----- ###### Information Security Consultant Incident Response, Penetration Testing ###### Instructor SEC 560 & 542 ###### Royal Holloway, University of London Project: ATM Security assessment framework ----- ##### § About the project § ATM Introduction § Attacking the ATM § Common ATM system design § Assessing a sample ATM § Conclusion ----- ##### § About the project ##### § ATM Introduction § Attacking the ATM § Common ATM system design § Assessing a sample ATM § Conclusion ----- ##### § “A security assessment framework for Automated ### Teller Machines” ##### § Finished it this year (2014) § Supervisor: Frederik Mennes ----- ----- ##### § About the project ##### § ATM Introduction ##### § Attacking the ATM § Common ATM system design § Assessing a sample ATM § Conclusion ----- ### Automated Teller Machine Cash disposing & dispensing 2.2 million devices worldwide Different hardware & software vendors ----- ##### It was reintroduced in Ohio in 1959, with huge success. There are currently more then 2.2 million ATM’s worldwide. ##### The first ATM was installed in 1939 in New York City, known as “Bankograph”. Removed after 6 months because it was not used J ##### J ##### J ----- ##### The ATM is a “stupid” device, part of the bank’s overall architecture. It relies on back-end services for “important” decisions. ----- ### 1. ATM computer 2. (Touch)screen 3. Card-reader 4. PIN pad 5. Cash dispenser 6 Cash cassettes ----- ----- ### ATM computer (Touch)screen Card-reader PIN pad Cash dispenser Cash cassettes ----- ----- ##### § About the project § ATM Introduction § Attacking the ATM § Common ATM system design § Assessing a sample ATM § Conclusion ----- ----- ### Handles interesting customer data as well, which could be abused to get MORE MONEY ----- #### Blow up the safe Copy cards & steal PIN codes Steal the entire thing #### Attack back-end communication Attack the OS Access “operator” mode #### ... ----- #### Blow up the safe #### Attack back-end communication #### Copy cards & steal PIN codes #### Attack the OS #### Steal the entire thing #### Access “operator” mode #### ... ----- #### Attack back-end communication #### Attack the OS Access “operator” mode #### Copy cards & steal PIN codes Steal the entire thing ... ----- #### Copy cards & steal PIN codes Steal the entire thing ... ----- #### communication ... #### Attack back-end communication Attack the OS Access “operator” mode ----- #### Copy cards & Attack the OS steal PIN codes Access Steal the entire “operator” mode thing ... ----- ----- #### Safe certification standards, bolts, video surveillance... ----- ----- #### Blow up the safe #### Copy cards & steal PIN codes #### Steal the entire thing #### Attack back-end communication Attack the OS Access “operator” mode #### ... ----- #### Blow up the safe #### Copy cards & steal PIN codes #### Steal the entire thing #### communication Attack the OS Access “operator” mode #### ... ----- #### Blow up the safe #### Copy cards & steal PIN codes #### Steal the entire thing #### communication Attack the OS Access “operator” mode #### ... ----- #### Blow up the safe #### Copy cards & steal PIN codes #### Steal the entire thing #### Attack back-end communication Attack the OS Access “operator” mode ... ----- #### Attack back-end communication Attack the OS Access “operator” mode #### Steal the entire thing ... ----- #### Attack back-end Blow up the safe communication Copy cards & Attack the OS steal PIN codes Access Steal the entire “operator” mode thing ... ----- #### Anti-skimming devices ----- ----- #### Blow up the safe Copy cards & steal PIN codes Steal the entire thing #### Attack back-end communication #### Attack the OS #### Access “operator” mode #### ... ----- #### Attack back-end Blow up the safe communication Copy cards & Attack the OS steal PIN codes #### ... ----- #### Attack back-end Blow up the safe communication Copy cards & Attack the OS steal PIN codes ----- ----- #### Blow up the safe Copy cards & steal PIN codes Steal the entire thing #### Attack back-end communication #### Attack the OS Access “operator” mode #### ... ----- #### Attack back-end communication #### Attack the OS Access “operator” mode #### A Blow up the safe ----- #### Attack back-end communication #### Attack the OS Access “operator” mode #### Blow up the safe Copy cards & steal PIN codes Steal the entire thing #### ... ----- #### Blow up the safe Copy cards & steal PIN codes Steal the entire thing #### “ ----- #### Blow up the safe communication Copy cards & Attack the OS steal PIN codes Access Steal the entire “operator” mode thing ... #### Network access? ----- #### Blow up the safe communication Copy cards & Attack the OS steal PIN codes Shodan HQ (Internet search engine) lists 800+ ATMs Access available on the Internet Steal the entire “operator” mode thing ... #### Network access? Shodan HQ (Internet search engine) lists 800+ ATMs available on the Internet ----- #### Attack back-end communication #### Attack the OS Access “operator” mode #### Blow up the safe Copy cards & steal PIN codes #### Steal the entire CCC 2013 thing “Electronic bank robberies” Boot ATMs from USB ... ----- ##### § About the project § ATM Introduction § Attacking the ATM ##### § Common ATM system design ##### § Assessing a sample ATM § Conclusion ----- ----- ###### Vendor Independent Vendor Dependent #### CEN/XFS (eXtensions for Financial Services) provides a standard set of APIs that can be used by Windows applications to operate the ATM peripherals ----- ----- #### “How will you approach the Windows XP end-of-support?” ###### (KAL 2013 – ATM Software Trends & Analysis) ----- ##### § About the project § ATM Introduction § Attacking the ATM § Common ATM system design ##### § Assessing a sample ATM ##### § Conclusion ----- ----- ----- ----- ----- ----- ----- ----- ----- ----- ----- ## Attack failed ----- ##### Using openly available forensic toolkits we managed to ##### recover the majority of the original hard disk content. ----- #### Sweet... But I don’t have a bank back-end (yet) ----- ----- ----- ----- ###### WFSOpen("CurrencyDispenser1", WFS_DEFAULT_HAPP, "NVISOSPIT", WFS_TRACE_NONE, WFS_INDEFINITE_WAIT, 0x0000FFFF, &serviceVersion, &spiVersion, &service); ###### Set up XFS session with the “CurrencyDispenser1”, no logging is required J ###### WFSCDMDISPENSE tDispense; ###### Create a dispense object “tDispense” ###### WFSCDMDENOMINATION tDenomination; ###### Create a denomination object “tDenomination” ----- ###### tDispense.fwPosition =WFS_CDM_POSNULL; tDenomination.cCurrencyID[0]='E'; tDenomination.cCurrencyID[1]='U'; tDenomination.cCurrencyID[2]='R'; ###### tDispense.fwPosition =WFS_CDM_POSNULL; ###### €€€ I want “EUR” J ###### tDenomination.ulAmount=nviso_amount; tDenomination.usCount=5; tDenomination.ulCashBox=0; ###### The amount is specified dynamically by a command line argument ###### ulaValues[0] =nviso_cassette1; ulaValues[1] =nviso_cassette2; ulaValues[2] =0; ulaValues[3] =0; ulaValues[4] =0; ###### Specify how many notes you want per cassette ----- ###### tDenomination.lpulValues = ulaValues; tDispense.lpDenomination= &tDenomination; HRESULT hResult = WFSExecute(service,WFS_CMD_CDM_DISPENSE,&tDispense,WFS_INDEFINIT E_WAIT,&lpResult); ###### Load the dispense with the specified denomination & execute the dispense operation ----- ----- ###### TODO: Make it generic for different ATM devices (read custom config from registry J) ----- # DEMONSTRATION ----- ##### § About the project § ATM Introduction § Attacking the ATM § Common ATM system design § Assessing a sample ATM ##### § Conclusion ----- ###### Modern ATMs are standard, Windows-based, computers full of money ###### Modern ATMs are ###### ATM software is developed according to open standards ###### Highly interesting target, protection is required! ###### Patch management ###### Application whitelisting ###### Network segmentation ###### Disk encryption -----