Schneier on Security
A blog covering security and security technology.
« Security Vulnerabilities of Smart Electricity Meters |
| Doomsday Shelters »
July 30, 2010
Hacking ATMs to spit out money, demonstrated at the Black Hat conference:
The two systems he hacked on stage were made by Triton and Tranax. The Tranax hack was conducted using an authentication bypass vulnerability that Jack found in the system's remote monitoring feature, which can be accessed over the Internet or dial-up, depending on how the owner configured the machine.
Tranax's remote monitoring system is turned on by default, but Jack said the company has since begun advising customers to protect themselves from the attack by disabling the remote system.
To conduct the remote hack, an attacker would need to know an ATM's Internet IP address or phone number. Jack said he believes about 95 percent of retail ATMs are on dial-up; a hacker could war dial for ATMs connected to telephone modems, and identify them by the cash machine's proprietary protocol.
The Triton attack was made possible by a security flaw that allowed unauthorized programs to execute on the system. The company distributed a patch last November so that only digitally signed code can run on them.
Both the Triton and Tranax ATMs run on Windows CE.
Using a remote attack tool, dubbed Dillinger, Jack was able to exploit the authentication bypass vulnerability in Tranax's remote monitoring feature and upload software or overwrite the entire firmware on the system. With that capability, he installed a malicious program he wrote, called Scrooge.
EDITED TO ADD (7/30): Another two articles.
Posted on July 30, 2010 at 8:55 AM
• 18 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
@"Jack said he believes about 95 percent of retail ATMs are on dial-up; a hacker could war dial for ATMs connected to telephone modems, and identify them by the cash machine's proprietary protocol."
How hard could it have been to set up the ATMs to only answer calls from authorized numbers, rendering war dialing ineffective? Or to use callback, or something?
I admit, ATM's aren't my area of expertise, but there just doesn't seem to be a need to accept any call from anywhere.
@Stephane: "Caller ID spoofing isn't particularly difficult either. Best would have been to use a secure authentication protocol."
Of course, I agree about a secure authentication protocol. Caller ID spoofing isn't difficult, but they would at least have to know what an authorized number is. Major point being that while no countermeasure is fool proof, an array of simple countermeasures (caller ID, call back, secure protocols, etc.) will reduce the risk window to a manageble level.
Great point about protocol though.
As @ Phillip notes some ATM instalations in "mom-n-pops" stores are not exactly well installed when it comes to phone line security.
Further even in more secure instalations the phone pair can be easily found in a service cabinet either in the building or street.
Which means installing a "vampire tap" or a couple of 2-4 wire hybrids wired back to back is not that difficult.
It will thus allow a "Man In The Middle" attack part way through a connection which means you need to securly autheticate all transactions etc not just the end points.
Often the problem is that "engineers" generally go for transparency and reliability and tend not to be to good at doing secure communications even when working at International Standards Level (think wep).
So I would normally assume that any comms in a custom application would be suspect unless it can be shown otherwise (which is no easy task).
Likewise the engineers, technicians and architects that are responsable for installing ATMs in shops etc should be more savey when it comes to physical access beyond the ATM it's self.
There was also the fact that one of the ATMs is set up to look for firmware upgrades on any external storage media plugged in and installs it automatically.
With a key you can buy of the Internet, you could open the ATM, plug-in your drive to the motherboard, and power-cycle it in less than 30 seconds.
That put his backdoor (Scrooge) on the ATM which let him Jackpot it by either using a precoded mag card, or by entering a specific sequence of button presses.
The attacks weren't as easy as I'd hoped, but there are definitely doable.
Note that he wasn't able to find keys for Diebold ATMs online.
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.