Clever Physical ATM Attack

This is an interesting combination of computer and physical attack:

Researchers from the Russian security firm Kaspersky on Monday detailed a new ATM-emptying attack, one that mixes digital savvy with a very precise form of physical penetration. Kaspersky's team has even reverse engineered and demonstrated the attack, using only a portable power drill and a $15 homemade gadget that injects malicious commands to trigger the machine's cash dispenser. And though they won't name the ATM manufacturer or the banks affected, they warn that thieves have already used the drill attack across Russia and Europe, and that the technique could still leave ATMs around the world vulnerable to having their cash safes disemboweled in a matter of minutes.

"We wanted to know: To what extent can you control the internals of the ATM with one drilled hole and one connected wire? It turns out we can do anything with it," says Kaspersky researcher Igor Soumenkov, who presented the research at the company's annual Kaspersky Analyst Summit. "The dispenser will obey and dispense money, and it can all be done with a very simple microcomputer."

Posted on April 5, 2017 at 6:29 AM • 42 Comments

Comments

Bob • April 5, 2017 6:52 AM

Am I the only one who gets somewhat irritated when they use the word hacker in the news? It's not about the original hacker culture or the difference between hacker and cracker, it's that to me when the news uses it, "hacker" sounds like "terrorist".

Tim • April 5, 2017 6:57 AM

Yes Bob. You are the only one. Hacker is a term with multiple meanings. A journalist can use it in any meaning he likes. I get enraged by certain things myself, but I don't go around trying to impose my personal preferences on media outlets and other persons.

david in toronto • April 5, 2017 7:16 AM

1. Anytime you have groups of malfeasants that can be easily labeled, you will see the same tone applied.
2. Linguistics waits for no one. While I understand you weren't protesting the use of "hacker", I find it fascinating and hilarious that the people who usually take exception are conflicted. They are on one hand aligned against proprietary things and on the other they claim truth and ownership of a definition. And neglect to recognize that golfers had a prior claim.

jbmartin6 • April 5, 2017 8:07 AM

I would be interested to see their decision making data for ATM security measures. Sure they could fix the issue, but as the article states it would be very expensive. They might just accept the risk and allow regular law enforcement to limit the pool of perpetrators. It's a question of which costs more.

r • April 5, 2017 8:26 AM

@jbmartin6,

Expensive? Have you priced out an ATM? How about one running Windows XP?

"Expensive to fix" should ring alarm bells about their margins of profit or true design goals.

Bob • April 5, 2017 8:32 AM

@Bob probably. Language changes over time. We all know what "hacker" means now, and it's not the same thing it meant 40+ years ago.

Also, get your own name.

Pat • April 5, 2017 8:37 AM

Languages are living things and either adapt or die. While it may be sad that the original meaning of “hacker” has been denatured, one should not forget that the hacker culture has changed for the worse as well. Mercenary more than terrorist, perhaps, but the deeds make the man, and my sadness is better spent on society as a whole than on one expression evolved past its original intent.

Dosbatch • April 5, 2017 8:41 AM

This is most reminiscent of how I used to reset BIOS passwords using a properly formed paperclip inserted through vent slots in certain PCs. It's all about hitting the right pins. (Not foul play, by the way -- fixing those computers was my job, but some users use the case keylock and I didn't want to pry it apart.)

Scott Lewis • April 5, 2017 8:51 AM

@Bob (1 not Bob 2) - probably not just you, there's got to be another. But yeah I think you're in the minority.

Also, while I suspect the number one use case of this would be theft, a systematic wide attack of 100 ATMs overnight or maybe more might just get the network pulled, disrupting banking (there's hardly any remaining live consumer banking and they are not equipped for the scenario where a large swathe of ATM users suddenly need to come inside for a while).

This could merely be a movie plot, or it could be an interesting form of financial manipulation, domestic terrorism, etc.

If I was a senior executive at a bank and found out I had five thousand machines that could be robbed, and then I woke up and it happened at 50 spots, I might just shut it down and pull the cash out for a while.

Z.Lozinski • April 5, 2017 8:58 AM

There are several elements that make up "expensive".

The design of the engineering change (EC) to the ATM. This could be a drill-resistant plate inside the ATM chassis. Or a tamper-resistant box to surround the electronics, with an intrusion alarm.

The manufacturing cost of the new parts for every ATM in service. It is a commercial, very low volume product with special requirements, so USD 10K per unit.

If you are re-designing the ATM to include inter-module authentication, that is a new product and new software will be required. If you are going to re-implement, you will want a "secure-by-design" platform, so plan on an additional USD 10M.

The cost of testing the new ATM.

The cost of physically deploying the EC to every ATM in the field. Train staff to do the installation. Ship the EC to the maintenance company. Say USD 50 to 250 per unit. (Depends on how big/heavy/bulky it ends up.) Plan on a truck-roll to every affected site, costing say USD 600-1000 per visit. (These are the costs for an engineer to do a simple site visit that are used in telecoms.) Plus the two bank staff to supervise. Add USD 500 per site.

1000 ATMs in a country. That is about USD 11 Million.

Who is going to pay this multi-million dollar bill? The bank? The vendor? The insurance company? And of course, this relies on the vendor still being in business.

I'm not saying it shouldn't be done, just pointing out the practicalities of servicing and supporting legacy technology in the field. And yes, a single engineer could do this much more cheaply. But banks buy from large suppliers because that is a form of insurance in itself.

What it shows is that legacy products that are security critical are a real point of vulnerability if there is no-one maintaining them. (Back to Bruce's point about the issues we will see with IoT devices ...)

Wael • April 5, 2017 9:06 AM

Sounds like an insider attack or assisted by insider knowledge. Could also be a reverse engineering effort on an old ATM that the thief obtained just like Kaspersky was able to obtain one. Newer machines do have "authentication modules" and most ATMs in the US are under direct or indirect camera surveillance.

Thoth • April 5, 2017 9:14 AM

@Z.Lozinski

How to build an ATM?

You just get a metallic case that resists drilling in certain areas, networking units, firewall unit, a traditional CPU, touchscreen or normal screen depending on customer, power unit, EMV payment terminal unit including card reader and PIN pad, additional buttons for non-EMV option entry, printer for receipts, cash dispensing unit and probably a small camera to record the events.

Each part is usually purchased from separate suppliers and the company building ATMs would then assemble them and load their own software and firmware so that the Windows XP OS in the CPU would boot to the ATM software by default. Some basic tamper detection like opening the unit's door to access the components would typically be available and once tamper is detected, it would just shutdown or even wipe the system depending on the severity and settings. Tamper switches in the form of pressure switches on the door are the main form factor.

Typically all components are supposed to communicate with each other in encrypted format (i.e. CPU to printer for printing amount should be encrypted) but the problem is the easy way out (since nobody in the banks would bother to assert) would be to leave it out. The assumption is the metal is thick enough that drilling would be obvious and detectable and bystanders and passersby would immediately call the help line.

Just to cut cost and get product to market fast, security is always the second class citizen. It is the ill of the ITSEC industry that never dies.

Tatütata • April 5, 2017 9:17 AM

I suppose that the crooks studied an ATM that had been acquired in a more "classical" way, i.e., torn from the wall with a backhoe "borrowed" from an adjacent construction site.

This method combines brains (electronics and surgery skills) and a wee little bit of brawn (the drilling).

In the brawnier methods there was/is an epidemic of ATM thefts in Europe whereby a hydrocarbon is injected into the machine through an opening and ignited. Very dangerous, and not very effective. The booth is either completely destroyed, together with the eardrums of the idiot, or not powerful enough.

Somehow reminds me of a story I heard from a relative about an acquaintance of an acquaintance of hers who was cheating the power company back in the 50s. He had pierced a very discreet hole in the cover of the meter (a European-style sheet-metal casing, not the US all-glass one) and inserted a small hook to stop the Ferranti wheel from spinning. He would have been busted when the meter reader came by when the hook was still inserted.

vas pup • April 5, 2017 9:34 AM

Good example when crooks found the weakest link in ATM security and utilized it using their brain (with twisted morality) power and imagination.

WhatDidYouExpect • April 5, 2017 10:17 AM

The banks probably don't care. They want to eliminate all existing card activated ATMs, and move to new machines using NFC (near field communications) technology. This way the lost, stolen, or damaged ATMs can be written off as expenses.

With the old card activated ATMs, you must insert a card to extract cash.

With the new NFC versions, anyone with a smart phone, tablet, or computer equipped with NFC, can activate the ATM to extract cash.

Databases are being broken into all over the network. Financial data is being stolen. In particular, sufficient credentials for NFC access to the new ATMs can be used by anyone to drain an account.

I asked if my ATM (debit card in particular) credentials could be locked from being used for NFC access (no smart phone). I was told no.

I was told that NFC access via smart phones will be more secure. However, if credentials are stolen from a compromised database (and they all can be compromised), then the new machines present a bigger problem.

The only thing I did not determine is if the transactions will still be logged in the ATM and transmitted/processed overnight, as is done today with debit card access. I doubt if it will be real-time access.

Bob • April 5, 2017 10:48 AM

@Tim @david @Bob @Pat @Scott

To make it more clear, I repeat, it's not about the original hacker culture or the difference between hacker and cracker. It's not about a definition or what hacker means and the thing it meant years ago. As I said, it's about what it sounds like. It's about what it feels like, to me when they say "hacker" it feels like "terrorist", it feels like FUD.

A side note, I don't think the hacker culture has changed for the worse, it has grown and diversified. It's sad that the majority identifies as hackers no more than the worst of hacker culture. But it is sad, to me at least, not necessarily wrong.

Dirk Praet • April 5, 2017 11:26 AM

Cool attack indeed, and since no one gets hurt and no customers are directly affected, I'm not even classifying this as a crime 8-)

@ Thoth, @ WhatDidYouExpect

Just to cut cost and get product to market fast, security is always the second class citizen. It is the ill of the ITSEC industry that never dies.

What is your take on machines with NFC technology? A couple of weeks ago, I totally freaked out when the barkeep at the local pub pulled out a new pay terminal that could take up to 20 euro from my card without me even typing in the pin code. All of my cards are now in a small RF-shielding case.

Z.Lozinski • April 5, 2017 12:54 PM

@Thoth,

Yes, I get that. And certainly the new generation of ATMs are built this way.

How many of the older ATMs are still in service, I wonder?

Doesn't affect the analysis of the costs to do a fix or update.

HiTechHiTouch • April 5, 2017 1:37 PM

Speaking of NFC, is any deployed in the US? We just finished a massive re-issue of cards containing chips. Was NFC included on any?

Nick P • April 5, 2017 1:54 PM

@ Dirk Praet

"What is your take on machines with NFC technology? "

If it's a nation state, then it's a flashlight shining on your secrets to make EMSEC attacks that much easier. If it's malware, they now can hit you without a physical link when you're merely in proximity to one of many, vulnerable machines. They might do this to go after your money or cause enough faults to make bank disable your access to it. If on user side, it will normally increase convenience while maybe screwing up or costing suppliers more due to increased complexity.

The Chip and PIN deployment over here in U.S. is painful enough for customers that wireless might become a convenience option. That three screwups lead to swipe fall-back is interesting in and of itself for its alleged security. I do miss swiping a card at Subway. They did get hacked at some point but their card processing always took one second or less from swipe with no extra buttons pressed. So simple and fast. :) So gone. :(

r • April 5, 2017 1:58 PM

@Z.Lozinski,

That's sort of what i meant by "expensive", obviously these are not safe (or safe) engineers or engineering practices that are being used. Unfortunately it largely appears that much of the attacks against such things are quite literally 'left for the imagination' and future transgressions, anyways being able to write off such losses to insurance as billable in any form is a hole in and of itself.

Specifically, in response to the 1÷2 reference you make to observational practices, I'm documenting here (and now) at least one instance of a stand-alone credit union kiosk being blanketed (tarped) by a soloist in a white van.

There's a million recommendations, very few are actually followed.

@Wael,

If you follow Krebs at all you'll note that (@My Info's oft alluded) the 'Mafia' have much of the same procurement processes as mentioned in one of Robert Graham's regarding the CIA and Huawei technologies. ;-)

It's a feisty network, building block[s].

ab praeceptis • April 5, 2017 4:06 PM

What's all the fuss about? That ATM disaster is just yet another example of a "smart security marketing strategy" driven industry (and utter lack of reason and proper engineering).

trsm.mckay • April 5, 2017 6:41 PM

Attacks against the cash dispenser component of the ATM are hardly new (I recall a story from the 1970's about using a popsicle stick to trigger a bug that re-dispensed the cash). Attacks against internal communication cables are also well known, this is what caused the CCISP (later PCI) to require a "PED". Crooks would tap the cable between the keyboard and the crypto card, so by the early 2000's the card organizations required the keyboard and crypto be placed in the same tamper-evident PIN-Encrypting-Device HW device (the PED is the "PIN pad" mentioned in the Wired story).

So what is new about this attack? Without knowing any inside information, guessing the factors are a combination of poor internal security (cash dispenser without real crypto), physical security issues (ability to drill and access cable), and outside attackers (some expectation that they only had to secure components inside the case against insider attacks).

I am a little surprised by the cash dispenser weakness, as it has a separate layer of security (for obvious reasons, normally you can think of the cash dispenser as its own little safe). Note the details of this attack also open up an insider attack vector as well. Guess it is a combination of inertia and the consideration that the "serious crypto" is done elsewhere (in the PED).

@Z.Lozinski

Nice list of the expenses to any modification of deployed ATMs. Might quibble with the numbers a bit, but I think you mentioned the significant expenses (many people don't realize the overhead costs of managing a fleet of ATMs).


@WhatDidYouExpect

While it is true that Banks can tolerate some amount of fraud and theft (just look at the slow reaction to credit card fraud over the years), the rest of your post makes no sense. Just the most obvious contradiction - this attack would still work with a NFC-only ATM.

Thoth • April 5, 2017 7:33 PM

@NFC et. al.

What is NFC? NFC is Near Field Communication and it is a class of contactless payment options over ISO-14443 protocol originally designed for smart cards with contactless payment options.

The NFC protocol's physical layer uses RFID technology which is magnetic induction to transmit data from the reader to the card over 4 cm in distance in a typical contactless payment scenario.

The original targets were tamper resisting smart cards to be used with NFC but due to the latest Host-Card Emulation technology with the likes of Samsung and Apple Pay, as the name suggests, they emulate a contactless smart card but lack the strict security features of a CC EAL 5+ tamper resisting smart card typical for banking purposes. All that is required is for the NFC controller within the phone to generate the same magnetic induction and use the ISO-14443 protocol and you have an emulation of the smart card running in contactless mode.

When security developers and engineers like myself look at a smart card to develop applets for them (not just smart cards but NFC and HCE based solutions) for commercial and non-commercial use, we have to look at the host platform and the "logical channel" protocol for the NFC to take place.

On the host platform layer, we have to assert the security of the device if it is a smart card or NFC emulating device like a Samsung or Apple phone or some other NFC and HCE capable phones. Due to smartphones not being designed to have the same rigid security and tamper resistance as smart cards, they are always flagged as lower security and the payment industry has recognised the fact that replacing smart cards with phones capable of NFC and HCE will degrade security but due to the attraction of more uptake and usage, they have reasoned and lowered the level of security, which I myself have attempted to warn against to no avail.

Now the protocol layer, also called the "logical channel" layer in smart card terms, is whether the card to reader or payment terminal to payment device is encrypted and secured. EMV payment requires the use of 3DES based encryption and MAC of sensitive payment data but as you can see, if the 3DES keys are not stored in tamper resisting smart cards but in phones, it becomes an easier target to obtain the keys and thus the HCE technology comes in, which is a bunch of One Time payment tokens generated by banks and loaded into customer phones. Samsung's Samsung Pay has been shown to not provide enough encryption and security of the HCE payment tokens and to be susceptible to replay attacks with the tokens given too long of a lifespan which allows enough time to drain an account.

In fact, I have actively been giving source codes in smart card forums on how to establish E2E secured channels for payment protocols for cards which has stronger properties than the partial secured properties of EMV protocol but I guess industry standards will always be industry standards ... being purely crap on security. I have also given free source codes in smart card forums to disable ISO-14443 contactless mode and encourage the disabling of the contactless from the card applet but due to NFC being the cool feature, why would anyone bother to disable the contactless option?

For me, my debit card is ISO-14443 capable and I have politely asked the bank if they can disable contactless on the card but the answer is no when technically it can be done from the software applet. I have refrained from using cards for purchase and stick to cash as much as possible and only use the debit card to withdraw cash from the ATM. So the answer is no NFC payment via my personal payment card. The only NFC payment is via mandatory transit ticketing, which the good thing is I did not bother to tie the transit card to the NFC enabled debit card, otherwise the payment will become much easier to track.

There are those of you who are tempted to drill away the NFC chip in the card. Before you do that you have to consider the legality of the practice. It may be OK for USA but it may not be OK for Singapore due to legal issues.

Before you drill at the chip, you have to check if the card is using a single chip that handles both contact and contactless, in which case you cannot drill the chip since both functions are within the same chip. If it is a dual-chip card where it uses one chip for contact and one for contactless, drill the contactless. If you really want to drill the chip but it is a single chip design for your card, just drill on the antenna inlay for the card but that may not 100% guarantee destruction of NFC because the single purpose chip itself may have a chip level antenna on the IC chip for the card and it still would be able to process but at a much closer distance (almost directly touching the reader).

trsm.mckay • April 5, 2017 8:41 PM

@Thoth
Each part are usually purchased from separate suppliers and the company building ATMs would then assemble them... Typically all components are suppose to communicate with each other in encrypted format (i.e. CPU to printer for printing amount should be encrypted)...

This could happen now, but it is certainly not the historic method. Starting around the 80's ATMs were mostly built as embedded systems using classic "IBM PC" compatible technology. The crypto was done either on the main CPU, or on an expansion card (remember ISA and MCA bus) for those customers who had security mandates. There were various cables (mostly serial) that would connect the various components (keyboard, printer, display, cash dispenser, etc.). That was largely the environment when the PED requirements were introduced, with a goal of securing the connection between the keypad and the crypto).

The ATM market used to have two primary tiers (at least in US and Europe), banks and independent servicers. The banks used heavy and expensive ATMs (ala Diebold, NCR), while the servicers used cheaper ATMs (which often had security shortcuts). Won't recap the sordid story of banking regulations prior to PCI, but let's just say there was a mess (mismatched impacts of poor security) which only became somewhat more standardized when card organizations started flexing their power in the early 2000s. The PED requirement from PCI (etc.) was an important transition milestone in near-universal requirements for ATMs and POS terminals.

Going from an embedded system with a collection of peripherals to something like Thoth mentions might make sense for new ATM manufacturers, but there is a lot of inertia. Conservative customers are not willing to pay extra for security beyond the minimum required, and have a costly built-in discouragement from upgrading (truck-roll + installation + management/personnel overhead). A bank may be willing to upgrade for a fancy touch screen where customers can be upsold on new services (more revenue), but upgrades won't happen for some theoretical security goodness.

At the same time, expertise in crypto became (even more) scarce at ATM manufacturers. In effect the sophisticated crypto is outsourced to the PED (it is the unit that has to meet all the specific banking crypto requirements). Crypto for the other peripherals, if it exists at all, is a second class citizen. The crypto HW in these other parts lack the crypto-specific physical and logical protections of the PED. Certainly a system designer would not trust a high value key to a mere peripheral like a printer. It is also why Thoth's suggestion of each peripheral doing crypto might not be as acceptable or as standardized as you might expect (though certainly the trend toward cheaper IOT engines make it more possible, albeit not at the PED level of security).

The potential exception to this is the cash dispenser, which has its own security boundary. Traditionally these had physical security measures (think portable safe), but one would hope that logical security protections would be included too. Poor logical security would allow an insider to bypass the physical protections. For a whole bunch of reasons (even if I did not know of this particular attack), as a designer I would seek to have the cash dispenser with PED levels of crypto security. But it would not be cheap, adding to both cost-of-goods, and OPEX (crypto provisioning and maintenance).

Without the details, we don't know how old the ATMs being attacked are, and what markets they are targeted for. But one thing probably has not changed in the industry, which is many manufacturers would not develop strong security in this area unless there was a clear requirement (either customer demand, or a security standard). In the absence of those requirements, it would not be surprising if (some) ATM manufacturers decided the mitigations were not worth the cost. If this becomes as widespread as the Wired article implies, it looks like they made a very costly mistake.

Thoth • April 5, 2017 9:07 PM

@trsm.mckay

I was referring to modern versions of ATM, specifically those of NCR. If you opened one of those, some of the ingredients include Cisco and Juniper networking equipment inside. So for those who want to disrupt a modern ATM, that bunch of Cisco and Juniper vulnerabilities could be leveraged but it will be harder to penetrate into the payment processing module as usually it is separate ... supposedly.

The ATMs these days in shopping malls and around neighbourhoods look pretty light to me though when I go to the ATMs to withdraw cash. They have certainly lightened them and my superior used to tell me and my colleagues stories of the "good old days" where ATMs and HSMs were literally like safe boxes. Extremely heavy and surrounded by thick metal.

Almost every ATM in Singapore is using the new blinking, shiny, lightweight ATM terminals with COTS parts. The ones I described with Cisco and Juniper equipment are from NCR. It seems banks (foreign and local) are willing to spend the cash to use the latest equipment here and do the upgrades.

Indeed the latest and greatest may not be the best. The crypto part mostly coming from the outsourced payment PED device is all that stands against fraud and misuse. The other COTS parts like the printer, networking firewall and router from Cisco and Juniper wouldn't have the same hardened security as the PED device for accepting PIN codes and cards. Most of the interactions are driven by the CPU to the connecting peripherals and the CPU doesn't need to be that secure since the card details and PIN are handled by the PED. The CPU simply sees some basic status messages and the PED is the one encrypting the message and then handing the messages to the CPU to route through the network to the backend, or the PED may also have its own network interface to do the routing itself as well depending on the setup.

What the PCI and EMV standards can do is to setup a basic inter-module security protocol between printer, CPU, PED, cash dispenser so that the IC chips in the printer and cash dispenser and the CPU can negotiate a secure channel to each other. It will be more expensive but also more secure.

Wael • April 5, 2017 9:07 PM

@Thoth,

been shown to not provide enough encryption and security of the HCE payment tokens and to be susceptible to replay attacks with the tokens given too long of a lifespan which allows enough time to drain an account.

That's factually not true.

Thoth • April 5, 2017 9:33 PM

@Samsung Pay et. al.

Reference Salvador Mendoza's paper:

"If we open the database with Sqlitebrowser program, we can see how Samsung Pay database is designed. The data is “encrypted” using a private function implementing substitution with static passwords. Some of the fields are CC, last four digits of the token, zip code, card name, token id and many more."

So ... that's encryption on a sqlite database containing payment tokens for Samsung Pay?

They gotta do better on the encryption part by at least moving those stuff into Samsung KNOX to hold the encryption key and encryption engine. Oh, and they use @ab praeceptis's favourite OpenSSL :) . Who knows which version of OpenSSL are they using.

Wael • April 5, 2017 9:42 PM

@Thoth,

I'm aware of that report. It has to do with a vulnerability with MST. I'm not at liberty to say more, but the explanation is inaccurate.

Wael • April 5, 2017 9:47 PM

@Thoth,

Data is encrypted based on its classification. Did you know that the token was designed to be public?

Thoth • April 5, 2017 9:50 PM

@Samsung Pay et. al.

The problem was never with MST but with the finer details on security like using static passwords for securing databases containing payment tokens. The very least that could have been done is to provision an encryption key inside KNOX since most of the Samsung phones already have KNOX and to execute the payment and stuff inside KNOX which will prevent reverse engineering to a greater degree in the first place.

Wael • April 5, 2017 10:00 PM

@Thoth,

There are two types of transactions and two types of tokens. You are mixing up two things, and the information you are sharing is plain wrong. Like I said: I can't say more.

Dirk Praet • April 6, 2017 3:39 AM

@ Thoth, @trsm.mckay, @ Wael, @ Nick P.

Re. ATM/NFC

Much obliged for a series of enlightening posts on the subject matter. I'm gonna talk to my bank about this. And find myself an EMF shielding flip cover for my toy smartphone (for the rare occasions I take it outside).

For the terminally paranoid among us (and those wishing to set up a @Clive-style dead tree cave): check out this here site. They seem to have pretty much everything we need, including (-drum roll-) several types of tinfoil hats!

CallMeLateForSupper • April 6, 2017 7:22 AM

@trsm.mckay
"Without the details, we don't know how old the ATM's being attacked are..."

We don't know make & model, but according to the linked article: "Kaspersky’s researchers already had the same model of ATM in their test lab, one that’s been in wide use since the 1990s."

@usual suspects
"[Kaspersky’s researchers] removed [ATM's] front panel to find a serial port that would have been accessible from the thieves’ hole."

Serial port. Again. A year or two ago Brian Krebs wrote about attacks on ... POS terminals? safes? ... in so-called convenience stores. Like this attack on ATMs, those attacks also leveraged an accessible serial port (though to unlock the locked device IIRC).

Just me • April 6, 2017 11:01 PM

I worked for a major ATM manufacturer over 20 years ago now. Even then, we used a salted triple-DES MAC on commands to the cash dispenser. Back then our wire between modules was a simple multi-drop RS485 connection - just one giant bus, and it had been that way for the previous 20 years. Whoever did this must have had access to an actual machine to determine what commands to send in addition to knowing where to drill a hole. Not saying the non-cheap ATMs are impregnable, but these machines must be pretty simplistic.

Back then the UL test for the safe required that someone be able to on it for 10 minutes with a sledge hammer without being able to get in. Just long enough for the police to come when the alarm was triggered. There were seismic alarms, heat alarms, etc.

The UL guys never got in, and I wouldn't have but my safe designer colleagues said it could be opened if you knew where and how to hit it.
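The two comments above (trsm.mckay's point that a cash dispenser needs logical protection and not just a steel box, and "Just me"'s description of a salted triple-DES MAC on every dispenser command) describe the same mitigation: the dispenser should only honour commands it can verify came from the host, and should refuse replays of frames captured off the bus. The following Python is an added illustration of that idea, not code from the original page or from any ATM vendor; it substitutes a truncated HMAC-SHA256 for the 3DES MAC mentioned, uses a monotonically increasing counter as the "salt", and models a legacy dispenser beside an authenticated one so the difference in behaviour is visible. The key, frame layout and command code are all constructed for the demo.

```python
import hashlib
import hmac
import struct

# Constructed demo key. In a real ATM this would be provisioned into the
# dispenser's own secure hardware during key loading, never embedded in
# host software.
DEMO_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")

CMD_DISPENSE = 0x01          # hypothetical command code for this demo
BODY_FMT = ">IBI"            # counter (4 bytes) | command (1) | amount (4)
BODY_LEN = struct.calcsize(BODY_FMT)
MAC_LEN = 16                 # truncated HMAC-SHA256 tag


def mac_for(key: bytes, body: bytes) -> bytes:
    """HMAC-SHA256 stands in here for the 3DES MAC the comment describes."""
    return hmac.new(key, body, hashlib.sha256).digest()[:MAC_LEN]


def build_command(key: bytes, counter: int, cmd: int, amount: int) -> bytes:
    """Frame the host puts on the bus: body || MAC(body).

    The strictly increasing counter makes every frame unique, so a frame
    captured off the wire cannot simply be sent again."""
    body = struct.pack(BODY_FMT, counter, cmd, amount)
    return body + mac_for(key, body)


class LegacyDispenser:
    """Dispenser with no logical security: any well-formed frame that
    arrives on the (tappable) serial bus is obeyed."""

    def __init__(self):
        self.dispensed = 0

    def receive(self, frame: bytes) -> str:
        if len(frame) != BODY_LEN + MAC_LEN:
            return "reject: malformed"
        _counter, cmd, amount = struct.unpack(BODY_FMT, frame[:BODY_LEN])
        if cmd != CMD_DISPENSE:
            return "reject: unknown command"
        self.dispensed += amount
        return "ok"


class AuthenticatedDispenser:
    """Dispenser sharing a key with the host; enforces MAC validity and
    a strictly increasing counter before acting on anything."""

    def __init__(self, key: bytes):
        self._key = key
        self._last_counter = 0
        self.dispensed = 0

    def receive(self, frame: bytes) -> str:
        if len(frame) != BODY_LEN + MAC_LEN:
            return "reject: malformed"
        body, tag = frame[:BODY_LEN], frame[BODY_LEN:]
        # Verify in constant time before parsing any field.
        if not hmac.compare_digest(tag, mac_for(self._key, body)):
            return "reject: bad mac"
        counter, cmd, amount = struct.unpack(BODY_FMT, body)
        if counter <= self._last_counter:
            return "reject: replay"
        self._last_counter = counter
        if cmd != CMD_DISPENSE:
            return "reject: unknown command"
        self.dispensed += amount
        return "ok"


def demo() -> dict:
    """Runs three on-the-wire scenarios against both dispenser models and
    returns what each one did: a genuine frame, that frame replayed, a
    frame built without the key, and the genuine frame with its amount
    field altered in transit (all constructed for the demo)."""
    genuine = build_command(DEMO_KEY, 1, CMD_DISPENSE, 100)
    no_key = build_command(b"device-without-the-key", 2, CMD_DISPENSE, 500)
    tampered = bytearray(genuine)
    tampered[5:9] = struct.pack(">I", 9999)   # overwrite the amount field

    legacy = LegacyDispenser()
    auth = AuthenticatedDispenser(DEMO_KEY)
    return {
        "legacy_no_key": legacy.receive(no_key),
        "legacy_dispensed": legacy.dispensed,
        "auth_genuine": auth.receive(genuine),
        "auth_replay": auth.receive(genuine),
        "auth_no_key": auth.receive(no_key),
        "auth_tampered": auth.receive(bytes(tampered)),
        "auth_dispensed": auth.dispensed,
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The legacy model pays out on the unauthenticated frame because it has nothing to check; the authenticated model pays out exactly once, on the genuine frame, and rejects the replay, the keyless frame and the altered amount. The counter check is what turns a plain MAC into the "salted" scheme the comment describes; without it a captured valid frame would still be honoured every time it was resent.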

Rachel TApril 7, 2017 1:52 AM

@ Dirk Praet
RE NFC

cc: Wael, Nick P, Thoth

Thanks for comments, all. Dirk, in the country I am in, the chip in the card is an improvement on the mag swipe, unconnected with NFC.
The NFC is known as 'paywave', and is formed by an antenna looping around the outside of the card (inside the plastic). So, contrary to popular belief, damaging the chip does not affect the paywave. Thoth, I know you were commenting about this. I did ask my bank for a non-paywave card; they obliged, however it did not include a chip either. So, improving security in one direction: downgraded in another!

From what I can ascertain and from attacks in the wild, data in transit is the main concern, as opposed to data at rest (the card in one's wallet). This being someone standing close by whilst one is using the point of sale terminal (EFTPOS or whatever it's called in the respective country). Point of Sale terminal cables are not shielded, or they use vulnerable Bluetooth or wifi.
Okay, I know this has been discussed elsewhere on this forum and I happen to have gone through the archives on this topic. 'Clive Robinson magnitude' (tm) attacks notwithstanding (he reported his experiments amplifying NFC to 3 kilometres away or so), actors scanning RFID data from the card can supposedly be stopped by the RFID protector case. They don't necessarily work as advertised, buyer beware, although the solid metal flip cases (a bit like an old style cigarette case) do work, as demonstrated by Paolo 'I can't remember his surname, friends with Samy Kamkar' on YouTube. He pulls people out of the audience, reads their credit card numbers with his RFID scanner, then gives them a steel case and demonstrates its utility.

In the country I am, people complain about pulling out their card to do a manual swipe or chip insert, and the NFC going off automatically when the card is inches from their wallet. Short of not owning such a card, which is difficult, and short of disabling it manually which is not advised unless it is lawful and reliable, and doesn't make a mess of your card, the only mitigation I can think of is to do manual withdrawals of cash whenever possible, and keep the card stored in the aforementioned hard case, and avoid EFTPOS as a rule.

Does anyone know about the magnitude of vulnerabilities in RFID tech in passports, data being stolen from them in the wild, etc? It would be good to know the scope of such vulnerability and how to mitigate it. They hand out these things but don't exactly advise on safeguards, or even what data is stored on them.

There is also the following Mag Spoof by Samy
https://www.youtube.com/watch?v=UHSFf0Lz1qc

Dirk PraetApril 7, 2017 4:24 AM

@ Rachel T, @ Wael, @ Nick P, @ Thoth et al

Short of not owning such a card, which is difficult, and short of disabling it manually which is not advised unless it is lawful and reliable, and doesn't make a mess of your card, the only mitigation I can think of is to do manual withdrawals of cash whenever possible, and keep the card stored in the aforementioned hard case, and avoid EFTPOS as a rule.

I called my bank and they told me the NFC card feature could be disabled in my online account settings. The way it works is that you can use it for payments up to 25 euro with a limit of 50. It's reset every time you make a payment with pin code or when you withdraw cash (with pin code) from an ATM. On the upside, there's plenty of quite affordable RF-shielding card cases and wallets available. As NFC technology seems to be becoming ubiquitous, I suggest now is a good time to dump your old wallet and get a new one. Just don't forget to test the thing as I can easily imagine a significant percentage of all those anti-RF thingies are probably just snake oil.
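
Dirk's description of how his bank limits contactless use (25 euro per tap, 50 euro cumulative, reset by any PIN-verified purchase or withdrawal, switchable off from online banking) is a small policy that can be written out. The following is an added example modelling that policy, not Dirk's bank's code: the thresholds are the ones in his comment, while the API, the amounts in cents and the `pin_verified` flag are assumptions made for the example.

```python
# Added example: the contactless spending policy described in the comment,
# modelled as an offline counter. Thresholds come from the comment; the
# method names, cents and flags are constructed for this example.
from dataclasses import dataclass


@dataclass
class ContactlessPolicy:
    per_tx_limit: int = 2500       # 25 euro per contactless tap, in cents
    cumulative_limit: int = 5000   # 50 euro since the last PIN-verified transaction
    enabled: bool = True           # cardholder can switch NFC off in online banking
    spent_since_pin: int = 0       # running contactless total (the reset counter)

    def authorize(self, amount: int, contactless: bool, pin_verified: bool) -> str:
        """Returns 'approve', 'approve+reset' or 'decline:<reason>'."""
        if amount <= 0:
            return "decline:bad-amount"
        if pin_verified:
            # Chip-and-PIN purchase or PIN-verified ATM withdrawal: the
            # cardholder is present, so the offline counter starts over.
            self.spent_since_pin = 0
            return "approve+reset"
        if not contactless:
            return "decline:pin-required"
        if not self.enabled:
            return "decline:nfc-disabled"
        if amount > self.per_tx_limit:
            return "decline:per-tx-limit"
        if self.spent_since_pin + amount > self.cumulative_limit:
            # Cap reached: the terminal must fall back to a PIN transaction
            return "decline:cumulative-limit"
        self.spent_since_pin += amount
        return "approve"


def demo():
    """Three 20 euro taps, a 10 euro PIN purchase, then a 20 and a 30 euro tap."""
    card = ContactlessPolicy()
    taps = [(2000, True, False), (2000, True, False), (2000, True, False),
            (1000, True, True), (2000, True, False), (3000, True, False)]
    return [card.authorize(a, c, p) for a, c, p in taps]
```

The third tap is refused because the running total would pass 50 euro, and the PIN purchase that follows clears the counter so the next tap goes through.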

TatütataApril 7, 2017 7:32 AM

@Thoth:

There are those of you who are tempted to drill away the NFC chip in the card.

Why should you attempt to target the chip itself, when breaking the inductive loop at any point near the periphery would seem to be sufficient?

Hopefully killing the NFC that way won't kill anything else.

I was recently issued one of these newfangled RFID-passports. As the lady handed me back my invalidated previous title which was all soggy and worn from having been in my pocket for so many years, she warned me sternly that I should take extra care of the new one, as the RFID is fragile and its failure renders the passport invalid. It's actually written in the regulations. Cr*p.

ThothApril 7, 2017 11:07 AM

@Tatütata

Re-read my previous mention of NFC in detail again.

Just for the TL;DR ...

"If it is a dual-chip card where it uses one chip for contact and one for contactless, drill the contactless. If you really want to drill the chip but it is a single chip design for your card, just drill on the antenna inlay for the card but that may not 100% guarantee destruction of NFC because the single purpose chip itself may have chip level antenna on the IC chip for card and it still would be able to process but at a much closer distance (almost directly touching the reader)."

In essence, the NFC form factor in smart cards comes in a few flavours. The "Dual Interface IC with chip level antenna" variant is where you have a single IC chip that handles both contact and contactless and, on top of having a contactless controller built right into the IC chip, it also has internal antennas WITHIN THE IC CHIP itself. This is the most dangerous type, where drilling the external antenna is no use. I personally own a stack of such chip cards in the Infineon SLE78 variant, more accurately the SLE78CLFX4000PM model of the SLE78 smart card chip. The SLE78CLFX4000PM chip includes contact, contactless and an in-built antenna inside the IC chip, so that in the event you break the external inlay, you just need to bring the card closer to the reader and it still works. In fact, my cards with this model of chip, which I use for prototyping my smart card applets, do not even have external inlays and solely rely on the SLE78CLFX4000PM's IC chip internal antenna.

The dual-chip variant of the configuration is for one chip to be contact and one to be contactless. Again, the problem is whether the contactless chip has internal antennas. If you were to cut the external antenna but don't get rid of the internal antenna, it is still a waste of effort.


Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.