Hacking ATMs

Hacking ATMs to spit out money, demonstrated at the Black Hat conference:

The two systems he hacked on stage were made by Triton and Tranax. The Tranax hack was conducted using an authentication bypass vulnerability that Jack found in the system’s remote monitoring feature, which can be accessed over the Internet or dial-up, depending on how the owner configured the machine.

Tranax’s remote monitoring system is turned on by default, but Jack said the company has since begun advising customers to protect themselves from the attack by disabling the remote system.

To conduct the remote hack, an attacker would need to know an ATM’s Internet IP address or phone number. Jack said he believes about 95 percent of retail ATMs are on dial-up; a hacker could war dial for ATMs connected to telephone modems, and identify them by the cash machine’s proprietary protocol.

The Triton attack was made possible by a security flaw that allowed unauthorized programs to execute on the system. The company distributed a patch last November so that only digitally signed code can run on them.

Both the Triton and Tranax ATMs run on Windows CE.

Using a remote attack tool, dubbed Dillinger, Jack was able to exploit the authentication bypass vulnerability in Tranax’s remote monitoring feature and upload software or overwrite the entire firmware on the system. With that capability, he installed a malicious program he wrote, called Scrooge.

EDITED TO ADD (7/30): Another two articles.

Posted on July 30, 2010 at 8:55 AM · 18 Comments

Comments

HJohn July 30, 2010 9:40 AM

@”Jack said he believes about 95 percent of retail ATMs are on dial-up; a hacker could war dial for ATMs connected to telephone modems, and identify them by the cash machine’s proprietary protocol.”


How hard could it have been to set up the ATMs to only answer calls from authorized numbers, rendering war dialing ineffective? Or to use callback, or something?

I admit, ATM’s aren’t my area of expertise, but there just doesn’t seem to be a need to accept any call from anywhere.

Stephane July 30, 2010 9:51 AM

@HJohn Caller ID spoofing isn’t particularly difficult either. Best would have been to use a secure authentication protocol.

Clive Robinson July 30, 2010 9:55 AM

What is not clear is if the “MS Win CE” these machines use is contributory or not.

That is, are the faults only in the ATM application code, or are they partly or fully in the Win CE OS code?

If it’s just in the ATM app code this is not overly important as changing the app will (or should) resolve the issue. If however it’s the Win CE OS code then other people who use Win CE should be made aware of the faults (not that the Win CE user base is very large).

kangaroo July 30, 2010 9:59 AM

@Stephane:

No, I don’t think the suggestion is CallerID. But controlling routing centrally should be possible — that hasn’t been inline like CallerID for decades (at least since they blocked phreaking at some point in the 80s or 90s). Or, as HJohn suggests, just callback — the phone gets pinged and the modem calls a fixed number rather than accepting any call at all.

But why should they bother at all if the insurance companies don’t demand it? I’m sure the primary costs lie there.

Phillip July 30, 2010 10:26 AM

War Dial? Why not just go to the corner store, make a quick switch on the phone line, plug in your own phone, dial somewhere (Skype, etc.) and get the number off the caller ID? Plug the ATM back in and be on your way.

Dom De Vitto July 30, 2010 10:41 AM

Even callback needs bi-directional authentication. Otherwise you just need to keep trying and you’ll get connected to their dial-out, when you dial-in. (you need to hit the window between ‘check for not ringing’ and ‘pick and dial’)

I love ’80s hacks, they just seem more elegant.
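The mutual authentication Stephane and Dom De Vitto call for, written out as an added example (not code from the post, Tranax or Triton): a shared-key challenge-response run in both directions, so a party that reaches the ATM's dial-out without the key proves nothing, and a reflected or replayed proof is rejected. The shared key and the role labels are constructed for the demo.

```python
import hmac
import hashlib
import os

# Constructed demo secret; a real deployment would provision a key per ATM.
SHARED_KEY = b"constructed-demo-key-not-for-deployment"


def tag(key, *parts):
    """HMAC-SHA256 over length-prefixed parts, so b'ab'+b'c' != b'a'+b'bc'."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    for part in parts:
        mac.update(len(part).to_bytes(4, "big") + part)
    return mac.digest()


class Party:
    """One endpoint (the ATM or the monitoring host) holding a key and a role."""

    def __init__(self, role, key):
        self.role = role.encode()
        self.key = key
        self.nonce = None

    def challenge(self):
        # Fresh random nonce per session: an old proof cannot be replayed.
        self.nonce = os.urandom(16)
        return self.nonce

    def respond(self, peer_nonce):
        # Prove key possession, bound to the peer's nonce and to our own role
        # label so the peer's proof cannot simply be reflected back at it.
        return tag(self.key, self.role, peer_nonce)

    def verify(self, peer_role, response):
        expected = tag(self.key, peer_role.encode(), self.nonce)
        return hmac.compare_digest(expected, response)


def mutual_auth(atm, host):
    """Run the handshake both ways; return (atm_accepts_host, host_accepts_atm)."""
    n_atm = atm.challenge()
    n_host = host.challenge()
    host_proof = host.respond(n_atm)   # host answers the ATM's challenge
    atm_proof = atm.respond(n_host)    # ATM answers the host's challenge
    return atm.verify("host", host_proof), host.verify("atm", atm_proof)
```

Either side refusing to proceed on a failed verify is what makes the dial-in/dial-out race Dom describes harmless: winning the window only gets the caller a modem that will not talk.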

HJohn July 30, 2010 10:47 AM

@Stephane: “Caller ID spoofing isn’t particularly difficult either. Best would have been to use a secure authentication protocol.”


Of course, I agree about a secure authentication protocol. Caller ID spoofing isn’t difficult, but they would at least have to know what an authorized number is. Major point being that while no countermeasure is foolproof, an array of simple countermeasures (caller ID, call back, secure protocols, etc.) will reduce the risk window to a manageable level.

Great point about protocol though.

Clive Robinson July 30, 2010 1:20 PM

As @Phillip notes some ATM installations in “mom-n-pops” stores are not exactly well installed when it comes to phone line security.

Further even in more secure installations the phone pair can be easily found in a service cabinet either in the building or street.

Which means installing a “vampire tap” or a couple of 2-4 wire hybrids wired back to back is not that difficult.

It will thus allow a “Man In The Middle” attack part way through a connection which means you need to securely authenticate all transactions etc not just the end points.

Often the problem is that “engineers” generally go for transparency and reliability and tend not to be too good at doing secure communications even when working at International Standards Level (think wep).

So I would normally assume that any comms in a custom application would be suspect unless it can be shown otherwise (which is no easy task).

Likewise the engineers, technicians and architects that are responsible for installing ATMs in shops etc should be more savvy when it comes to physical access beyond the ATM itself.

lmckeon July 30, 2010 5:22 PM

“What makes this somewhat easy is that–through his discovery of purchasing ATM machines online–manufacturers tend to use the same key across all models.” — Tom’s Guide.

Diebold, is that you?

spaceman spiff July 30, 2010 8:24 PM

Running on WinCE? Arrrrgh! No wonder these systems are so vulnerable! Signed applications or not, it won’t be long before they are pwnd also. The development managers who specified that WinCE be used for these devices should all be sued for gross negligence and incompetence, IMHO.

BF Skinner July 31, 2010 12:30 PM

@spaceman spiff “WinCE? Arrrrgh! No wonder these systems are so vulnerable!”

I aver that windows is no less secure than *nix or Mac for a given configuration. That’s a big given. Includes maintenance.

That said. The Deepwater Horizon safety computer was an XP install that was bluescreening before the disaster. I wonder if they were playing Halo on it.

Jason July 31, 2010 9:52 PM

There was also the fact that one of the ATMs is set up to look for firmware upgrades on any external storage media plugged in and installs it automatically.

With a key you can buy off the Internet, you could open the ATM, plug in your drive to the motherboard, and power-cycle it in less than 30 seconds.

That put his backdoor (Scrooge) on the ATM which let him Jackpot it by either using a precoded mag card, or by entering a specific sequence of button presses.

The attacks weren’t as easy as I’d hoped, but they are definitely doable.

Note that he wasn’t able to find keys for Diebold ATMs online.

DUDE August 2, 2010 10:02 AM

Marc Tobias and Tobias Bluzmanis have a video that appears in Wired News, in which they hack a fingerprint lock with a paperclip.
