RTOS on strange microcontrollers
- 9. Windows XP Still Alive •Early 2014 – 95% of ATMs run on Windows XP •Support killed off in April 2014 •>9000 vulnerabilities
- 10. Rob The Bank
- 11. BOOOoooring
- 12. Alternative News
- 13. “Average Bill” Typical ATM contains 4 cassettes with ~2500 notes in each one. (5+10+20+50)x2500= US$/€ 212 500 could be stolen from ATM during single incident.
- 14. DO NOT REPEAT IT AT HOME
- 15. Main Parts Of Everything
- 16. True Story #1
- 17. Malware • Skimer.A -2008 • …………………………………… • Backdoor.Ploutus – 2013-2014 • Backdoor.Padpin – 2014 • Macau Malware – 2014 • Backdoor.Tyupkin – 2014 • Trojan.Skimmer (new) – 2015 Subtotal = 16 < variants of malware
- 18. Tyupkin: Around The World In 435 Days
- 19. How It Works: Jackpotting Malware •Access •Infection •Control •Theft
- 20. How It Works: XFS Network communication Windows-based application Configuration information Unit #1 Service provider #1 Unit #2 Unit #3 Service provider #2 Service provider #3 Unit #4 Service provider #4 Unit #5 Unit #6 Service provider #5 Service provider #6 XFS API XFS SPI XFS manager COM USB Customer/Service mode
- 21. How It Really Works: XFS Insecurity Network communication Windows-based application Configuration information Unit #1 Service provider #1 Unit #2 Unit #3 Service provider #2 Service provider #3 Unit #4 Service provider #4 Unit #5 Unit #6 Service provider #5 Service provider #6 XFS API XFS SPI XFS manager COM USB Customer/Service mode
- 22. XFS, Cash Dispenser Device •Cash withdrawal without authorization •Cassette and cash control •Software safe opening
- 23. XFS, Identification Card Device •Insert/eject/retain cards •Read/write data •EMV reader (one can access payment history stored in chip)
- 24. XFS, PIN Keypad Device • Export of the key is not available • Open mode and secure mode read data (for stealing PIN: an ATM software sets “secure mode” for entering PIN, and intruder changes it to “open mode” to capture the PIN)
- 25. PIN Device Flow
- 26. PIN Device Flow -If entering PIN/encryption keys -Authenticate host on currently used keys -Send empty button press events -Send PIN block to host -If entering open string -Send all button press events with button values to host
- 27. PIN MITM Attack
- 28. PIN Device MITM Attacks -Request open mode from PIN pad when user is going to insert PIN code -Acknowledge host about button presses -Send erroneous PIN block (we don’t know keys) -Host refuses transaction, but attacker knows client PIN code -Next transaction will be unmodified
- 29. XFS Authentication •Authentication? What authentication? •Exclusive access to XFS manager/service provider? Exists, but not intended to be used for security
- 30. XFS Authentication •Authentication? What authentication? •Exclusive access to XFS manager/service provider? Exists, but not intended to be used for security
- 32. XFS specification •Where? •“We don’t know yet” (c) but try google “XFS ATM”
- 33. True Story #2
- 35. Black Box Attacks •Directly control ATM
- 36. How It Works: Black Box Attacks •Dispenser •Card reader •Encrypted PIN-pad •Sensors
- 37. How It Works: Physical Interfaces COM/USB Network communication Windows-based application Configuration information Unit #1 Service provider #1 Unit #2 Unit #3 Service provider #2 Service provider #3 Unit #4 Service provider #4 Unit #5 Unit #6 Service provider #5 Service provider #6 XFS API XFS SPI XFS manager COM USB Customer/Service mode
- 38. How It Really Works: COM/USB Insecurity Network communication Windows-based application Configuration information Unit #1 Service provider #1 Unit #2 Unit #3 Service provider #2 Service provider #3 Unit #4 Service provider #4 Unit #5 Unit #6 Service provider #5 Service provider #6 XFS API XFS SPI XFS manager COM USB Customer/Service mode
- 39. DinosauRS232 •Standard interface •No specific drivers •No authorization •Insecure proprietary protocols (just sniff and replay)
- 40. Advantages Of COM/USB •Direct device control •Execution of undocumented functions •Intercept unmasked sensitive data •Possibility of producing hardware sniffer, which can’t be detected by visual examination
- 41. Advantages Of COM/USB •Direct device control • Command execution mitigating all host- based checks, e.g. cash withdrawal without notes counter checks • 02 30 / 10 03 – start-stop sentinels • XX XX– op-code • XX – Unknown • 01 01 … – data • 42 – CRC8 02 30 XX XX X X 01 01 02 00 03 00 04 00 05 00 06 00 10 03 42
- 42. We Had Two Libs Of Python, 35 USD, Power Bank And Wi-Fi Dongle
- 43. RS232 vs USB-HID # ls /dev/tty* import serial ser = serial.Serial('/dev/ttyUSB0') ser.write("0230XXXXXX01010200 0300040005000600100342“.deco de(‘hex’)) ser.close() # lsusb import hid h = hid.device(0x????, 0x20) h.write([0x80] + map(ord, "0230XXXXXX0101020003000400 05000600100342“.decode(‘hex’))) h.close()
- 45. True Story #3
- 46. Hijacking ATM Control/Processing Host •Carbanac – 2015 •MitM – 2015
- 47. Possible connections to processing center •VPN (Hardware/Software) •SSL •MAC-authentication •Firewall •IDS
- 48. ATMs In Internet Pakistan 1458 Russia 571 Venezuela 28 Tajikistan 20 Ukraine 16 Armenia 11 Brazil 1 Zambia 1 Sierra-Leone 1 Thailand 1
- 49. Who Cares
- 50. Card Reader/ Writer/ Skimmer Sensitive data disclosure, e.g. track data in plaintext, is possible with reading command sending to COM/USB port directly. This attack is possible with ATM's computer or with any external device, which is connected to the card reader's COM/USB port.
- 51. What Big Vendors Think The vulnerabilities are essentially normal specifications of the card readers and not unexpected. As long as the ATM is running within normal parameters, these problems cannot possibly occur.(c) However this vulnerability is inherent in the USB technology and is expected be mitigated by the use of appropriate physical controls on access to the ATM top box.(c)
- 52. Quick Cash And Full Control Control cash dispenser module by unauthorized application or user. An attacker has possibility to control cash dispenser by sending command to COM/USB port directly, including dispensing and presenting commands. This attack is possible with ATM's computer or with any external device, which is connected to the dispenser's COM/USB port.
- 53. What Big Vendors Think “We regret informing you that we had decided to stop producing this model more than 3 years ago and warranties for our distributors been expired.”
- 54. What About Cryptography Dispenser “Half” Security Level: Any use of cryptography – is NOT equal to good use of cryptography
- 55. Achievement Unlocked Dispenser High Security Level: Dispenser Upgrade Pack is released and available from the vendor_name download center, and it will be included as standard in the next release of XFS.(c)
- 56. No More SSL •OpenSSL in ATM/POS software •Misconfiguration •PCI/PA DSS v.3.1 SSL >> TLS
- 57. How Live With All This
- 58. Conclusions • Current vulnerabilities in ATMs are low hanging fruits, that are ready for criminals • Vendors are not that interested in fixing. Increase cost, decrease profit • Banks are not that competent to know what to do
- 59. Proposals • Implement mutual authentication both for ATM computer and it’s devices • Make peer review of XFS standard/communication protocols • Authenticated dispense from processing center • Trust environment is not about ATMs • Implement regular security assessments and pentest of ATMs
- 60. Kudos Alexander Tlyapov, @_Rigmar_ And all other guys worth mentioning
- 61. Questions? Alexey Osipov @GiftsUngiven, GiftsUngiv3n@gmail.com Olga Kochetova @_Endless_Quest_, Olga.v.Kochetova@gmail.com