
Cash machines robbed with infected USB sticks - joosters
http://www.bbc.co.uk/news/technology-25550512
======
ketralnis
This is surprisingly easy. Look for the defcon talk "atm jackpotting".

The summary is that there are only a few vendors of ATMs and ATM software.
They often have a tubular lock with a small number of lock combinations. You
open it, and there's the main board. USB (some with auto-play still enabled),
CF card (main storage), everything. Plug in what you want. Some insist on
code-signing of the CF card to boot, but it can be bypassed.

Often they are exposed to the internet, and as of the talk at least one vendor
had a pre-login vulnerability to an internet-exposed port (which the speaker
reported, so that particular one is probably fixed now, but goodness knows if
the sites in the real world are patched).

Once you have your code running, it's game over. Open the cash drawer, record
stripe data (and phone it to yourself whenever you like), rootkit the device
to make yourself undetectable.

He bought several ATMs of the most popular model to experiment, right off the
internet, some from the vendors themselves. Nobody questioned him.

Watch the talk, it was great.

~~~
SeparateWolf
Whatever happened to Barnaby Jack? I know he was found dead in his SF
apartment sometime after this DefCon talk.

Port 18456 is the port, BTW. If you do a masscan sweep you'll find a ton of
them facing the internet...

I don't think he ever released his exploit or scrooge rootkit.

~~~
coldtea
Hmm, just read on this Jack guy. What was that thing? He was 35 years old and
wasn't sick or obese.

Now, for people who believe in the generally good nature of states (and/or
Santa) this might not even raise an eyebrow, but for people who have read
their history, well...

------
bastawhiz
So a lot of things clearly came together here:

1. The attackers knew there was a USB port on these devices that would
auto-play, or at least trigger the auto-play dialog.

2. The attackers knew all of the software internals of the machines before
they started. You don't just write code that works with any old ATM software.

3. The article stated that 'the organisers displayed "profound knowledge of
the target ATMs"'. "Profound knowledge" seems to be an understatement. That's
the kind of knowledge that you get when you work for a company that designs
and builds ATMs.

Really, I don't see this as anything more than something to chuckle at. It's
like if a restaurant was robbed by someone that knew the code for the back
door and that a spare key to the safe was taped to the underside of the desk
in the back room. If you know what you're doing, of _course_ you can break in.

~~~
walshemj
So why in the name of "bruce" was an ATM ever shipped with a USB port in the
first place? The firmware update process should be locked down.

What needs to happen is that all the executives of the ATM company and the
bank concerned (going back 15 years or so) need to be banned for life from
ever being directors and from ever working in the finance industry.

~~~
bronson
USB port or no, once you have physical access to the internal electronics then
the game is over. It seems to me the failure was using materials that could be
quickly breached and then patched.

Do you have unique experience to justify your vitriol?

~~~
TacticalCoder
"once you have physical access to the internal electronics then the game is
over"

Come on... Someone used an X-acto knife to plug a USB stick into a PC
configured to auto-play it and we should take it as proof that "physical
access to the internal electronics then the game is over"?

Companies like Brinks are using special sprays that render bills unusable in
case someone tries to break into the safes, if I'm not mistaken.

What about an ATM where any attempt at opening it to physically access the
internal electronics would result in the ATM bricking and all the bills
getting instantly sprayed so as to render them unusable?

What about spraying the bills and rendering them unusable in case the ATM is
powered down, and making it impossible to install new software without powering
the machine down? (So that when you come with your new hard disk and access the
internals to plug it in, you're SOL.) This would even have the benefit of
rendering attacks of the type "I come with a truck and steal the part of the
wall that contains the ATM" impractical (yes, people have done these).

And where the only way to prevent that, for example during legitimate
maintenance, would be to first enter a token generated by the ATM company and
communicated to the (legit) employee doing the maintenance when he's working
on the machine?

I've never worked on ATMs and I'm sure it shows, but that's not the point.

Honestly I find it quite sad that simply plugging in a USB stick allows
someone to steal money from the machine.

I find it also very sad that several people here consider that "nothing can be
done against a rogue employee" or that "nothing can be done if you have
physical access to the internal electronics".

And I do honestly hope that people working on ATMs will start thinking about
how to better secure their ATMs and which kind of trust systems can be put in
place so that rogue employees (and other thieves) have a much harder time
attacking ATMs.

"It seems to me the failure was using materials that could be quickly breached
and then patched."

That is just _one_ failure. The attacker exploited several holes and the
answer from ATM companies should be more complex than just putting duct tape
on one of the holes.

~~~
mmicn
With regards to the "spraying of bills", the bills themselves are usually in a
safe, which is separated from the electronics (computer & peripherals). But I
do agree that when a machine is breached it should halt immediately. Having
said that, financial institutions are not going to take this route for a
variety of reasons, one of which is just general maintenance. If the case is
breached, do you suspect that the intruders had access to everything? If so
you would need to brick the entire device, to prevent any data from leaking
back to the intruders.

Your suggestion with regards to maintenance is indeed a valid one, but again
the increase in cost is simply too big. Most financial institutions in my
country and region (Western Europe) actually see ATMs purely as a cost, and
install them simply because they want customers to get a hold of their money.
It is that simple. So why would they increase the costs?

I think, and I don't want to start any flamewars or anything, that
reconsidering the use of Windows in its current form is a valid route. If you
were to start from an extremely limited & stripped down version, sure, but not
in the way companies are currently using it (for those that might wonder, yes,
full installs of Windows happen all the time).

Anyway, I'm glad this is in the open. The more people talk about it, the more
things will change.

~~~
lucaspiller
> With regards to the "spraying of bills", the bills themselves are usually in
> a safe, which is separated from the electronics (computer & peripherals).

I used to work in a supermarket with the 'self service' checkouts. The cash
dispenser internals look to be exactly the same as that in basic ATMs [0].
Without going into too many details, in our case the security was minimal and
there was no tamper proofing. If you really wanted to get inside it wouldn't
have been particularly hard. ATMs may be different as they are slightly more
portable than a checkout though :)

[0] [http://gadgets.boingboing.net/2009/05/11/this-picture-of-an-a.html](http://gadgets.boingboing.net/2009/05/11/this-picture-of-an-a.html)

~~~
wil421
Basic ATMs found in gas stations and liquor stores are different. All the ATMs
in big banks have a safe at the bottom that houses the cash, made of 1/4 inch
or so steel plates.

------
rhblake
The actual talk, "Electronic Bank Robberies - Stealing Money from ATMs with
Malware", from 30C3 a few days ago:
[http://media.ccc.de/browse/congress/2013/30C3_-_5476_-_en_-_saal_2_-_201312271600_-_electronic_bank_robberies_-_tw_-_sb.html](http://media.ccc.de/browse/congress/2013/30C3_-_5476_-_en_-_saal_2_-_201312271600_-_electronic_bank_robberies_-_tw_-_sb.html)

------
tony_mono
I have about a year of industry knowledge working with ATMs. NCR and Diebold
hold a huge portion of the North American ATM market and likely European too.
All of the NCR and Diebold machines I worked on were running locked down
Windows XP as of a couple of years ago. The PC hardware is fairly standard.
Most of the peripherals like cash dispensers connect via USB to the PC in the
ATM.

I haven't had a chance to look at the exploit but I'd assume it didn't
necessarily use auto-play. The OS images that are loaded on these machines are
highly customized and would likely prevent auto-loading a USB driver. However,
either it auto-loaded or they exploited some other USB bug in Windows.

Once they could load code then they would have been able to manipulate the
cash dispenser using an XFS app[0]. This would let them dispense bills from
the safe to the customer-facing throat. However, once the machine was
restocked the bill counts would be off and the bank's backend should detect the
tampering.

Based on the story it sounds like they were able to load code into the banking
application to allow activating their hack from the PIN pad. To me that seems
to indicate either a former engineer of NCR/Diebold or someone who got their
hands on a used ATM and spent a lot of time reverse engineering the
application software and chassis.

I've also made the assumption that this was done on a free-standing ATM[1].
Wall mount ATMs that you see at most banks are mostly behind the wall and
would be extremely difficult to get access to a USB port.

[0] [http://en.wikipedia.org/wiki/CEN/XFS](http://en.wikipedia.org/wiki/CEN/XFS)

[1] [http://www.diebold.com/products-services/atm-self-service/terminals/full-function-cash-dispenser/Pages/522-lobby.aspx](http://www.diebold.com/products-services/atm-self-service/terminals/full-function-cash-dispenser/Pages/522-lobby.aspx)
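The backend detection tony_mono describes (bill counts being off after a restock) can be made concrete as a reconciliation check. The following is an added example written for this thread, not code from any ATM vendor or from the commenter; the terminal names, transaction ids, log records and the two-minute matching window are constructed assumptions. It compares the terminal's own dispense records against the host's authorization records, flags dispenses the host never authorized, and separately computes the cash shortfall from the physical count at restock, which still works when malware has suppressed the terminal-side log entirely.

```python
"""Reconcile an ATM's cash-out against host-authorized withdrawals.

Hypothetical defender-side check (not vendor code): compare the terminal's
dispense records with the host's authorization records, and compare the
physical count at restock with what the host expects to remain.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional


@dataclass(frozen=True)
class Dispense:
    """One cash-out recorded by the terminal (e.g. from its dispenser counters)."""
    terminal: str
    when: datetime
    amount: int               # whole currency units
    txn_id: Optional[str]     # host transaction id the terminal attached, if any


@dataclass(frozen=True)
class Authorization:
    """One withdrawal the host (bank backend) actually approved."""
    terminal: str
    when: datetime
    amount: int
    txn_id: str


def unmatched_dispenses(dispenses: List[Dispense], auths: List[Authorization],
                        window: timedelta = timedelta(minutes=2)) -> List[Dispense]:
    """Return dispenses that have no host authorization with the same terminal,
    amount and transaction id within `window` of the dispense time."""
    by_id = {a.txn_id: a for a in auths}
    flagged = []
    for d in dispenses:
        a = by_id.get(d.txn_id) if d.txn_id else None
        matched = (a is not None and a.terminal == d.terminal
                   and a.amount == d.amount and abs(a.when - d.when) <= window)
        if not matched:
            flagged.append(d)
    return flagged


def cassette_shortfall(loaded: int, auths: List[Authorization], counted_at_restock: int) -> int:
    """Cash missing from the cassette beyond what the host authorized.

    Relies only on host records and the physical count, so it does not depend
    on a terminal-side log that malware could have altered or suppressed."""
    expected_remaining = loaded - sum(a.amount for a in auths)
    return expected_remaining - counted_at_restock


# Constructed sample data for one terminal over one service cycle.
T0 = datetime(2013, 12, 27, 10, 0)
SAMPLE_AUTHS = [
    Authorization("ATM-0001", T0, 200, "T100"),
    Authorization("ATM-0001", T0 + timedelta(minutes=15), 100, "T101"),
]
SAMPLE_DISPENSES = [
    Dispense("ATM-0001", T0, 200, "T100"),                              # legitimate
    Dispense("ATM-0001", T0 + timedelta(minutes=15), 100, "T101"),      # legitimate
    Dispense("ATM-0001", T0 + timedelta(minutes=90), 4000, None),       # no host txn at all
    Dispense("ATM-0001", T0 + timedelta(minutes=105), 4000, "T101"),    # reuses an id, wrong amount
]
SAMPLE_LOADED = 20000
SAMPLE_COUNTED_AT_RESTOCK = 11700   # 20000 - 200 - 100 - 4000 - 4000


def reconcile(loaded=SAMPLE_LOADED, dispenses=SAMPLE_DISPENSES,
              auths=SAMPLE_AUTHS, counted=SAMPLE_COUNTED_AT_RESTOCK) -> dict:
    """Run both checks and summarise what a backend alert would carry."""
    flagged = unmatched_dispenses(dispenses, auths)
    return {
        "unauthorized_dispense_count": len(flagged),
        "unauthorized_amount": sum(d.amount for d in flagged),
        "cassette_shortfall": cassette_shortfall(loaded, auths, counted),
    }


if __name__ == "__main__":
    print(reconcile())
```

The two checks deliberately use different evidence: the first needs the terminal's log and so catches the problem quickly but can be blinded by code running on the terminal, while the second needs only the host journal and a physical count and so cannot be hidden by anything on the machine, but only fires at restock.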

~~~
tekromancr
Do the NCR ATMs dispense bottle caps?

~~~
logfromblammo
You have to walk a long way from Shady Sands if you want anything but Tandis.

------
peterwwillis
For what it's worth, there's a fair number of Windows-based ATMs in the US and
around the globe. You can find articles as old as 2003 about exploiting
Windows-based ATMs. My favorite was the machine that had a Paint program
enabled by an intrepid hacker. Every year without fail the ATMs of the hotels
surrounding DEFCON get owned multiple times, sometimes advertising it. ("Dumb"
ATMs are often much easier to attack using default passwords, but harder to
install malware on)

[https://www.informationweek.com/mobile/banks-struggle-to-get-atms-off-windows-xp/d/d-id/1110965](https://www.informationweek.com/mobile/banks-struggle-to-get-atms-off-windows-xp/d/d-id/1110965)

[http://www.engadget.com/2007/02/25/windows-based-atm-machine-hacked-gets-painted/](http://www.engadget.com/2007/02/25/windows-based-atm-machine-hacked-gets-painted/)

~~~
mmicn
Depends on what you mean by "harder to install malware on". Most of these
machines are regular Windows, and inherit the default risk associated with
such machines. The only difference is that some might have better hardening.

~~~
BuildTheRobots
> Most of these machines are regular Windows

What's "regular Windows" when it's at home? The couple of ATMs I managed to
see the inside of were either running WinCE or OS/2.

~~~
mmicn
Windows CE and OS/2 are getting rare. Those I have tested all had Windows XP
and Windows 7. (I have tested nearly every major financial institution in my
country.)

~~~
thrownaway2424
Whenever I come across a green-screen ATM running decent old software I
practically leap for joy. Why? I can get my money in 5 seconds. The new ones,
that I guess are running Flash on top of MSIE on top of WinXP, are
unbelievably slow.

~~~
chiph
My favorite are the ones where the developer got the resolution of the screen
wrong, and both the horizontal & vertical scrollbars are present. The touch
screen is emulating a mouse, so you can drag the bars a little ways.

------
jsundquist
I notice at the end of the article it says a filename was hack.bat.

Looks like they are windows based machines. Wonder if they left auto-play
running on them?

~~~
marcosdumay
That's also in the article, they left auto-play running.

I'd bet they use standard PC motherboards. The only unusual things the thieves
knew were where to open the hole, and how to use the cash dispenser (although
I'm quite sure one'd be able to get the entire dispenser documentation from
Google).

Knowing that they are Windows machines, why don't people attack the ATMs by
the network?

~~~
loupgarou21
I'm vaguely surprised they bothered to cut a hole to do this. When I was
working on ATMs, none of my clients ever bothered to have their ATMs uniquely
keyed. I had a keyring of about 30 keys that could open pretty much any ATM I
came across.

------
bliker
This reminds me of this ATM hacking talk at DEFCON:
[https://www.youtube.com/watch?v=w1KfSSDh3gU](https://www.youtube.com/watch?v=w1KfSSDh3gU)
Pretty much an exact description of the attack, with a nice demo.

------
RRRA
The sad part is that the BBC takes this random fact and completely misses the
important ones about the more massive problem that the NSA and complacent /
blackmailed governments represent...

------
mariusz79
First things first: USB sticks were not infected. They were just a tool used
to infect. It's like saying that the needle was infected.

------
knodi
Please stop all auto-run options.

