Three ways to hack an ATM

Keyboard attacks, disk attacks and network attacks

Three ways to hack an ATM

Hacking ATMs, also known as Jackpotting, is an activity that speaks to our imagination, conjuring up visions of ATMs that spit out money into the street for everyone to pick up. The three attacks that we describe in this article are the result and recurring theme of numerous assessments that we have performed over the years for many of our customers. These are the (digital) attacks that we believe matter most and that require a serious look from anyone protecting an ATM.

Please note that hacking of ATM’s is an illegal action. Fox-IT’s security experts have performed these attacks with the permission of the ATM’s owners.

An overview of the basics

In this article we will explore three easy to execute digital attacks on ATMs: Keyboard attacks, disk attacks and network attacks. We will also cover some defensive measures that can be implemented as well as some detection measures. Bear in mind that an ATM by nature is an asset on which you have to accept compromise and in that regard you are forced to make a healthy decision on security investment versus business risk acceptance.

We will not be covering the physical security measures that might detect or delay the digital attacks on an ATM. The reason for not taking physical security measures into consideration is due to the fact that after breaching the physical security measures you will always be able to perform the digital attacks. You might be detected and the ATM might be cut off from the network, but that will not prevent an attacker from gaining potentially sensitive data or knowledge about the digital setup of an ATM.

One preventative measure that we will not be covering is the end-to-end (server to hardware) signing of commands executed on an ATM. The reason for this is the fact that it involves all parties present in the ATM eco-system: the financial institution, the software builders, the hardware builders. This is a measure that requires a community effort and won’t be possible on the short term.

Background

An Automated Teller Machine referred to as an ATM is usually a machine build from commercial off-the-shelf (COTS) hardware with custom software that serves mostly the following purposes:

    • Give out money
    • Receive money
    • Provide account overviews

The above mentioned functionality usually needs a connection to the financial institution to be able to perform the requested operations. The connection can be setup over dial-up, broadband or mobile type of setups. The ATM could in a sense be split into two halves: the upper half that contains all the logic components and the lower half that contains the money dispensing parts. This lower half contains the vault and the mechanical parts to protect the money and dispense the money that will be received by the customer operating the ATM.

The hardware in an ATM consists of a regular computer and multiple specialised peripherals that are responsible for dispensing money, validating entered money and processing the bank card as well as the entered pincode. Some of these components contain additional layers of protection like additional encryption to further protect the data transmitted.

In regards to the physical security there are multiple layers of preventive, detective and response layers of security. These layers attempt to delay an intrusion, detect the intrusion or respond to the intrusion by making the money unusable.

In a way, the multiple layers of security attempt to find a balance between the likelyhood of an ATM being attacked and the impact or consequences of such an attack. Expressed in another way we could say, how much money do we spend to safeguard the money in the vault of the ATM?

First attack: rogue keyboard access

An easy to execute attack is that of attaching a keyboard to an ATM and then proceed to perform a classical ‘break out’. The most interesting aspect of this attack is that depending on the ATM configuration an attacker does not need to elevate her privileges to be able to jackpot the ATM.

The first part of the attack which consists of attaching the keyboard can be performed in a variety of ways, for example:

  • Open the ATM using jiggle keys or other key opening tools
  • Drill a hole in the ATM near the USB or PS/2 port
  • Open the ATM by removing the screws that hold the side or back plates in place
  • The next step is to physically attach the keyboard to the ATM computer either by USB or PS/2 port

When the keyboard has been attached the attacker can proceed to what during most penetration tests is called a ‘break out’ assignment. This usually includes finding key combination or functionality which enables an attacker to execute custom commands on the ATM with the goal of achieving code execution.

At this point during the attack an attacker can choose to find and abuse existing functionality to jackpot the ATM or load custom code on the ATM to achieve the same objective.

Actions like privilege escalation, backdooring of the ATM and lateral movement through the ATM network are optional and depend on the configuration of the ATM as well as the goal of the attacker.

Prevention and detection measures

Due to the business process surrounding an ATM it is not always possible to apply all of the following measures. It is therefore recommended to make an informed decision on why certain measures are not implemented and documenting this decision. Security is a process and this implies that measures that have not currently been implemented should be re-evaluated periodically. This enables you to change the decision and implement these measures in the future.

Prevention measures

  • Disable unused ports in the BIOS
  • Disable unused ports in the Operating System
  • Disable all keyboard shortcuts using a keyboard filter
  • Implement a whitelist of allowed processes and their corresponding DLL files
  • Implement a blacklist of executables and dll files to cover the gaps off the whitelist

Detection measures

  • Alert on insertion or creation of new devices
  • Alert on execution of new processes not present in a pre-established whitelist
  • Alert on the creation of files not present in a pre-established whitelist
  • Alert on the dispensing of money without a corresponding card entry or creation of a transaction

Second attack: weak or unencrypted disk drive

Another easy to execute attack is that of accessing the disk of an ATM and directly tamper with the files on the disk to achieve code execution. This attack also enables an attacker to fully understand the target environment, there is almost no reason to perform the entire attack on site. An attacker can steal the disk, prepare the attack, come back and execute the attack in a highly efficient manner.

The first part of the attack consists of gaining access to the disk. This can be achieved by for example:

  • Open the ATM using jiggle keys or other key opening tools
  • Open the ATM by removing the screws that hold the side or back plates in place
  • Searching the internet for ‘backups’ or ‘images’ of the disk kept by third parties responsible for maintaining the ATM (This implies unlawful actions like accessing password protected FTP or HTTP servers).

The next part of the attack involves establishing if additional actions are necessary before the data can be accessed on the disk. There are multiple scenarios possible:

  • The disk is unencrypted and can be directly accessed
  • The disk has been encrypted in a flawed manner
  • The disk has been strongly encrypted

If the disk is unencrypted an attacker can read and modify any file on the disk. If the disk has been encrypted in a weak manner an attacker can undo the encryption and access the disk to read or modify any file on the disk. Often seen flaws that enable attacker to perform these type of attacks are:

  • Decryption key resides on a different partition or USB key
  • Decryption key is derived from hardware IDs
  • Decryption key is obfuscated during the boot process

The above ways of implementing disk encryption can in most cases by bypassed by an attacker that has stolen the disk (and has paid attention to any USB sticks present). Lastly if the disk has been strongly encrypted, for example by:

  • Receiving the decryption key from a network server
  • Using a TPM chip

an attacker is forced to increase their investment to obtain access to the disk. Keep in mind that fully preventing access to the disk is almost impossible in most cases. The reason for this is the fact that it is almost always a business requirement that an ATM transparently boots into the operating system.

What does this exactly mean? It means that when you have configured an ATM in this way is becomes an acceptable risk if an attacker manages to obtain access. A couple of ways an attacker could obtain access are, some of these attacks imply other type of misconfiguration present:

  • Direct memory access attacks
  • Virtualization of the disk
  • Sniffing the hardware communication

Prevention and detection measures

Due to the business process surrouding an ATM it is not always possible to apply all of the following measures. It is therefore recommended to make an informed decision on why certain measures are not implemented and documenting this decision. Security is a process and this implies that measures that have not currently been implemented should be re-evaluated pre-evaluated periodically. This enables you to change the decision and implement these measure in the future.

Prevention measures

  • implement a strong disk encryption solution
  • implement a strong file system encryption solution

Detection measures

  • Implement regular remote integrity scan
  • Investigate ATM reboots and shutdowns

Third attack: traditional network breach

The last easy to execute attack is that of attempting to breach the ATM from the network perspective. This overlaps with a traditional network based penetration test that is often performed by organizations. A caveat with this attack is that there is no reason why an attacker would limit the attack to only the ATM, since the backend part of the network is also accessible.

The first part of the attack consists of gaining access to the network which can be wired and / or wireless. For the wired part of the network an attacker has a variety of options:

  • Unplug the network cable on the ATM or the router side
  • Cut the network cable and apply new plugs

For the wireless part of the network an attacker also has some options:

  • Crack the WiFi password
  • Setup a rogue WiFi access point
  • Setup a rogue 3G access point

The next part of the attack involves looking at the network traffic to determine the targets as well as obtain information about potential weaknesses.

When the targets have been established regular penetration testing techniques are used to attempt and obtain access to the ATM or the backend servers:

  • Port scans
  • Vulnerability scans
  • Credential brute force attacks
  • Man-in-the-middle attacks
  • Fuzzing of proprietary protocols

These attacks can result in reading sensitive information or code execution on the ATM or the backend servers. The latter one increases the impact of this attack since usually multiple ATMs are connected to one backend server.

Prevention and detection measures

Due to the business process surrounding an ATM it is not always possible to apply all of the following measures. It is therefore recommended to make an informed decision on why certain measures are not implemented and documenting this decision. Security is a process and this implies that measures that have not currently been implemented should be re-evaluated periodically. This enables you to change the decision and implement these measure in the future.

Prevention measures

  • A VPN connection for all traffic
  • A host based firewall with a white list of allowed incoming and outgoing connections (Ensure that the firewall is also enforced on the VPN interfaces as well as potential backup 3G adapters)
  • Sandbox or exploit mitigation technology for network services
  • Two factor authentication for all the management interfaces
  • Robust TLS certificate checks

Detection measures

  • Host based intrusion detection solutions
  • Network based intrusion detection solutions
  • Centralized log monitoring with (near) real time log collection

Conclusion

In this blog post we have covered three easy to execute attacks against ATMs and the corresponding measures to prevent and detect them. Most of the prevention and detection measure are not that different from the ones needed on office networks or other digitalized environments.

The challenge lies in applying these measures in a qualitative manner and ensuring maximum coverage. This is a recurring problem which we’ll only be able to solve if we keep our focus and set it as a goal for ourselves.

Just like in real life, risks need to be accepted and solution will never be perfect. Hopefully by applying one solution at the time and making sure the next solution covers the gaps of the previous one we will be able to bring the level of security to the level we are willing to accept.

Now at Fox-IT

Contact us

+31 (0) 15 284 79 99

fox@fox-it.com

Delft