SlideShare a Scribd company logo

Leave ATM Forever Alone

Olga Kochetova
Olga Kochetova

Leave ATM Alone ATM security workshop by @_endless_quest_ and @GiftsUngiven

Devices & Hardware
1 of 56
Download to read offline
Experts@PHD:~# WhoAmI •Positive Hack Days Team •Speakers at many IT events •Pentesters of various systems •Authors of multiple articles, researches, advisories •CLUB-MATE addicts
Rob The Bank
BOOOoooring
Based On True Stories
Volume Of European ATM Crime
ATM Fraud Attacks Effects 'Unlimited' Withdrawals and Sensitive Data Theft with: Black Box and Malware attacks (PINPAD Malware, Malware to jackpot dispenser, Malware through USB ports; also criminals gain physical access to ATMs to load malware through USB devices) Diagnostics tests Safe lock code compromise Database Theft Skimming Internal attack (employees)
Malware • Skimer.A -2008 • …………………………………… • Backdoor.Ploutus – 2013-2014 • Backdoor.Padpin – 2014 • Macau Malware – 2014 • Backdoor.Tyupkin – 2014 • Trojan.Skimmer (new) – 2015 Subtotal = 16 < variants of malware
Black Box Attacks •Directly control ATM
Hijacking ATM Control/Processing Host •Carbanac – 2015 •MitM – 2015
“Average Bill” Typical ATM contains 4 cassettes with ~2500 notes in each one. (5+10+20+50)= US$ or € 212 500 (100+500+1000+5000)= ₽16 500 000 could be stolen from ATM during single incident.
Tyupkin: Around The World In 412 Days
How It Works: Tyupkin & So On •Access •Infection •Control •Theft
How It Works: XFS Network communication Windows-based application Configuration information Unit #1 Service provider #1 Unit #2 Unit #3 Service provider #2 Service provider #3 Unit #4 Service provider #4 Unit #5 Unit #6 Service provider #5 Service provider #6 XFS API XFS SPI XFS manager COM USB Customer/Service mode
How It Really Works: XFS Insecurity Network communication Windows-based application Configuration information Unit #1 Service provider #1 Unit #2 Unit #3 Service provider #2 Service provider #3 Unit #4 Service provider #4 Unit #5 Unit #6 Service provider #5 Service provider #6 XFS API XFS SPI XFS manager COM USB Customer/Service mode
XFS, Cash Dispenser Device •Cash withdrawal without authorization •Cassette and cash control •Software safe opening
XFS, Identification Card Device •Read/write data •Insert/eject/retain cards •EMV reader (one can access payment history stored in chip)
XFS, PIN Keypad Device • Export of the key is not available • Open mode and secure mode read data (for stealing PIN: an ATM software sets “secure mode” for entering PIN, and intruder changes it to “open mode” to capture the PIN)
XFS Authentication •Authentication? What authentication? •Exclusive access to XFS manager/service provider? Exists, but not intended to be used for security
XFS Authentication •Authentication? What authentication? •Exclusive access to XFS manager/service provider? Exists, but not intended to be used for security
Hacker, Porter And The Chamber Of Secrets
Windows XP Still Alive •Early 2014 – 95% of ATMs run on Windows XP •Support killed off in April •>9000 vulnerabilities
Demo: MS 07-068 Strikes Again http://www.youtube.com/watch?v=Uxd0TRdE6sw
How It Works: Black Box Attacks • Dispenser • Card reader • Encrypted PIN-pad • Sensors
How It Works: Physical Interfaces COM/USB Network communication Windows-based application Configuration information Unit #1 Service provider #1 Unit #2 Unit #3 Service provider #2 Service provider #3 Unit #4 Service provider #4 Unit #5 Unit #6 Service provider #5 Service provider #6 XFS API XFS SPI XFS manager COM USB Customer/Service mode
How It Really Works: COM/USB Insecurity Network communication Windows-based application Configuration information Unit #1 Service provider #1 Unit #2 Unit #3 Service provider #2 Service provider #3 Unit #4 Service provider #4 Unit #5 Unit #6 Service provider #5 Service provider #6 XFS API XFS SPI XFS manager COM USB Customer/Service mode
DinosauRS232 •Standard interface •No specific drivers •No authorization •Insecure proprietary protocols (just sniff and replay)
Difficulties • Protocols bloat • Specific method of integrity control • Short timeouts • Endless polling • New firmware version = new protocol
Typical serial protocol •No good tools for analysis •No flow control •No host loss detection •Packets • Fixed size • Start/stop bytes • Length prefix + data
Advantages Of COM/USB •Direct device control •Execution of undocumented functions •Intercept unmasked sensitive data
Really Big Sale
Really Big Fail
Advantages Of COM/USB •Possibility of producing hardware sniffer, which can’t be detected by visual examination
Card Reader/ Writer/ Skimmer Sensitive data disclosure, e.g. track data in plaintext, is possible with reading command sending to COM/USB port directly. This attack is possible with ATM's computer or with any external device, which is connected to the card reader's COM/USB port.
What Big Vendors Think The vulnerabilities are essentially normal specifications of the card readers and not unexpected. As long as the ATM is running within normal parameters, these problems cannot possibly occur.(c) However this vulnerability is inherent in the USB technology and is expected be mitigated by the use of appropriate physical controls on access to the ATM top box.(c)
Top Lock For The Top Box
Unlockpickable
Locks is not about security
How It Really Works: ATM Cabinet Locks
ATM is locked
Demo: Unlockpickable? http://www.youtube.com/watch?v=KijIzHUtLjU
Secure Your ATMs
Advantages Of COM/USB •Direct device control • Command execution mitigating all host- based checks, e.g. cash withdrawal without notes counter checks • 02 30 / 10 03 – start-stop sentinels • XX XX– op-code • XX – Unknown • 01 01 … – data • 42 – CRC8 02 30 XX XX X X 01 01 02 00 03 00 04 00 05 00 06 00 10 03 42
Quick Cash And Full Control Control cash dispenser module by unauthorized application or user. An attacker has possibility to control cash dispenser by sending command to COM/USB port directly, including dispensing and presenting commands. This attack is possible with ATM's computer or with any external device, which is connected to the dispenser's COM/USB port.
Demo: iCash http://www.youtube.com/watch?v=ksEmXuV324I
What Big Vendors Think “We regret informing you that we had decided to stop producing this model more than 3 years ago and warranties for our distributors been expired.”
What About Cryptography Dispenser “Half” Security Level: Any use of cryptography – is NOT equal to good use of cryptography
Achievement Unlocked Dispenser High Security Level: Dispenser Upgrade Pack is released and available from the vendor_name download center, and it will be included as standard in the next release of XFS.(c)
We Had Two Libs Of Python, 35 USD, Power Bank And Wi-Fi Dongle
Cheap-and-Pi •Minimal price •Small •Capable of using multiple interfaces
ATMs In Internet
No More SSL •OpenSSL in ATM/POS software •Misconfiguration •PCI/PA DSS v.3.1 SSL >> TLS
Conclusions • Service zone is important • Current methods of protection is not enough • Using execution prevention software without OS patches – is wrong
Proposals • Implement mutual authentication both for ATM computer and it’s devices • Make peer review of XFS standard/communication protocols • Service zone is as important as safe • Trust environment is not about ATMs • Implement regular security assessments and pentest of ATMs
Leave ATM Forever Alone

Recommended

Revisiting atm vulnerabilities for our fun and vendor’s
Revisiting atm vulnerabilities for our fun and vendor’sRevisiting atm vulnerabilities for our fun and vendor’s
Revisiting atm vulnerabilities for our fun and vendor’sOlga Kochetova
 
ATM Compromise with and without Whitelisting
ATM Compromise with and without WhitelistingATM Compromise with and without Whitelisting
ATM Compromise with and without WhitelistingAlexandru Gherman
 
Hack your ATM with friend's Raspberry.Py (Black Hat EU-2014)
Hack your ATM with friend's Raspberry.Py (Black Hat EU-2014)Hack your ATM with friend's Raspberry.Py (Black Hat EU-2014)
Hack your ATM with friend's Raspberry.Py (Black Hat EU-2014)Olga Kochetova
 
How to hack stuff for cash
How to hack stuff for cashHow to hack stuff for cash
How to hack stuff for cashMarco Schuster
 
Atm hacking and cracking to steal money with atm backdoor default master pass...
Atm hacking and cracking to steal money with atm backdoor default master pass...Atm hacking and cracking to steal money with atm backdoor default master pass...
Atm hacking and cracking to steal money with atm backdoor default master pass...FREDDY KEKANA
 
DTS Solution - Hacking ATM Machines - The Italian Job Way
DTS Solution - Hacking ATM Machines - The Italian Job WayDTS Solution - Hacking ATM Machines - The Italian Job Way
DTS Solution - Hacking ATM Machines - The Italian Job WayShah Sheikh
 
Hacking ATM machines for fun and profit!
Hacking ATM machines for fun and profit!Hacking ATM machines for fun and profit!
Hacking ATM machines for fun and profit!Zigoo0
 
Secure Real Time Embedded System For ATM Using Web Server
Secure Real Time Embedded System For ATM Using Web ServerSecure Real Time Embedded System For ATM Using Web Server
Secure Real Time Embedded System For ATM Using Web Serverijcite
 

Recommended

Revisiting atm vulnerabilities for our fun and vendor’s
Revisiting atm vulnerabilities for our fun and vendor’sRevisiting atm vulnerabilities for our fun and vendor’s
Revisiting atm vulnerabilities for our fun and vendor’sOlga Kochetova
 
ATM Compromise with and without Whitelisting
ATM Compromise with and without WhitelistingATM Compromise with and without Whitelisting
ATM Compromise with and without WhitelistingAlexandru Gherman
 
Hack your ATM with friend's Raspberry.Py (Black Hat EU-2014)
Hack your ATM with friend's Raspberry.Py (Black Hat EU-2014)Hack your ATM with friend's Raspberry.Py (Black Hat EU-2014)
Hack your ATM with friend's Raspberry.Py (Black Hat EU-2014)Olga Kochetova
 
How to hack stuff for cash
How to hack stuff for cashHow to hack stuff for cash
How to hack stuff for cashMarco Schuster
 
Atm hacking and cracking to steal money with atm backdoor default master pass...
Atm hacking and cracking to steal money with atm backdoor default master pass...Atm hacking and cracking to steal money with atm backdoor default master pass...
Atm hacking and cracking to steal money with atm backdoor default master pass...FREDDY KEKANA
 
DTS Solution - Hacking ATM Machines - The Italian Job Way
DTS Solution - Hacking ATM Machines - The Italian Job WayDTS Solution - Hacking ATM Machines - The Italian Job Way
DTS Solution - Hacking ATM Machines - The Italian Job WayShah Sheikh
 
Hacking ATM machines for fun and profit!
Hacking ATM machines for fun and profit!Hacking ATM machines for fun and profit!
Hacking ATM machines for fun and profit!Zigoo0
 
Secure Real Time Embedded System For ATM Using Web Server
Secure Real Time Embedded System For ATM Using Web ServerSecure Real Time Embedded System For ATM Using Web Server
Secure Real Time Embedded System For ATM Using Web Serverijcite
 
EntroWatch V1.2 (1)
EntroWatch V1.2 (1)EntroWatch V1.2 (1)
EntroWatch V1.2 (1)Helen Williams
 
[CB19] Hardware Wallet Security
[CB19] Hardware Wallet Security[CB19] Hardware Wallet Security
[CB19] Hardware Wallet SecurityCODE BLUE
 
Atm card skimming &amp; pin capturing awareness
Atm card skimming &amp; pin capturing awarenessAtm card skimming &amp; pin capturing awareness
Atm card skimming &amp; pin capturing awarenessMuhammad Basharat
 
Thesis presentation
Thesis presentationThesis presentation
Thesis presentationCHIACHE lee
 
[CB16] ATMS how to break them to stop the fraud. by Olga Kochetova & Alexey O...
[CB16] ATMS how to break them to stop the fraud. by Olga Kochetova & Alexey O...[CB16] ATMS how to break them to stop the fraud. by Olga Kochetova & Alexey O...
[CB16] ATMS how to break them to stop the fraud. by Olga Kochetova & Alexey O...CODE BLUE
 
Kavya racharla ndh-naropanth_fin
Kavya racharla ndh-naropanth_finKavya racharla ndh-naropanth_fin
Kavya racharla ndh-naropanth_finPacSecJP
 
RCS Demo HackingTeam
RCS Demo HackingTeam RCS Demo HackingTeam
RCS Demo HackingTeam OWASP Foundation
 
Atm Presentationgp2
Atm Presentationgp2Atm Presentationgp2
Atm Presentationgp2Abhishek Mishra
 
CONFidence 2014: Yaniv Miron: ATMs – We kick their ass
CONFidence 2014: Yaniv Miron: ATMs – We kick their assCONFidence 2014: Yaniv Miron: ATMs – We kick their ass
CONFidence 2014: Yaniv Miron: ATMs – We kick their assPROIDEA
 
ATM Awareness Guide
ATM Awareness GuideATM Awareness Guide
ATM Awareness GuideDaniel Cheah
 
Yunusov babin 7 sins pres atm v2
Yunusov babin 7 sins pres atm v2Yunusov babin 7 sins pres atm v2
Yunusov babin 7 sins pres atm v2PacSecJP
 
Atm awareness guide
Atm awareness guideAtm awareness guide
Atm awareness guideJude Dsouza
 
ATM Skimming Devices
ATM Skimming DevicesATM Skimming Devices
ATM Skimming Devicessavingsguide
 
System 6000
System 6000System 6000
System 6000Mail Box Production
 
EuskalHack 2017 - Secure initialization of TEEs: when secure boot falls short
EuskalHack 2017 - Secure initialization of TEEs: when secure boot falls shortEuskalHack 2017 - Secure initialization of TEEs: when secure boot falls short
EuskalHack 2017 - Secure initialization of TEEs: when secure boot falls shortCristofaro Mune
 
Disabling Ports 135 and 445 to protect the Road Warrior
Disabling Ports 135 and 445 to protect the Road WarriorDisabling Ports 135 and 445 to protect the Road Warrior
Disabling Ports 135 and 445 to protect the Road WarriorDavid Sweigert
 
Skimmer Presentation V1 230109 Ppt
Skimmer Presentation V1 230109 PptSkimmer Presentation V1 230109 Ppt
Skimmer Presentation V1 230109 PptHyballs the Rat
 
Cant touch this: cloning any Android HCE contactless card
Cant touch this: cloning any Android HCE contactless cardCant touch this: cloning any Android HCE contactless card
Cant touch this: cloning any Android HCE contactless cardSlawomir Jasek
 
Elevator controller for multi story building security
Elevator controller for multi story building securityElevator controller for multi story building security
Elevator controller for multi story building securityMayank Jain
 
Kochetova+osipv atm how_to_make_the_fraud__final
Kochetova+osipv atm how_to_make_the_fraud__finalKochetova+osipv atm how_to_make_the_fraud__final
Kochetova+osipv atm how_to_make_the_fraud__finalPacSecJP
 
[cb22] Red light in the factory - From 0 to 100 OT adversary emulation by Vi...
[cb22] Red light in the factory - From 0 to 100 OT adversary emulation by Vi...[cb22] Red light in the factory - From 0 to 100 OT adversary emulation by Vi...
[cb22] Red light in the factory - From 0 to 100 OT adversary emulation by Vi...CODE BLUE
 
Avast @ Machine Learning
Avast @ Machine LearningAvast @ Machine Learning
Avast @ Machine LearningAvast
 

More Related Content

What's hot

[CB19] Hardware Wallet Security
[CB19] Hardware Wallet Security[CB19] Hardware Wallet Security
[CB19] Hardware Wallet SecurityCODE BLUE
 
Atm card skimming &amp; pin capturing awareness
Atm card skimming &amp; pin capturing awarenessAtm card skimming &amp; pin capturing awareness
Atm card skimming &amp; pin capturing awarenessMuhammad Basharat
 
Thesis presentation
Thesis presentationThesis presentation
Thesis presentationCHIACHE lee
 
[CB16] ATMS how to break them to stop the fraud. by Olga Kochetova & Alexey O...
[CB16] ATMS how to break them to stop the fraud. by Olga Kochetova & Alexey O...[CB16] ATMS how to break them to stop the fraud. by Olga Kochetova & Alexey O...
[CB16] ATMS how to break them to stop the fraud. by Olga Kochetova & Alexey O...CODE BLUE
 
Kavya racharla ndh-naropanth_fin
Kavya racharla ndh-naropanth_finKavya racharla ndh-naropanth_fin
Kavya racharla ndh-naropanth_finPacSecJP
 
CONFidence 2014: Yaniv Miron: ATMs – We kick their ass
CONFidence 2014: Yaniv Miron: ATMs – We kick their assCONFidence 2014: Yaniv Miron: ATMs – We kick their ass
CONFidence 2014: Yaniv Miron: ATMs – We kick their assPROIDEA
 
ATM Awareness Guide
ATM Awareness GuideATM Awareness Guide
ATM Awareness GuideDaniel Cheah
 
Yunusov babin 7 sins pres atm v2
Yunusov babin 7 sins pres atm v2Yunusov babin 7 sins pres atm v2
Yunusov babin 7 sins pres atm v2PacSecJP
 
Atm awareness guide
Atm awareness guideAtm awareness guide
Atm awareness guideJude Dsouza
 
ATM Skimming Devices
ATM Skimming DevicesATM Skimming Devices
ATM Skimming Devicessavingsguide
 
EuskalHack 2017 - Secure initialization of TEEs: when secure boot falls short
EuskalHack 2017 - Secure initialization of TEEs: when secure boot falls shortEuskalHack 2017 - Secure initialization of TEEs: when secure boot falls short
EuskalHack 2017 - Secure initialization of TEEs: when secure boot falls shortCristofaro Mune
 
Disabling Ports 135 and 445 to protect the Road Warrior
Disabling Ports 135 and 445 to protect the Road WarriorDisabling Ports 135 and 445 to protect the Road Warrior
Disabling Ports 135 and 445 to protect the Road WarriorDavid Sweigert
 
Skimmer Presentation V1 230109 Ppt
Skimmer Presentation V1 230109 PptSkimmer Presentation V1 230109 Ppt
Skimmer Presentation V1 230109 PptHyballs the Rat
 
Cant touch this: cloning any Android HCE contactless card
Cant touch this: cloning any Android HCE contactless cardCant touch this: cloning any Android HCE contactless card
Cant touch this: cloning any Android HCE contactless cardSlawomir Jasek
 
Elevator controller for multi story building security
Elevator controller for multi story building securityElevator controller for multi story building security
Elevator controller for multi story building securityMayank Jain
 

What's hot (19)

EntroWatch V1.2 (1)
EntroWatch V1.2 (1)EntroWatch V1.2 (1)
EntroWatch V1.2 (1)
 
[CB19] Hardware Wallet Security
[CB19] Hardware Wallet Security[CB19] Hardware Wallet Security
[CB19] Hardware Wallet Security
 
Atm card skimming &amp; pin capturing awareness
Atm card skimming &amp; pin capturing awarenessAtm card skimming &amp; pin capturing awareness
Atm card skimming &amp; pin capturing awareness
 
Thesis presentation
Thesis presentationThesis presentation
Thesis presentation
 
[CB16] ATMS how to break them to stop the fraud. by Olga Kochetova & Alexey O...
[CB16] ATMS how to break them to stop the fraud. by Olga Kochetova & Alexey O...[CB16] ATMS how to break them to stop the fraud. by Olga Kochetova & Alexey O...
[CB16] ATMS how to break them to stop the fraud. by Olga Kochetova & Alexey O...
 
Kavya racharla ndh-naropanth_fin
Kavya racharla ndh-naropanth_finKavya racharla ndh-naropanth_fin
Kavya racharla ndh-naropanth_fin
 
RCS Demo HackingTeam
RCS Demo HackingTeam RCS Demo HackingTeam
RCS Demo HackingTeam
 
Atm Presentationgp2
Atm Presentationgp2Atm Presentationgp2
Atm Presentationgp2
 
CONFidence 2014: Yaniv Miron: ATMs – We kick their ass
CONFidence 2014: Yaniv Miron: ATMs – We kick their assCONFidence 2014: Yaniv Miron: ATMs – We kick their ass
CONFidence 2014: Yaniv Miron: ATMs – We kick their ass
 
ATM Awareness Guide
ATM Awareness GuideATM Awareness Guide
ATM Awareness Guide
 
Yunusov babin 7 sins pres atm v2
Yunusov babin 7 sins pres atm v2Yunusov babin 7 sins pres atm v2
Yunusov babin 7 sins pres atm v2
 
Atm awareness guide
Atm awareness guideAtm awareness guide
Atm awareness guide
 
ATM Skimming Devices
ATM Skimming DevicesATM Skimming Devices
ATM Skimming Devices
 
System 6000
System 6000System 6000
System 6000
 
EuskalHack 2017 - Secure initialization of TEEs: when secure boot falls short
EuskalHack 2017 - Secure initialization of TEEs: when secure boot falls shortEuskalHack 2017 - Secure initialization of TEEs: when secure boot falls short
EuskalHack 2017 - Secure initialization of TEEs: when secure boot falls short
 
Disabling Ports 135 and 445 to protect the Road Warrior
Disabling Ports 135 and 445 to protect the Road WarriorDisabling Ports 135 and 445 to protect the Road Warrior
Disabling Ports 135 and 445 to protect the Road Warrior
 
Skimmer Presentation V1 230109 Ppt
Skimmer Presentation V1 230109 PptSkimmer Presentation V1 230109 Ppt
Skimmer Presentation V1 230109 Ppt
 
Cant touch this: cloning any Android HCE contactless card
Cant touch this: cloning any Android HCE contactless cardCant touch this: cloning any Android HCE contactless card
Cant touch this: cloning any Android HCE contactless card
 
Elevator controller for multi story building security
Elevator controller for multi story building securityElevator controller for multi story building security
Elevator controller for multi story building security
 

Similar to Leave ATM Forever Alone

Kochetova+osipv atm how_to_make_the_fraud__final
Kochetova+osipv atm how_to_make_the_fraud__finalKochetova+osipv atm how_to_make_the_fraud__final
Kochetova+osipv atm how_to_make_the_fraud__finalPacSecJP
 
[cb22] Red light in the factory - From 0 to 100 OT adversary emulation by Vi...
[cb22] Red light in the factory - From 0 to 100 OT adversary emulation by Vi...[cb22] Red light in the factory - From 0 to 100 OT adversary emulation by Vi...
[cb22] Red light in the factory - From 0 to 100 OT adversary emulation by Vi...CODE BLUE
 
Avast @ Machine Learning
Avast @ Machine LearningAvast @ Machine Learning
Avast @ Machine LearningAvast
 
Shah Sheikh / ISACA UAE - Deep Dive on Evasive Malware
Shah Sheikh / ISACA UAE - Deep Dive on Evasive MalwareShah Sheikh / ISACA UAE - Deep Dive on Evasive Malware
Shah Sheikh / ISACA UAE - Deep Dive on Evasive MalwareShah Sheikh
 
The Bot Stops Here: Removing the BotNet Threat - Public and Higher Ed Securit...
The Bot Stops Here: Removing the BotNet Threat - Public and Higher Ed Securit...The Bot Stops Here: Removing the BotNet Threat - Public and Higher Ed Securit...
The Bot Stops Here: Removing the BotNet Threat - Public and Higher Ed Securit...Eric Vanderburg
 
PoS Malware and Other Threats to the Retail Industry
PoS Malware and Other Threats to the Retail IndustryPoS Malware and Other Threats to the Retail Industry
PoS Malware and Other Threats to the Retail IndustryInvincea, Inc.
 
Dealing with legacy code
Dealing with legacy codeDealing with legacy code
Dealing with legacy codeG Prachi
 
Maximising the security of your cloud infrastructure
Maximising the security of your cloud infrastructureMaximising the security of your cloud infrastructure
Maximising the security of your cloud infrastructureOVHcloud
 
How to Hack a Telecom and Stay Alive
How to Hack a Telecom and Stay AliveHow to Hack a Telecom and Stay Alive
How to Hack a Telecom and Stay AlivePositive Hack Days
 
Workshop on Cyber security and investigation
Workshop on Cyber security and investigationWorkshop on Cyber security and investigation
Workshop on Cyber security and investigationMehedi Hasan
 
Paper sharing_Edge based intrusion detection for IOT devices
Paper sharing_Edge based intrusion detection for IOT devicesPaper sharing_Edge based intrusion detection for IOT devices
Paper sharing_Edge based intrusion detection for IOT devicesYOU SHENG CHEN
 
Who needs iot security?
Who needs iot security?Who needs iot security?
Who needs iot security?Justin Black
 
BSides London 2015 - Proprietary network protocols - risky business on the wire.
BSides London 2015 - Proprietary network protocols - risky business on the wire.BSides London 2015 - Proprietary network protocols - risky business on the wire.
BSides London 2015 - Proprietary network protocols - risky business on the wire.Jakub Kałużny
 

Similar to Leave ATM Forever Alone (20)

Kochetova+osipv atm how_to_make_the_fraud__final
Kochetova+osipv atm how_to_make_the_fraud__finalKochetova+osipv atm how_to_make_the_fraud__final
Kochetova+osipv atm how_to_make_the_fraud__final
 
[cb22] Red light in the factory - From 0 to 100 OT adversary emulation by Vi...
[cb22] Red light in the factory - From 0 to 100 OT adversary emulation by Vi...[cb22] Red light in the factory - From 0 to 100 OT adversary emulation by Vi...
[cb22] Red light in the factory - From 0 to 100 OT adversary emulation by Vi...
 
Avast @ Machine Learning
Avast @ Machine LearningAvast @ Machine Learning
Avast @ Machine Learning
 
Shah Sheikh / ISACA UAE - Deep Dive on Evasive Malware
Shah Sheikh / ISACA UAE - Deep Dive on Evasive MalwareShah Sheikh / ISACA UAE - Deep Dive on Evasive Malware
Shah Sheikh / ISACA UAE - Deep Dive on Evasive Malware
 
The Bot Stops Here: Removing the BotNet Threat - Public and Higher Ed Securit...
The Bot Stops Here: Removing the BotNet Threat - Public and Higher Ed Securit...The Bot Stops Here: Removing the BotNet Threat - Public and Higher Ed Securit...
The Bot Stops Here: Removing the BotNet Threat - Public and Higher Ed Securit...
 
PoS Malware and Other Threats to the Retail Industry
PoS Malware and Other Threats to the Retail IndustryPoS Malware and Other Threats to the Retail Industry
PoS Malware and Other Threats to the Retail Industry
 
Dealing with legacy code
Dealing with legacy codeDealing with legacy code
Dealing with legacy code
 
Maximising the security of your cloud infrastructure
Maximising the security of your cloud infrastructureMaximising the security of your cloud infrastructure
Maximising the security of your cloud infrastructure
 
How to Hack a Telecom and Stay Alive
How to Hack a Telecom and Stay AliveHow to Hack a Telecom and Stay Alive
How to Hack a Telecom and Stay Alive
 
Cybercrime
CybercrimeCybercrime
Cybercrime
 
Hacking tutorial
Hacking tutorialHacking tutorial
Hacking tutorial
 
Workshop on Cyber security and investigation
Workshop on Cyber security and investigationWorkshop on Cyber security and investigation
Workshop on Cyber security and investigation
 
Ethical hacking (legal)
Ethical hacking (legal)Ethical hacking (legal)
Ethical hacking (legal)
 
Hacking
HackingHacking
Hacking
 
Hacking
HackingHacking
Hacking
 
Hacking In Detail
Hacking In DetailHacking In Detail
Hacking In Detail
 
Paper sharing_Edge based intrusion detection for IOT devices
Paper sharing_Edge based intrusion detection for IOT devicesPaper sharing_Edge based intrusion detection for IOT devices
Paper sharing_Edge based intrusion detection for IOT devices
 
Who needs iot security?
Who needs iot security?Who needs iot security?
Who needs iot security?
 
Hacking by Pratyush Gupta
Hacking by Pratyush GuptaHacking by Pratyush Gupta
Hacking by Pratyush Gupta
 
BSides London 2015 - Proprietary network protocols - risky business on the wire.
BSides London 2015 - Proprietary network protocols - risky business on the wire.BSides London 2015 - Proprietary network protocols - risky business on the wire.
BSides London 2015 - Proprietary network protocols - risky business on the wire.
 

Recently uploaded

办理(CSU毕业证书)澳洲查理斯特大学毕业证成绩单原版一比一
办理(CSU毕业证书)澳洲查理斯特大学毕业证成绩单原版一比一办理(CSU毕业证书)澳洲查理斯特大学毕业证成绩单原版一比一
办理(CSU毕业证书)澳洲查理斯特大学毕业证成绩单原版一比一diploma 1
 
Dubai Call Girls O525547819 Spring Break Fast Call Girls Dubai
Dubai Call Girls O525547819 Spring Break Fast Call Girls DubaiDubai Call Girls O525547819 Spring Break Fast Call Girls Dubai
Dubai Call Girls O525547819 Spring Break Fast Call Girls Dubaikojalkojal131
 
毕业文凭制作#回国入职#diploma#degree美国威斯康星大学麦迪逊分校毕业证成绩单pdf电子版制作修改#毕业文凭制作#回国入职#diploma#d...
毕业文凭制作#回国入职#diploma#degree美国威斯康星大学麦迪逊分校毕业证成绩单pdf电子版制作修改#毕业文凭制作#回国入职#diploma#d...毕业文凭制作#回国入职#diploma#degree美国威斯康星大学麦迪逊分校毕业证成绩单pdf电子版制作修改#毕业文凭制作#回国入职#diploma#d...
毕业文凭制作#回国入职#diploma#degree美国威斯康星大学麦迪逊分校毕业证成绩单pdf电子版制作修改#毕业文凭制作#回国入职#diploma#d...ttt fff
 
Real Sure (Call Girl) in I.G.I. Airport 8377087607 Hot Call Girls In Delhi NCR
Real Sure (Call Girl) in I.G.I. Airport 8377087607 Hot Call Girls In Delhi NCRReal Sure (Call Girl) in I.G.I. Airport 8377087607 Hot Call Girls In Delhi NCR
Real Sure (Call Girl) in I.G.I. Airport 8377087607 Hot Call Girls In Delhi NCRdollysharma2066
 
NO1 Qualified Best Black Magic Specialist Near Me Spiritual Healer Powerful L...
NO1 Qualified Best Black Magic Specialist Near Me Spiritual Healer Powerful L...NO1 Qualified Best Black Magic Specialist Near Me Spiritual Healer Powerful L...
NO1 Qualified Best Black Magic Specialist Near Me Spiritual Healer Powerful L...Amil baba
 
5S - House keeping (Seiri, Seiton, Seiso, Seiketsu, Shitsuke)
5S - House keeping (Seiri, Seiton, Seiso, Seiketsu, Shitsuke)5S - House keeping (Seiri, Seiton, Seiso, Seiketsu, Shitsuke)
5S - House keeping (Seiri, Seiton, Seiso, Seiketsu, Shitsuke)861c7ca49a02
 
NO1 Certified Black Magic Specialist Expert In Bahawalpur, Sargodha, Sialkot,...
NO1 Certified Black Magic Specialist Expert In Bahawalpur, Sargodha, Sialkot,...NO1 Certified Black Magic Specialist Expert In Bahawalpur, Sargodha, Sialkot,...
NO1 Certified Black Magic Specialist Expert In Bahawalpur, Sargodha, Sialkot,...Amil Baba Dawood bangali
 
NO1 Certified Vashikaran Specialist in Uk Black Magic Specialist in Uk Black ...
NO1 Certified Vashikaran Specialist in Uk Black Magic Specialist in Uk Black ...NO1 Certified Vashikaran Specialist in Uk Black Magic Specialist in Uk Black ...
NO1 Certified Vashikaran Specialist in Uk Black Magic Specialist in Uk Black ...Amil baba
 
Vip Udupi Call Girls 7001305949 WhatsApp Number 24x7 Best Services
Vip Udupi Call Girls 7001305949 WhatsApp Number 24x7 Best ServicesVip Udupi Call Girls 7001305949 WhatsApp Number 24x7 Best Services
Vip Udupi Call Girls 7001305949 WhatsApp Number 24x7 Best Servicesnajka9823
 
Call Girls In Munirka>༒9599632723 Incall_OutCall Available
Call Girls In Munirka>༒9599632723 Incall_OutCall AvailableCall Girls In Munirka>༒9599632723 Incall_OutCall Available
Call Girls In Munirka>༒9599632723 Incall_OutCall AvailableCall Girls in Delhi
 
Hindu amil baba kala jadu expert in pakistan islamabad lahore karachi atar ...
Hindu amil baba kala jadu expert in pakistan islamabad lahore karachi atar ...Hindu amil baba kala jadu expert in pakistan islamabad lahore karachi atar ...
Hindu amil baba kala jadu expert in pakistan islamabad lahore karachi atar ...amilabibi1
 
Erfurt FH学位证,埃尔福特应用技术大学毕业证书1:1制作
Erfurt FH学位证,埃尔福特应用技术大学毕业证书1:1制作Erfurt FH学位证,埃尔福特应用技术大学毕业证书1:1制作
Erfurt FH学位证,埃尔福特应用技术大学毕业证书1:1制作f3774p8b
 
萨斯喀彻温大学毕业证学位证成绩单-购买流程
萨斯喀彻温大学毕业证学位证成绩单-购买流程萨斯喀彻温大学毕业证学位证成绩单-购买流程
萨斯喀彻温大学毕业证学位证成绩单-购买流程1k98h0e1
 
专业一比一美国旧金山艺术学院毕业证成绩单pdf电子版制作修改#真实工艺展示#真实防伪#diploma#degree
专业一比一美国旧金山艺术学院毕业证成绩单pdf电子版制作修改#真实工艺展示#真实防伪#diploma#degree专业一比一美国旧金山艺术学院毕业证成绩单pdf电子版制作修改#真实工艺展示#真实防伪#diploma#degree
专业一比一美国旧金山艺术学院毕业证成绩单pdf电子版制作修改#真实工艺展示#真实防伪#diploma#degreeyuu sss
 
NO1 Certified Black Magic Specialist Expert Amil baba in Uk England Northern ...
NO1 Certified Black Magic Specialist Expert Amil baba in Uk England Northern ...NO1 Certified Black Magic Specialist Expert Amil baba in Uk England Northern ...
NO1 Certified Black Magic Specialist Expert Amil baba in Uk England Northern ...Amil Baba Dawood bangali
 
(办理学位证)韩国汉阳大学毕业证成绩单原版一比一
(办理学位证)韩国汉阳大学毕业证成绩单原版一比一(办理学位证)韩国汉阳大学毕业证成绩单原版一比一
(办理学位证)韩国汉阳大学毕业证成绩单原版一比一C SSS
 
existing product research b2 Sunderland Culture
existing product research b2 Sunderland Cultureexisting product research b2 Sunderland Culture
existing product research b2 Sunderland CultureChloeMeadows1
 
RBS学位证,鹿特丹商学院毕业证书1:1制作
RBS学位证,鹿特丹商学院毕业证书1:1制作RBS学位证,鹿特丹商学院毕业证书1:1制作
RBS学位证,鹿特丹商学院毕业证书1:1制作f3774p8b
 

Recently uploaded (20)

办理(CSU毕业证书)澳洲查理斯特大学毕业证成绩单原版一比一
办理(CSU毕业证书)澳洲查理斯特大学毕业证成绩单原版一比一办理(CSU毕业证书)澳洲查理斯特大学毕业证成绩单原版一比一
办理(CSU毕业证书)澳洲查理斯特大学毕业证成绩单原版一比一
 
young call girls in Gtb Nagar,🔝 9953056974 🔝 escort Service
young call girls in Gtb Nagar,🔝 9953056974 🔝 escort Serviceyoung call girls in Gtb Nagar,🔝 9953056974 🔝 escort Service
young call girls in Gtb Nagar,🔝 9953056974 🔝 escort Service
 
Dubai Call Girls O525547819 Spring Break Fast Call Girls Dubai
Dubai Call Girls O525547819 Spring Break Fast Call Girls DubaiDubai Call Girls O525547819 Spring Break Fast Call Girls Dubai
Dubai Call Girls O525547819 Spring Break Fast Call Girls Dubai
 
毕业文凭制作#回国入职#diploma#degree美国威斯康星大学麦迪逊分校毕业证成绩单pdf电子版制作修改#毕业文凭制作#回国入职#diploma#d...
毕业文凭制作#回国入职#diploma#degree美国威斯康星大学麦迪逊分校毕业证成绩单pdf电子版制作修改#毕业文凭制作#回国入职#diploma#d...毕业文凭制作#回国入职#diploma#degree美国威斯康星大学麦迪逊分校毕业证成绩单pdf电子版制作修改#毕业文凭制作#回国入职#diploma#d...
毕业文凭制作#回国入职#diploma#degree美国威斯康星大学麦迪逊分校毕业证成绩单pdf电子版制作修改#毕业文凭制作#回国入职#diploma#d...
 
Real Sure (Call Girl) in I.G.I. Airport 8377087607 Hot Call Girls In Delhi NCR
Real Sure (Call Girl) in I.G.I. Airport 8377087607 Hot Call Girls In Delhi NCRReal Sure (Call Girl) in I.G.I. Airport 8377087607 Hot Call Girls In Delhi NCR
Real Sure (Call Girl) in I.G.I. Airport 8377087607 Hot Call Girls In Delhi NCR
 
NO1 Qualified Best Black Magic Specialist Near Me Spiritual Healer Powerful L...
NO1 Qualified Best Black Magic Specialist Near Me Spiritual Healer Powerful L...NO1 Qualified Best Black Magic Specialist Near Me Spiritual Healer Powerful L...
NO1 Qualified Best Black Magic Specialist Near Me Spiritual Healer Powerful L...
 
5S - House keeping (Seiri, Seiton, Seiso, Seiketsu, Shitsuke)
5S - House keeping (Seiri, Seiton, Seiso, Seiketsu, Shitsuke)5S - House keeping (Seiri, Seiton, Seiso, Seiketsu, Shitsuke)
5S - House keeping (Seiri, Seiton, Seiso, Seiketsu, Shitsuke)
 
NO1 Certified Black Magic Specialist Expert In Bahawalpur, Sargodha, Sialkot,...
NO1 Certified Black Magic Specialist Expert In Bahawalpur, Sargodha, Sialkot,...NO1 Certified Black Magic Specialist Expert In Bahawalpur, Sargodha, Sialkot,...
NO1 Certified Black Magic Specialist Expert In Bahawalpur, Sargodha, Sialkot,...
 
NO1 Certified Vashikaran Specialist in Uk Black Magic Specialist in Uk Black ...
NO1 Certified Vashikaran Specialist in Uk Black Magic Specialist in Uk Black ...NO1 Certified Vashikaran Specialist in Uk Black Magic Specialist in Uk Black ...
NO1 Certified Vashikaran Specialist in Uk Black Magic Specialist in Uk Black ...
 
Vip Udupi Call Girls 7001305949 WhatsApp Number 24x7 Best Services
Vip Udupi Call Girls 7001305949 WhatsApp Number 24x7 Best ServicesVip Udupi Call Girls 7001305949 WhatsApp Number 24x7 Best Services
Vip Udupi Call Girls 7001305949 WhatsApp Number 24x7 Best Services
 
Call Girls In Munirka>༒9599632723 Incall_OutCall Available
Call Girls In Munirka>༒9599632723 Incall_OutCall AvailableCall Girls In Munirka>༒9599632723 Incall_OutCall Available
Call Girls In Munirka>༒9599632723 Incall_OutCall Available
 
young call girls in Khanpur,🔝 9953056974 🔝 escort Service
young call girls in Khanpur,🔝 9953056974 🔝 escort Serviceyoung call girls in Khanpur,🔝 9953056974 🔝 escort Service
young call girls in Khanpur,🔝 9953056974 🔝 escort Service
 
Hindu amil baba kala jadu expert in pakistan islamabad lahore karachi atar ...
Hindu amil baba kala jadu expert in pakistan islamabad lahore karachi atar ...Hindu amil baba kala jadu expert in pakistan islamabad lahore karachi atar ...
Hindu amil baba kala jadu expert in pakistan islamabad lahore karachi atar ...
 
Erfurt FH学位证,埃尔福特应用技术大学毕业证书1:1制作
Erfurt FH学位证,埃尔福特应用技术大学毕业证书1:1制作Erfurt FH学位证,埃尔福特应用技术大学毕业证书1:1制作
Erfurt FH学位证,埃尔福特应用技术大学毕业证书1:1制作
 
萨斯喀彻温大学毕业证学位证成绩单-购买流程
萨斯喀彻温大学毕业证学位证成绩单-购买流程萨斯喀彻温大学毕业证学位证成绩单-购买流程
萨斯喀彻温大学毕业证学位证成绩单-购买流程
 
专业一比一美国旧金山艺术学院毕业证成绩单pdf电子版制作修改#真实工艺展示#真实防伪#diploma#degree
专业一比一美国旧金山艺术学院毕业证成绩单pdf电子版制作修改#真实工艺展示#真实防伪#diploma#degree专业一比一美国旧金山艺术学院毕业证成绩单pdf电子版制作修改#真实工艺展示#真实防伪#diploma#degree
专业一比一美国旧金山艺术学院毕业证成绩单pdf电子版制作修改#真实工艺展示#真实防伪#diploma#degree
 
NO1 Certified Black Magic Specialist Expert Amil baba in Uk England Northern ...
NO1 Certified Black Magic Specialist Expert Amil baba in Uk England Northern ...NO1 Certified Black Magic Specialist Expert Amil baba in Uk England Northern ...
NO1 Certified Black Magic Specialist Expert Amil baba in Uk England Northern ...
 
(办理学位证)韩国汉阳大学毕业证成绩单原版一比一
(办理学位证)韩国汉阳大学毕业证成绩单原版一比一(办理学位证)韩国汉阳大学毕业证成绩单原版一比一
(办理学位证)韩国汉阳大学毕业证成绩单原版一比一
 
existing product research b2 Sunderland Culture
existing product research b2 Sunderland Cultureexisting product research b2 Sunderland Culture
existing product research b2 Sunderland Culture
 
RBS学位证,鹿特丹商学院毕业证书1:1制作
RBS学位证,鹿特丹商学院毕业证书1:1制作RBS学位证,鹿特丹商学院毕业证书1:1制作
RBS学位证,鹿特丹商学院毕业证书1:1制作
 

Leave ATM Forever Alone

  • 1.
  • 2. Experts@PHD:~# WhoAmI •Positive Hack Days Team •Speakers at many IT events •Pentesters of various systems •Authors of multiple articles, researches, advisories •CLUB-MATE addicts
  • 3.
  • 6. Based On True Stories
  • 7. Volume Of European ATM Crime
  • 8. ATM Fraud Attacks Effects 'Unlimited' Withdrawals and Sensitive Data Theft with: Black Box and Malware attacks (PINPAD Malware, Malware to jackpot dispenser, Malware through USB ports; also criminals gain physical access to ATMs to load malware through USB devices) Diagnostics tests Safe lock code compromise Database Theft Skimming Internal attack (employees)
  • 9. Malware • Skimer.A -2008 • …………………………………… • Backdoor.Ploutus – 2013-2014 • Backdoor.Padpin – 2014 • Macau Malware – 2014 • Backdoor.Tyupkin – 2014 • Trojan.Skimmer (new) – 2015 Subtotal = 16 < variants of malware
  • 11. Hijacking ATM Control/Processing Host •Carbanac – 2015 •MitM – 2015
  • 12. “Average Bill” Typical ATM contains 4 cassettes with ~2500 notes in each one. (5+10+20+50)= US$ or € 212 500 (100+500+1000+5000)= ₽16 500 000 could be stolen from ATM during single incident.
  • 13. Tyupkin: Around The World In 412 Days
  • 14. How It Works: Tyupkin & So On •Access •Infection •Control •Theft
  • 15. How It Works: XFS Network communication Windows-based application Configuration information Unit #1 Service provider #1 Unit #2 Unit #3 Service provider #2 Service provider #3 Unit #4 Service provider #4 Unit #5 Unit #6 Service provider #5 Service provider #6 XFS API XFS SPI XFS manager COM USB Customer/Service mode
  • 16. How It Really Works: XFS Insecurity Network communication Windows-based application Configuration information Unit #1 Service provider #1 Unit #2 Unit #3 Service provider #2 Service provider #3 Unit #4 Service provider #4 Unit #5 Unit #6 Service provider #5 Service provider #6 XFS API XFS SPI XFS manager COM USB Customer/Service mode
  • 17. XFS, Cash Dispenser Device •Cash withdrawal without authorization •Cassette and cash control •Software safe opening
  • 18. XFS, Identification Card Device •Read/write data •Insert/eject/retain cards •EMV reader (one can access payment history stored in chip)
  • 19. XFS, PIN Keypad Device • Export of the key is not available • Open mode and secure mode read data (for stealing PIN: an ATM software sets “secure mode” for entering PIN, and intruder changes it to “open mode” to capture the PIN)
  • 20. XFS Authentication •Authentication? What authentication? •Exclusive access to XFS manager/service provider? Exists, but not intended to be used for security
  • 21. XFS Authentication •Authentication? What authentication? •Exclusive access to XFS manager/service provider? Exists, but not intended to be used for security
  • 22. Hacker, Porter And The Chamber Of Secrets
  • 23. Windows XP Still Alive •Early 2014 – 95% of ATMs run on Windows XP •Support killed off in April •>9000 vulnerabilities
  • 24. Demo: MS 07-068 Strikes Again http://www.youtube.com/watch?v=Uxd0TRdE6sw
  • 25. How It Works: Black Box Attacks • Dispenser • Card reader • Encrypted PIN-pad • Sensors
  • 26. How It Works: Physical Interfaces COM/USB Network communication Windows-based application Configuration information Unit #1 Service provider #1 Unit #2 Unit #3 Service provider #2 Service provider #3 Unit #4 Service provider #4 Unit #5 Unit #6 Service provider #5 Service provider #6 XFS API XFS SPI XFS manager COM USB Customer/Service mode
  • 27. How It Really Works: COM/USB Insecurity Network communication Windows-based application Configuration information Unit #1 Service provider #1 Unit #2 Unit #3 Service provider #2 Service provider #3 Unit #4 Service provider #4 Unit #5 Unit #6 Service provider #5 Service provider #6 XFS API XFS SPI XFS manager COM USB Customer/Service mode
  • 28. DinosauRS232 •Standard interface •No specific drivers •No authorization •Insecure proprietary protocols (just sniff and replay)
  • 29. Difficulties • Protocols bloat • Specific method of integrity control • Short timeouts • Endless polling • New firmware version = new protocol
  • 30. Typical serial protocol •No good tools for analysis •No flow control •No host loss detection •Packets • Fixed size • Start/stop bytes • Length prefix + data
  • 31. Advantages Of COM/USB •Direct device control •Execution of undocumented functions •Intercept unmasked sensitive data
  • 34. Advantages Of COM/USB •Possibility of producing hardware sniffer, which can’t be detected by visual examination
  • 35. Card Reader/ Writer/ Skimmer Sensitive data disclosure, e.g. track data in plaintext, is possible with reading command sending to COM/USB port directly. This attack is possible with ATM's computer or with any external device, which is connected to the card reader's COM/USB port.
  • 36. What Big Vendors Think The vulnerabilities are essentially normal specifications of the card readers and not unexpected. As long as the ATM is running within normal parameters, these problems cannot possibly occur.(c) However this vulnerability is inherent in the USB technology and is expected be mitigated by the use of appropriate physical controls on access to the ATM top box.(c)
  • 37. Top Lock For The Top Box
  • 39. Locks is not about security
  • 40. How It Really Works: ATM Cabinet Locks
  • 44. Advantages Of COM/USB •Direct device control • Command execution mitigating all host- based checks, e.g. cash withdrawal without notes counter checks • 02 30 / 10 03 – start-stop sentinels • XX XX– op-code • XX – Unknown • 01 01 … – data • 42 – CRC8 02 30 XX XX X X 01 01 02 00 03 00 04 00 05 00 06 00 10 03 42
  • 45. Quick Cash And Full Control Control cash dispenser module by unauthorized application or user. An attacker has possibility to control cash dispenser by sending command to COM/USB port directly, including dispensing and presenting commands. This attack is possible with ATM's computer or with any external device, which is connected to the dispenser's COM/USB port.
  • 47. What Big Vendors Think “We regret informing you that we had decided to stop producing this model more than 3 years ago and warranties for our distributors been expired.”
  • 48. What About Cryptography Dispenser “Half” Security Level: Any use of cryptography – is NOT equal to good use of cryptography
  • 49. Achievement Unlocked Dispenser High Security Level: Dispenser Upgrade Pack is released and available from the vendor_name download center, and it will be included as standard in the next release of XFS.(c)
  • 50. We Had Two Libs Of Python, 35 USD, Power Bank And Wi-Fi Dongle
  • 53. No More SSL •OpenSSL in ATM/POS software •Misconfiguration •PCI/PA DSS v.3.1 SSL >> TLS
  • 54. Conclusions • Service zone is important • Current methods of protection is not enough • Using execution prevention software without OS patches – is wrong
  • 55. Proposals • Implement mutual authentication both for ATM computer and it’s devices • Make peer review of XFS standard/communication protocols • Service zone is as important as safe • Trust environment is not about ATMs • Implement regular security assessments and pentest of ATMs