While the average reader may not be familiar with cyber attacks targeting ATMs, the term 'ATM jackpot attack' is pretty self-explanatory. However, carrying out such an attack takes more than the child John Connor and his Atari Portfolio (i love that laptop. If you're going to order one via eBay, be careful that the model is infamous for its capacitors' tendency to dry out. Be sure to have the soldering skills to replace a few caps).
I said it takes more, but not much more...
An executive's wet dream: enhanced security without having to invest (too much) in security
Spoiler: it's not a paradox. It's a lie.
With the spread of cashless banks came ATMs with deposit functionality. How practical, how convenient: not only does one wanting to deposit cash not have to wait for an army of boomers to withdraw money without using their cards, but a cashless bank also means that there's no sense in trying to rob it. At least not the old way.
I have always laughed at the fool who robs a bank with a gun as there have always been cheaper and more subtle options than marching in, gun-waving and demanding money. Such options do require a bit more sophisticated mind, though...
Welcome to the early 2010's!
No pandemic, Mass Effect 2, Civ 5, and Fallout: New Vegas already exist and almost everyone uses Windows XP.
Wait... Those games are still good, but XP is also still here!
Always wondered how a quarian looks like under the suit. Disappointed that i didn't get my answers. Had i known, i would have romanced Miranda. She looks better.
Can you please stop discussing having sex with aliens and write about hacking ATMs instead?
Yeah, sure. Thanks for refocusing me on my duties, you stupid, malfunctioning brain. Fed up with the personalities crammed in here.
Ok, so back to ATMs. These machines routinely use antiquated operating systems (before WinXP, many of them used Windows 3.11 - released in 1992, supported until 2008!).
Although end-of-life software is known to be affected by a multitude of vulnerabilities, neither the ATMs' embedded OS, nor any other software serve as the only attack vector:
An ATM is physically exposed to attacks, but surprisingly, physical security of ATMs is even poorer than their logical security. They may run fancy (or not-so-fancy, more on that later) security software, but that can be defeated. What remains is reasonable physical security protecting the money, and almost no physical security protecting the computer unit.
While accessing the built-in PC is relatively simple, i would recommend against starting by busting open the lid, lest you might trigger a potential sabotage detector.
Found this on 9Gag. The PC is in the upper right corner, and even has an ODD. This is a gold mine.
Cracking the perimeter
This attack targets a weakness of the bank note dispenser and the following ATM models are affected:
<REDACTED. Y'know, there is freedom of speech here, and if someonne intentionally uses outdated, vulnerable technology, i'm the one to blame if they get fucked>
Your first order of business is to elicit an overflow by supplying a malformed integer input to the computer unit. Sounds complicated, right? Well, it is (wannabes never understand that one can't become a hacker without extensive knowledge of computer architecture). To put it simply: you need to feed a number value to the computer, and that value must exceed the upper limit of the expected range.
Remember (from computer science class) how computers store all active program data in RAM? Operative memory is divided into so-called registers of varying sizes. The size of a register limits how much data can be put into that register. Now, if a program expects some user input that may (under normal circumstances) not be higher than 100, then the register reserved for that input is a 1-byte register (which can house a maximum value of 255, because 256 different combinations os 8 bits can exist (0-255)).
Insert your card (you had a homeless person open the account, right?), then select the deposit cash option.
The dispenser opens, and you only have to put in more than 255 pieces of paper. Note that the dispenser may not be able to physically accomodate that many bank notes, but you can use fake paper rectangles cut out from some paper that's not as thick as a bank note.
Once the note counter hits 255, the next piece of paper will result in the counter trying to put more than one byte into a one-byte register, causing a memory overflow in the dispenser's firmware. If you're lucky, you may even crash the operating system.
Upon detecting a memory integrity failure, the system will hopefully restart (if not, you can get out your burner phone and ask the kind tech support person answering your call to restart the ATM for you. First recorded instance in history that tech support actually helps you solve a problem).
Yeah, my Paint skills are terrible. And i use Linux Mint. And i messed up the aspect ratios...
♫Keyboards and flash drives, ATM machines*/Buy myself all of my favourite things♫
*NEVER say "ATM machines. An "automated teller machine machine" doesn't make any sense.
This is the part where you need to be quick: pull the plug, pop open the lid, remove the CR2032 battery from the mainboard, and pull the RSA card (if any). Forgot to mention that dressing up as a technician helps a lot...
Restore power and connect your keyboard. The following models use a USB dongle that poses as a dummy keyboard so that the system won't complain about the lack of a keyboard at bootup:
Guess what:
This also had to be redacted...
For these models, be sure to plug your keyboard into the slot that previously housed the dummy plug.
With the removal of the CR2032 battery, you won't be bothered by a BIOS password prompt. Enter the setup program and lift any possible USB lockdown measures. You can now boot from your USB flash drive. Be sure to disconnect the PC from the network.
Option 1 (for experts only):
If it contains a live Linux, Boot up and execute the ages-old utilman rename exploit. Also take a look around the file system and copy over anything of interest to your flash drive. Some stuff will be encrypted but you can dump the key from RAM once you boot the ATM's original embedded OS. You can also brute-force it: XP means it's only DES...
Option 2 (for script kiddies):
Connect your flash drive containing Konboot and bypass the embedded system's authentication, while keeping shift pressed during logon to prevent startup applications from being launched.
With admin access and without the additional security software running, you can pretty much do anything. Run your payload.
This ATM in Ukraine has been infected with ransomware (so much for ATM security software). Stealing is for pussies: this attacker is outright demanding money from the bank.
Leave the OS, target the peripeherals!
Another viable attack vector is to target the dispenser's firmware. An interesting persistent attack method is what i named recognizer poisoning:
Not a recognizer like these ones...
After dumping the dispenser's firmware, it is possible to update the samples used by the recognition routines so that the dispenser will perceive fake notes as genuine ones. There is a more elaborate approach by supplying samples of Monopoly money and a less elaborate one, if you're good at Assembly and don't have time to waste, you can just NOP out the entire anti-counterfeit recognition check routine from entry to exit point. Yes, some dispensers' firmware is easier to crack than Winrar.
This method requires that you dump pseudorandom data in the updated sample files so that their checksum wont change and the dispenser (and ATM software) will accept them.
This is done by <REDACTED>
The checksum can then be re-calculated to match those of the legit samples by <REDACTED>
The recognizer poisoning method requires quite a bit of expertise, but it's probably the most rewarding one as you're not directly stealing money (triggering an inventory miscount alert at the end of the day, when the physical inventory is correlated with the transaction log), but instead, you're creating money (just like a bank does. Ok, this method is more sophisticated than that).
Jack(pot) in the box
The dispenser is an especially appealing target, not only because it can be compromised without much interaction with the OS, but also because of how insecure the data excange is between the dispenser and the PC: The reason i could hack my then-girlfriend's first-gen Xbox decades ago with relative ease is because its chain of trust was flawed from the ground up and the console trusted anything that came from the ODD without validation (Kinda. Oversimplified description).
ATMs tend to still suffer from this decades-old vulnerability by accepting, with little to no validation, whatever comes from the dispenser (and vica versa, in most of the cases).
It was notable how Diebold-Nixdorf ATMs (one of the most vulnerable brand, but at least they use the Phoenix Vista ATM security software instead of McAffee's Solidcore, straight from the nightmares of IT security professionals) got exploited using the company's own (presumably leaked) sofrtware. Diebold's official response ridiculous (note the recommendation that 3DES should be used. In 2020)...
But even if the attacker doesn't have access to proprietary software, the so-called black box attacks are the most common ways of hacking ATMs:
Just a phone and a Pi. (Source)
Nowadays, a cheap Raspberry Pi is enough to carry out a black box attack (but even before the affordable Linux mini computers came on the scene, purpose-built hardware was used to black box ATMs). The appropriately programmed RasPi (the black box) is connected between the dispenser and the PC, and, posing as the PC towards the dispenser (and vica versa), it is used to capture and replay instructions sent to the dispenser, forcing the ATM to spit out cash.
About 70% of all ATMs are vulnerable to black box attacks, and this fact mainly has to do with how little can be done to detect a black box attack. Monitoring the wires' electrical resistance is a method sometimes used by sabotage detection solutions, but considering that a cheap silver necklace can be made into 1 meter of wiring, resistance monitoring is not reliable: silver has a conductivity of 63*10^6 S/m (Siemens per meters), as opposed to the 59*10^6 S/m conductivity of copper. Of course, a cheap silver necklace will not be made of the purest form of silver, but neither is your average ribbon cable made of the purest copper by Chinese child-slaves.
Ladies, i need your jewels. You know: silver for monsters sabotage detectors, money for hoes.
Im Radio ist ein*... Fehlerhafte Paket?
*Sorry, my daughter likes this song. At least the women are optically pleasing.
Even though the Raspberry Pi made black box attacks affordable (and feasible even for script kiddies), with the spread of NFC-enabled ATMs, a new attack vector seems to be opening up.
Yet another instance where a peripheral is trusted while it shouldn't be. Yet another instance of a flawed risk model and a failure to identify the root of the problem.
Yep, you guessed it: it's all because the NFC transceiver is trusted. Because neither the transceiver firmware, nor the ATM software vaildates the size of data packets received over NFC, the attacker can transmit a specially crafted, malformed packet that results in a buffer overflow. A similar result to what we have covered in the "Cracking the perimeter" section, but while the dispenser was attacked with the number of physical objects inserted into it (wow, sounds like porn), somewhat limiting what an attacker can do, your malformed packet transmitted via NFC can contain any data you want, enabling not only a buffer overflow, but also arbitrary code execution.
The following models are vulnerable to the malformed NFC exploits:
<Redacted>
Did you really think i was going to share the list?
Sorry.
Not here, not now.
What happens one i'm in? Make it COUNT!
Well, you have the tools, so now it's time to actually crack Fort Knox open.
Unfortunately, i cannot share any specifics.
Blame those fuckers who refuse to fix their vulnerabilities, but sue anyone who dares shed some light on their practice.
This entire section had to be redacted.
ATMs and reincarnation
For some, past and future lives are a question of belief, but ATMs can actually be observed to have lived more than once. When an ATM at a fancy location is replaced, it is usually handed down to other, less frequented locations of the same bank. This continoues until the ATM is deemed to be at the end of its useful lifecycle, at which point it is sold to banks on a tighter budget, and this is how "new" ATMs usually appear here, on the eastern fringe of civilization, and after a few more years, the same ATM starts a new life and boldly goes where no ATM has returned from: the Middle East, Africa, and Central Asia, before reaching the well-deserved state of Nirvana. An ATM's karma, however, is to get jackpotted a few times in each of its lives.
Having more than one life doesn't help an ATM whose existence is a downward spiral.
The fact that an ATM has so many lives also means that our region (as well as many other regions) is plagued by ATMs with architectural vulnerabilities on the hardware and firmware level. To add to the risk, these regions are also infamous for how easily authorities can be persuaded to look the other way while some "technician" is working on the ATM.
Banks tend to leave risks unaddressed as long as accepting the risk costs less than remediating it. They are willing to absorb the losses resulting from cyber attacks -- it's your mortgage's growing interest rate that pays for the pocket money given to cyber criminals. And who gives a FUCK about your mortgage as long as the members executive board can suck themselves (and each other) in their quarterly speeches, congratulating each other over the figures and taking home a sizeable bonus?
And yet, i'm the fucking bank robber for publishing vulnerability data that's been available to the affected banks for years, they are just not willing to care.
You want proper risk management? Ask the hacker.
An ATM is a physical object, phyically exposed in unsecure locations. Logical controls can only mitigate the threat, but the bottom line is that banks have a hardware problem (risk), and that needs to be addressed on the hardware level.
