
Hackers Are Emptying ATMs with a Single Drilled Hole and $15 Worth of Gear - nols
https://www.wired.com/2017/04/hackers-emptying-atms-drill-15-worth-gear/
======
scardine
My first job was being a field technician for a bank automation supplier.

We had a "test" card that could be inserted into the EPROM socket. This small
card was almost the same size as the original chip but had a few buttons that
allowed us to make the mechanism deliver notes in order to fine tune it.

In a particular ATM design used by major banks in Brazil, this location was
accessible by removing a front panel, although you would have to be kind of a
contortionist in order to plug it in.

Why we can find whole ATMs at junkyards is beyond me: there are many easy to
spot flaws. They should grind everything when decommissioning this kind of
equipment.

~~~
andrewwharton
> Why we can find whole ATMs at junkyards is beyond me: there are many easy to
> spot flaws.

If there are many easy to spot flaws, I don't think finding them in a junkyard
is the root of the problem here. This is good old security by obscurity.

As Bruce Schneier says (at least about safes), you should be able to publish
the blueprints and source code for the machines, then maybe they'll be secure.
There should be enough physical security to ensure an attack will take longer
to perform than the response time of the authorities. Any components which are
vulnerable to physical attack need the same level of physical protection as
the cash that's being protected.

Until this happens, 'hackers' (thieves) are going to keep finding flaws and
exploiting them.

~~~
erikpukinskis
It's a false dichotomy. Your private keys are just "obscure" information that
requires some effort to find too. And security protocols can be designed so
the keys aren't enough.

At the end of the day it's an arms race, and you're just trying to slow
attackers down.

~~~
throwaway91111
Well, they're provably secure for some (mind-bogglingly massive) search space.

Security by obscurity tends to refer to measures which can be broken once, and
thereafter opened trivially. It sounds like the article is about one of these
trivial openings.

Everything can be broken; the goal is to move it or arrest them before they
can get in, physically or virtually. It just so happens that, virtually, the
time required to brute force it can, at times, be on heat-death-of-the-
universe scales. Safes tend to rely on men with guns following soon after
alarms trigger.

~~~
Rapzid
Obtaining most keys doesn't require mind-bogglingly massive searches.

~~~
throwaway91111
Well, it might not. Can you clue me in to the specific scenario you're
thinking about?

Input rate limiting + known key size should provide a concrete search space.

~~~
Rapzid
Physically obtaining them through malware, viruses, bugs, backdoors, social
engineering, coercion (physical threats, blackmail, application of force),
tapping, physical spying, etc.

------
devy
> They found that the machine’s only encryption was a weak XOR cipher they
> were able to easily break, and that there was no real authentication between
> the machine’s modules.

This reminds me of many many years ago some guy in a bimmer forum figured out
BMW's iDriver music file formats (BR3/BR4/BR5) were simply DRM'd via XOR.[1] I
was able to verify it via a simple script. Kudos to the reverse engineering
masters!

[1]:
[http://www.e90post.com/forums/showthread.php?t=279294#5](http://www.e90post.com/forums/showthread.php?t=279294#5)

~~~
giancarlostoro
I found it curious that the very person who mentioned it being XOR had only
one single post in that forum.

~~~
devy
That info originated from a German bimmer forum, it seems.

------
kefka
I'm not terribly shocked.

Most communication happens either at serial, SPI, or i2c busses. If it's cars,
CAN.

And if you can plug in a wire somewhere, you can damage or pwn it. Most things
don't have security, other than software security and physical locks. And even
when there are other types of security, like cryptokeys and such, physical
wires can usually bypass even those.

If they wanted something that was secure, they could do that glass mesh thing
the ORWL does, and have some sort of black dyepack on the money that explodes
everywhere. Go for "we ruin so you can't have". But then again, I could see
criminals pissed off and taking a hammer primarily to ruin their money, and
cause customer consternation.

~~~
mjevans
I could see a more effective solution being embedded chassis intrusion meshes.

Disrupting the meshes in any way (e.g. drilling) would result in three actions.

1) Electronically erase MOST programmable memory in the machine. (Brick it)
2) Engage something akin to an EMO (Emergency Machine Off)
3) If an uplink of some sort exists, broadcast repeatedly on it that such an event occurred and the current uptime.

~~~
monocasa
I mean, there's chips that have that in their top metal layers, and there's
still crazy people out there with electron microscopes and tiny pins that
subvert them.

[https://web-beta.archive.org/web/20111124050620/http://www.f...](https://web-beta.archive.org/web/20111124050620/http://www.flylogic.net/blog/?p=86)

I wouldn't be surprised if increased physical security on ATMs isn't worth the
practical difference in losses.

~~~
mjevans
Sure, someone COULD do that, but how long and how fiddly is that process? How
big of a risk is there of disrupting internal components?

What if you sandwich the sensitive layer as a thin mesh encased in weak resin
between two metal plates?

The point of security isn't absolute, but to ruin the risk + effort vs reward
balance.

------
Declanomous
> Computer security experts have long warned that no computer should be
> considered secure if an attacker takes physical control of it.

I think the lack of physical security is more surprising than the lack of
electronic security. A three-inch hole is pretty big, all things considered. I
have to imagine that ATMs are designed to resist drilling three inch holes
through to the money or the dispenser mechanism. Why isn't the computer
protected to a similar degree?

~~~
wnevets
> Why isn't the computer protected to similar degree?

It was cheaper not to.

~~~
scardine
I can confirm this. I used to work for a major ATM supplier and this was the
answer I got every time I asked bank personnel about the lack of physical
security. They would compute the average loss from burglarized ATMs against
the cost to install and maintain better alarm systems and decide against it.

------
contingencies
I am currently designing food machines, which have security concerns equal to
financial machines in some senses (you don't want people to get poisoned
through environmental contaminants, malicious reprogramming, etc.).

The article claims there is essentially no authentication between disparate
modules, only simple XOR encryption. That seems a clear fail.

In my experience, ATM control boards (I was literally at a factory in China
for these a few weeks ago) tend to be custom PCBs but there is a move towards
genericization. Presumably because their designs tend to date from bygone
eras, they do not use software-based approaches in favor of hardware and
security through obscurity. Perhaps it is time for a software-oriented modular
ATM redesign project with an emphasis on modern internal security? Anyone want
to collaborate? Serious question. (I have an existing ATM component factory
group potentially on side already.)

Second, to 'notice' the independent activity of any given module, power draw
should be easy to detect. Again, the lack of such a feature probably harks
back to a bygone-era hardware-oriented design psychology.
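
The gap raised in the comment above, XOR obfuscation with no authentication between modules, shown as an added example that is not from the thread or from any ATM vendor. The frame layout (8-byte counter, payload, HMAC-SHA256 tag), the key values and all names are assumptions constructed for illustration.

```python
import hashlib
import hmac
import struct

XOR_KEY = b"\x5a\xc3\x19\x7e"              # constructed obfuscation key
MAC_KEY = b"constructed-demo-key-0123456789"  # constructed shared secret
TAG_LEN = 32                               # HMAC-SHA256 output size

def xor_bytes(data, key):
    # Repeating-key XOR: hides bytes, provides no integrity at all.
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def xor_receiver(frame):
    # XOR-only module: decodes and would act on whatever arrives.
    return xor_bytes(frame, XOR_KEY)

def seal(counter, payload):
    # Authenticated frame: counter || payload || HMAC(counter || payload).
    header = struct.pack(">Q", counter)
    tag = hmac.new(MAC_KEY, header + payload, hashlib.sha256).digest()
    return header + payload + tag

class AuthReceiver:
    """Rejects frames with a bad tag or a counter that does not advance."""
    def __init__(self):
        self.last_counter = 0

    def accept(self, frame):
        if len(frame) < 8 + TAG_LEN:
            return None
        header, payload, tag = frame[:8], frame[8:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(MAC_KEY, header + payload, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None                    # altered in transit or wrong key
        (counter,) = struct.unpack(">Q", header)
        if counter <= self.last_counter:
            return None                    # replay of an earlier frame
        self.last_counter = counter
        return payload

def demo():
    msg = b"STATUS 01"                     # constructed sample message
    x = xor_bytes(msg, XOR_KEY)
    altered = bytes([x[0] ^ 1]) + x[1:]    # one bit changed on the wire
    rx, sealed = AuthReceiver(), seal(1, msg)
    bad = sealed[:8] + bytes([sealed[8] ^ 1]) + sealed[9:]
    return (xor_receiver(altered), rx.accept(bad), rx.accept(sealed), rx.accept(sealed))

if __name__ == "__main__":
    print(demo())
```

The XOR-only receiver decodes the altered frame into a different message without any error, while the authenticated receiver drops both the altered frame and the replayed one.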

~~~
DonHopkins
Where do you draw the line between poisoning people, and vending them
unhealthy fatty sugary junk food?

~~~
contingencies
Everything we sell will be made to order from fresh ingredients. Sugar is only
traditionally used in a few noodle cuisines (eg. Thai) and customers can opt
out of any ingredient they wish. Likewise significant lipids are really only
present in meats, oils, cheeses and coconut milk. Again, Thai is a strong
contender. Calorie counting is transparently supported for those who want to
do the numbers. Launching in Asia, for Asia, nothing we sell will likely come
close in calories to an average US serving of anything.

------
stinos
Ah, brings back sweet memories of Terminator, for real now! IIRC in the movie
Connor used some portable Atari with a cable attached to a credit card to hack
an ATM to spit out money.

------
nodesocket
How much cash is in a fully stocked ATM? 10k, 25k, 50k, 100K?

~~~
pp19dd
From a 2013 reddit AMA: "Each ATM is different. We do 12,500, but have ones
with metal cases that reach 26k."

From a 2010 Time article: "The average size machine can hold as much as
$200,000, though few do. In off hours, most machines contain less than
$10,000."

In the article they cite a Philadelphia theft case where a single stolen
machine held $96,000.

------
Pica_soO
The Firefighters' Guild has been formed and dissolved repeatedly throughout
the history of Ankh-Morpork. Usually formed in response to fires which cause
significant damage to large parts of the city, the guild is usually dissolved
in response to... er, fires which cause significant damage to large parts of
the city. The Guild suffers from the undying capitalist spirit of Ankh-
Morpork, as those men who are paid per-fire extinguished eventually begin to
guarantee a regular supply of fires to be put out (see also Inn-Sewer-Ants).
This has led to the frequent destruction of large portions of the city and
ultimately to the Guild's being banned.

Seems we need lots of new ATMs, lots of them. And then prayer, for the fire-
fighter-guild to not run out of money.

------
bigbugbag
I see these kinds of stories floating around from time to time, I wonder how
much money is lifted each year from banks this way. It seems to not be
significant enough for banks to be proactive about the issue.

------
DonHopkins
Is there a tutorial on Instructables or YouTube about how to do this?

------
anonymous_iam
Not as elegant as Barnaby Jack, but just as effective.

------
s73ver
Seems like an implementation of that XKCD comic on encryption security:
[https://xkcd.com/538/](https://xkcd.com/538/)

------
anthonybsd
To be fair, drilling a 3 inch hole in a modern ATM is no easy task. We are
talking about high-grade steel, a layer of fiberglass, etc. Hence "portable
power drill" is a bit misleading.

~~~
jessriedel
Hard to tell what's actually inside them, but these sorts of ATMs don't look
very intimidating:

[http://www.edmontonatm.com/images/rl1600.jpg](http://www.edmontonatm.com/images/rl1600.jpg)

~~~
mod
I own one of these. It's inside a building that would be closed when no staff
were around, and it doesn't ever contain enough money to be worth it to most
people.

I wouldn't leave that thing at an outside location with enough money in it to
hurt me, unless the robberies were insured or so seldom as to be considered a
cost of doing business.

