revisiting atm
play

Revisiting ATM vulnerabilities for our fun and vendors profit - PowerPoint PPT Presentation

Jan 10, 2023 •182 likes •793 views

Revisiting ATM vulnerabilities for our fun and vendors profit Alexey Osipov & Olga Kochetova Experts@Security:~# WhoAmI Positive Hack Days Team Speakers at many IT events Pentesters of various systems Authors of multiple

  1. Revisiting ATM vulnerabilities for our fun and vendor’s profit Alexey Osipov & Olga Kochetova

  2. Experts@Security:~# WhoAmI • Positive Hack Days Team • Speakers at many IT events • Pentesters of various systems • Authors of multiple articles, researches, advisories

  3. Agenda • Overview • What makes us roll • Short stories • Vendors losses • Our frustration • Conclusions

  4. ATM (front view)

  5. ATM Cabinet

  6. ATM Safe (outside)

  7. ATM Safe (inside)

  8. Software Stack Host st • MS Windows • Device control middleware and kiosk • Some AV/integrity control • Video surveillance/Radmin/Old flash player and other crap Devi vices es • RTOS on strange microcontrollers

  9. Windows XP Still Alive • Early 2014 – 95% of ATMs run on Windows XP • Support killed off in April 2014 • >9000 vulnerabilities

  10. Rob The Bank

  11. BOOOoooring

  12. Alternative News

  13. “Average Bill” Typical ATM contains 4 cassettes with ~2500 notes in each one. US$/ € 21 (5+ 5+10 10+20+ +20+50)x2 50)x2500= 500= US 212 50 2 500 could be stolen from ATM during single incident.

  14. DO NOT REPEAT IT AT HOME

  15. Main Parts Of Everything

  16. True Story #1

  17. Malware • Skimer.A -2008 • …………………………………… • Backdoor.Ploutus – 2013-2014 • Backdoor.Padpin – 2014 • Macau Malware – 2014 • Backdoor.Tyupkin – 2014 • Trojan.Skimmer (new) – 2015 Subtotal = 16 < variants of malware

  18. Tyupkin: Around The World In 435 Days

  19. How It Works: Jackpotting Malware • Access • Infection • Control • Theft

  20. How It Works: XFS Customer/Service Windows-based Network mode application communication XFS API XFS manager Configuration information XFS SPI Service Service Service Service Service Service provider #1 provider #2 provider #3 provider #4 provider #5 provider #6 COM USB Unit #1 Unit #2 Unit #3 Unit #4 Unit #5 Unit #6

  21. How It Really Works: XFS Insecurity Customer/Service Windows-based Network mode application communication XFS API XFS manager Configuration information XFS SPI Service Service Service Service Service Service provider #1 provider #2 provider #3 provider #4 provider #5 provider #6 COM USB Unit #1 Unit #2 Unit #3 Unit #4 Unit #5 Unit #6

  22. XFS , Cash Dispenser Device • Cash withdrawal without authorization • Cassette and cash control • Software safe opening

  23. XFS, Identification Card Device • Insert/eject/retain cards • Read/write data • EMV reader (one can access payment history stored in chip)

  24. XFS , PIN Keypad Device • Export of the key is not available • Open mode and secure mode read data (for stealing PIN: an ATM software sets “secure mode” for entering PIN, and intruder changes it to “open mode” to capture the PIN)

  25. PIN Device Flow

  26. PIN Device Flow -If entering PIN/encryption keys -Authenticate host on currently used keys -Send empty button press events -Send PIN block to host -If entering open string -Send all button press events with button values to host

  27. PIN MITM Attack

  28. PIN Device MITM Attacks -Request open mode from PIN pad when user is going to insert PIN code -Acknowledge host about button presses - Send erroneous PIN block (we don’t know keys) -Host refuses transaction, but attacker knows client PIN code -Next transaction will be unmodified

  29. XFS Authentication • Authentication? Wha What t aut authent henticat ication? ion? • Exclusive access to XFS manager/service provider? Exi Exists, sts, but but not not int intende ended to d to be be use used fo d for se r securi curity ty

  30. XFS Authentication • Authentication? Wha What t aut authent henticat ication? ion? • Exclusive access to XFS manager/service provider? Exi Exists, sts, but but not not int intende ended to d to be be use used fo d for se r securi curity ty

  31. XFS specification • Where?

  32. XFS specification • Where? • “We don’t know yet” (c) but try google “ XFS ATM ”

  33. True Story #2

  34. http://krebsonsecurity.com/2015/01/thieves-jackpot-atms-with-black-box-attack/

  35. Black Box Attacks • Directly control ATM

  36. How It Works: Black Box Attacks • Dispenser • Card reader • Encrypted PIN-pad • Sensors

  37. How It Works: Physical Interfaces COM/USB Customer/Service Windows-based Network mode application communication XFS API XFS manager Configuration information XFS SPI Service Service Service Service Service Service provider #1 provider #2 provider #3 provider #4 provider #5 provider #6 COM USB Unit #1 Unit #2 Unit #3 Unit #4 Unit #5 Unit #6

  38. How It Really Works: COM/USB Insecurity Customer/Service Windows-based Network mode application communication XFS API XFS manager Configuration information XFS SPI Service Service Service Service Service Service provider #1 provider #2 provider #3 provider #4 provider #5 provider #6 COM USB Unit #1 Unit #2 Unit #3 Unit #4 Unit #5 Unit #6

  39. DinosauRS232 • Standard interface • No specific drivers • No authorization • Insecure proprietary protocols (just sniff and replay)

  40. Advantages Of COM/USB • Direct device control • Execution of undocumented functions • Intercept unmasked sensitive data • Possibility of producing hardware sniffer, which can’t be detected by visual examination

  41. Advantages Of COM/USB • Direct device control • Command execution mitigating all host- based checks, e.g. cash withdrawal without notes counter checks 01 01 02 00 • 02 30 / 10 03 – start-stop sentinels 02 03 00 10 XX X 42 • XX XX – op-code 30 XX X 04 00 03 05 00 • XX – Unknown 06 00 • 01 01 … – data • 42 – CRC8

  42. We Had Two Libs Of Python, 35 USD, Power Bank And Wi-Fi Dongle

  43. RS232 vs USB-HID # ls /dev/tty* # lsusb import serial import hid ser = serial.Serial('/dev/ttyUSB0') h = hid.device(0x????, 0x20) h.write([0x80] + map(ord, ser.write(" 0230XXXXXX01010200 " 0230XXXXXX0101020003000400 0300040005000600100342 “.deco de(‘hex’)) 05000600100342 “.decode(‘hex’))) ser.close() h.close()

  44. Demo https://youtu.be/4TXnIcjn1xc

  45. True Story #3

  46. Hijacking ATM Control/Processing Host • Carbanac – 2015 • MitM – 2015

  47. Possible connections to processing center • VPN (Hardware/Software) • SSL • MAC-authentication • Firewall • IDS

  48. ATMs In Internet Pakistan 1458 Russia 571 Venezuela 28 Tajikistan 20 Ukraine 16 Armenia 11 Brazil 1 Zambia 1 Sierra-Leone 1 Thailand 1

  49. Who Cares

  50. Card Reader/ Writer/ Skimmer Sensitive data disclosure, e.g. track data in plaintext, is possible with reading command sending to COM/USB port directly. This attack is possible with ATM's computer or with any external device, which is connected to the card reader's COM/USB port.

  51. What Big Vendors Think The vulnerabilities are essentially normal specifications of the card readers and not unexpected. As long as the ATM is running within normal parameters, these problems cannot possibly occur.(c) However this vulnerability is inherent in the USB technology and is expected be mitigated by the use of appropriate physical controls on access to the ATM top box.(c)

  52. Quick Cash And Full Control Control cash dispenser module by unauthorized application or user. An attacker has possibility to control cash dispenser by sending command to COM/USB port directly, including dispensing and presenting commands. This attack is possible with ATM's computer or with any external device, which is connected to the dispenser's COM/USB port.

  53. What Big Vendors Think “We regret informing you that we had decided to stop producing this model more than 3 years ago and warranties for our distributors been expired.”

  54. What About Cryptography Dispenser “Half” Security Level: Any use of cryptography – is NOT equal to good use of cryptography

  55. Achievement Unlocked Dispenser Hig High Security Level: Dispenser Upgrade Pack is released and available from the vendor_name download center, and it will be included as standard in the next release of XFS.(c)

  56. No More SSL • OpenSSL in ATM/POS software • Misconfiguration • PCI/PA DSS v.3.1 SSL >> TLS

  57. How Live With All This

  58. Conclusions • Current vulnerabilities in ATMs are low hanging fruits, that are ready for criminals • Vendors are not that interested in fixing. Increase cost, decrease profit • Banks are not that competent to know what to do

  59. Proposals • Implement mutual authentication both for ATM computer and it’s devices • Make peer review of XFS standard/communication protocols • Authenticated dispense from processing center • Trust environment is not about ATMs • Implement regular security assessments and pentest of ATMs

  60. Kudos Alexander Tlyapov, @_Rigmar_ And all other guys worth mentioning

  61. Questions? Alexey Osipov @GiftsUngiven, GiftsUngiv3n@gmail.com Olga Kochetova @_Endless_Quest_, Olga.v.Kochetova@gmail.com

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Revisiting Paulsons Theory of the Con- structible Universe with Isar and Sledge-

Revisiting Paulsons Theory of the Con- structible Universe with Isar and Sledge-

Revisiting Paulsons Theory of the Con- structible Universe with Isar and Sledge- hammer Ioanna M. Dimitriou H. and Peter Koepke, University of Bonn, Germany AITP 2016 Obergurgl, Austria, April 3-7, 2016 Revisiting Paulsons

703 views • 33 slides
REVISITING GENDER AND HOUSEWORK IN Dawn Mannay CONTEMPORARY URBAN SOUTH WALES

REVISITING GENDER AND HOUSEWORK IN Dawn Mannay CONTEMPORARY URBAN SOUTH WALES

WHO SHOULD DO THE DISHES NOW? REVISITING GENDER AND HOUSEWORK IN Dawn Mannay CONTEMPORARY URBAN SOUTH WALES MannayDI@Cardiff.ac.uk REVISITING Jane Pilchers (1994) seminal work Who should do the dishes? Three generations of Welsh women

250 views • 11 slides
Revisiting the Estim ation of the Revisiting the Estim ation of the Marginal Cost of Highw ay

Revisiting the Estim ation of the Revisiting the Estim ation of the Marginal Cost of Highw ay

The 6 th Conference on Applied I nfrastructure Research ( I nfraday) The 6 th Conference on Applied I nfrastructure Research ( I nfraday) Berlin - - October 2 0 0 7 October 2 0 0 7 Berlin Revisiting the Estim ation of the Revisiting the Estim

206 views • 20 slides
Theory and applications 1 Roadmap to Lecture 6 Part 2 1. Revisiting the Reynolds stress

Theory and applications 1 Roadmap to Lecture 6 Part 2 1. Revisiting the Reynolds stress

Turbulence and CFD models: Theory and applications 1 Roadmap to Lecture 6 Part 2 1. Revisiting the Reynolds stress transport equation and the turbulent kinetic energy equation 2. Revisiting the closure problem 3. Two equations models

598 views • 36 slides
Revisiting Old Friends: Is CoDel Really Achieving What RED Cannot? Nicolas Kuhn 1 Emmanuel Lochin

Revisiting Old Friends: Is CoDel Really Achieving What RED Cannot? Nicolas Kuhn 1 Emmanuel Lochin

Revisiting Old Friends: Is CoDel Really Achieving What RED Cannot? Nicolas Kuhn 1 Emmanuel Lochin 2 Olivier Mehani 3 1 IMT Telecom Bretagne, France 2 Universit e de Toulouse, France 3 National ICT Australia, Australia 1/21 Revisiting Old

838 views • 40 slides
Re Revisiting Multilateral Co Cooperation o on N NTS S Is Issues es in in ASEAN: Th The

Re Revisiting Multilateral Co Cooperation o on N NTS S Is Issues es in in ASEAN: Th The

Re Revisiting Multilateral Co Cooperation o on N NTS S Is Issues es in in ASEAN: Th The Cas ase of f AHA Centre Is Is mu mult ltila ilater eral al coop ooper eration ion need eeded ed? In In wh what s situation m

332 views • 15 slides
1 Revisiting the Roman Masculine Ideal 1. Confident public speaker

1 Revisiting the Roman Masculine Ideal 1. Confident public speaker

Class 8a REAL (CHRISTIAN) MEN: AN OXYMORON? Outline Revisiting the Roman Masculine Ideal How Christian Men Measured Up Research Cluster

412 views • 4 slides
Less is more: Revisiting interrogative flip Natasha Korotkova Konstanz / Tbingen Workshop

Less is more: Revisiting interrogative flip Natasha Korotkova Konstanz / Tbingen Workshop

Less is more: Revisiting interrogative flip Natasha Korotkova Konstanz / Tbingen Workshop Meaning in non-canonical questions June 8, 2018 Natasha Korotkova (n.korotkova@ucla.edu) Revisiting Interrogative flip MiQ 6/8/18 1 / 42

1.09k views • 52 slides
Revisiting the Top Background (and a little of B-tagging) G. Codispoti, J.F. de Trocniz

Revisiting the Top Background (and a little of B-tagging) G. Codispoti, J.F. de Trocniz

May12 Higgs 2l2q Working Meeting Revisiting the Top Background (and a little of B-tagging) G. Codispoti, J.F. de Trocniz Universidad Autnoma de Madrid Outline q Using e data for top(+X) background: full 2011 results. q First

378 views • 19 slides
Analysis and Optimization of Cryptographically Generated Addresses (CGA) Revisiting

Analysis and Optimization of Cryptographically Generated Addresses (CGA) Revisiting

Introduction CGA for IPv6 CGA++ Analysis and Optimization of Cryptographically Generated Addresses (CGA) Revisiting Self-Certifying Address Generation and Verification Joppe Bos, Onur Ozen and Jean-Pierre Hubaux Ecole Polytechnique F

2.28k views • 44 slides
-[ Revisiting Mac OS X Kernel Rootkits! ]- Liar! Macs have no viruses! Who

-[ Revisiting Mac OS X Kernel Rootkits! ]- Liar! Macs have no viruses! Who

-[ Revisiting Mac OS X Kernel Rootkits! ]- Liar! Macs have no viruses! Who Am I Hold two degrees nobody likes these days: Economics &amp; MBA. Ex-hacker for .pt banking system (www.sibs.pt). Security

1.16k views • 91 slides
Revisiting Auxiliary Variables Stephan Merz joint work with Leslie Lamport Inria &amp; LORIA,

Revisiting Auxiliary Variables Stephan Merz joint work with Leslie Lamport Inria &amp; LORIA,

Revisiting Auxiliary Variables Stephan Merz joint work with Leslie Lamport Inria &amp; LORIA, Nancy, France IFIP Working Group 2.2 Bordeaux, September 2017 Stephan Merz Revisiting Auxiliary Variables WG 2.2, 2017-09 1 / 24 Specifications

990 views • 51 slides
Revisiting Magnetic Field Limits in Revisiting Magnetic Field Limits in Quadrupoles Arising From

Revisiting Magnetic Field Limits in Revisiting Magnetic Field Limits in Quadrupoles Arising From

Revisiting Magnetic Field Limits in Revisiting Magnetic Field Limits in Quadrupoles Arising From Losses due to H- Quadrupoles Arising From Losses due to H- Stripping Stripping (Encore) (Encore) J.-F. Ostiguy APC/Fermilab ostiguy@fnal.gov

148 views • 14 slides
Revisiting Lie integrability by quadratures from a geometric perspective Jos F. Cariena

Revisiting Lie integrability by quadratures from a geometric perspective Jos F. Cariena

Revisiting Lie integrability by quadratures from a geometric perspective Jos F. Cariena Universidad de Zaragoza jfc@unizar.es Geometry of jets and fields, Bedlewo, May 13, 2015 Abstract The classical result of Lie on integrability by

724 views • 41 slides
Revisiting the Institutional Approach to Herbrands Theorem Ionu uu 1,2 Jos Luiz

Revisiting the Institutional Approach to Herbrands Theorem Ionu uu 1,2 Jos Luiz

Revisiting the Institutional Approach to Herbrands Theorem Ionu uu 1,2 Jos Luiz Fiadeiro 1 1 Department of Computer Science, Royal Holloway University of London 2 Simion Stoilow Institute of Mathematics of the Romanian Academy 6 th

435 views • 32 slides
Revisiting Question Answering in Vampire Giles Reger School of Computer Science, University of

Revisiting Question Answering in Vampire Giles Reger School of Computer Science, University of

Revisiting Question Answering in Vampire Giles Reger School of Computer Science, University of Manchester, UK The 4th Vampire Workshop Reger,G Revisiting Question Answering in Vampire 1 / 24 Introduction In this talk we will Revisit the

500 views • 28 slides
Webinar: Active Traffic Management (ATM) Implementation and Operations Guidance October 17,

Webinar: Active Traffic Management (ATM) Implementation and Operations Guidance October 17,

The Future of Transportation - 2010 APWA Annual Congress and Exposition Webinar: Active Traffic Management (ATM) Implementation and Operations Guidance October 17, 2017 Agenda Housekeeping Introductions Overview of Active Transportation

1k views • 86 slides
CS 451 Software Engineering Yuanfang Cai Room 104, University Crossings 215.895.0298

CS 451 Software Engineering Yuanfang Cai Room 104, University Crossings 215.895.0298

CS 451 Software Engineering Yuanfang Cai Room 104, University Crossings 215.895.0298 yfcai@cs.drexel.edu 1 Drexel University Design Engineering A systematical way to translate SRS into design Start with use cases from SRS

565 views • 20 slides
How To Buy And Hack an ATM Leigh-Anne Galloway &amp; Timur Yunusov About us

How To Buy And Hack an ATM Leigh-Anne Galloway &amp; Timur Yunusov About us

How To Buy And Hack an ATM Leigh-Anne Galloway &amp; Timur Yunusov About us Appsec/websec/banksec/infosec Incident response (payment investigation) No experience with ATM acquisition L_AGalloway a66at THE BIRTH OF AN IDEA HISTORY OF

770 views • 57 slides
CS 457 Lecture 9 ATM and Switch Implementations Fall 2011 Recall: Introduced Switches

CS 457 Lecture 9 ATM and Switch Implementations Fall 2011 Recall: Introduced Switches

CS 457 Lecture 9 ATM and Switch Implementations Fall 2011 Recall: Introduced Switches Switch breaks subnet into LAN segments Switch filters packets Frame only forwarded to the necessary segments Segments become separate

783 views • 30 slides
ATM Signaling Project ARL Washington University Dakang Wu dakang@arl.wustl.edu Hui Shen

ATM Signaling Project ARL Washington University Dakang Wu dakang@arl.wustl.edu Hui Shen

ATM Signaling Project ARL Washington University Dakang Wu dakang@arl.wustl.edu Hui Shen shen@arl.wustl.edu Jeyashankher Ramamirtham jai@arl.wustl.edu Outline ATM signaling project overview Project current status Demo setting

464 views • 17 slides
PHYSICS OF THE NEUTRINO FACTORY (AND FRIENDS) J.J. Gmez Cadenas IFIC (CSIC-UV) Lecture II

PHYSICS OF THE NEUTRINO FACTORY (AND FRIENDS) J.J. Gmez Cadenas IFIC (CSIC-UV) Lecture II

PHYSICS OF THE NEUTRINO FACTORY (AND FRIENDS) J.J. Gmez Cadenas IFIC (CSIC-UV) Lecture II viernes 17 de julio de 2009 LECTURE II Matter matters Degenerate physics Design your experiment viernes 17 de julio de 2009 TRAVEL IN

301 views • 18 slides
Tibor Bosse, Alexei Sharpanskykh, Jan Treur, Henk Blom, Sybert Stroeve SESAR Innovation Days,

Tibor Bosse, Alexei Sharpanskykh, Jan Treur, Henk Blom, Sybert Stroeve SESAR Innovation Days,

Agent-Based Modelling of Hazards in ATM Tibor Bosse, Alexei Sharpanskykh, Jan Treur, Henk Blom, Sybert Stroeve SESAR Innovation Days, Braunschweig, Germany, Nov 27-29, 2012 vrije Universiteit amsterdam Contents 1. MAREA project and motivation 2.

257 views • 24 slides
Regulation E Background Electronic Funds Transfer Act Rights, liabilities, and

Regulation E Background Electronic Funds Transfer Act Rights, liabilities, and

Regulation E Background Electronic Funds Transfer Act Rights, liabilities, and responsibilities of the parties involved in an electronic funds transfer (EFT) The CFPB has rulemaking authority 12 CFR 1005 Examples of EFTs

608 views • 40 slides

More recommend