Experts@PHD:~# WhoAmI
• Positive Hack Days Team
• Speakers at many IT events
• Pentesters of various systems
• Authors of multiple articles, research papers and advisories
• CLUB-MATE addicts
Rob The Bank
BOOOoooring
Based On True Stories
Volume Of European ATM Crime
ATM Fraud Attacks Effects
'Unlimited' withdrawals and sensitive data theft with:
• Black box and malware attacks (PIN pad malware, malware that jackpots the dispenser, malware loaded through USB ports; criminals also gain physical access to ATMs to load malware from USB devices)
• Diagnostic tests
• Safe lock code compromise
• Database theft
• Skimming
• Internal attack (employees)
Malware
• Skimer.A – 2008
• …
• Backdoor.Ploutus – 2013-2014
• Backdoor.Padpin – 2014
• Macau Malware – 2014
• Backdoor.Tyupkin – 2014
• Trojan.Skimmer (new) – 2015
Subtotal: more than 16 malware variants
Black Box Attacks
• Directly control the ATM
Hijacking ATM Control/Processing Host
• Carbanak – 2015
• MitM – 2015
“Average Bill”
A typical ATM contains 4 cassettes with ~2500 notes in each one.
(5+10+20+50) × 2500 = US$ or € 212 500
(100+500+1000+5000) × 2500 = ₽16 500 000
could be stolen from an ATM during a single incident.
Tyupkin: Around The World In 412 Days
How It Works: Tyupkin & So On
• Access
• Infection
• Control
• Theft
How It Works: XFS
[Diagram: Windows-based application (with configuration information and network communication) → XFS API → XFS manager → XFS SPI → service providers #1–#6 → units #1–#6 over COM/USB; customer/service mode]
How It Really Works: XFS Insecurity
[Same diagram: Windows-based application (with configuration information and network communication) → XFS API → XFS manager → XFS SPI → service providers #1–#6 → units #1–#6 over COM/USB; customer/service mode]
XFS, Cash Dispenser Device
• Cash withdrawal without authorization
• Cassette and cash control
• Software safe opening
XFS, Identification Card Device
• Read/write data
• Insert/eject/retain cards
• EMV reader (one can access the payment history stored in the chip)
XFS, PIN Keypad Device
• Export of the key is not available
• Open mode and secure mode for reading data (PIN theft: the ATM software sets “secure mode” for PIN entry, and the intruder switches it to “open mode” to capture the PIN)
XFS Authentication
• Authentication? What authentication?
• Exclusive access to the XFS manager/service provider? Exists, but not intended to be used for security
Hacker, Porter And The Chamber Of Secrets
Windows XP Still Alive
• Early 2014 – 95% of ATMs run on Windows XP
• Support killed off in April
• >9000 vulnerabilities
Demo: MS07-068 Strikes Again
http://www.youtube.com/watch?v=Uxd0TRdE6sw
How It Works: Black Box Attacks
• Dispenser
• Card reader
• Encrypted PIN pad
• Sensors
How It Works: Physical Interfaces COM/USB
[Same diagram: Windows-based application (with configuration information and network communication) → XFS API → XFS manager → XFS SPI → service providers #1–#6 → units #1–#6 over COM/USB; customer/service mode]
How It Really Works: COM/USB Insecurity
[Same diagram: Windows-based application (with configuration information and network communication) → XFS API → XFS manager → XFS SPI → service providers #1–#6 → units #1–#6 over COM/USB; customer/service mode]
DinosauRS232
• Standard interface
• No specific drivers
• No authorization
• Insecure proprietary protocols (just sniff and replay)
Difficulties
• Protocol bloat
• Vendor-specific method of integrity control
• Short timeouts
• Endless polling
• New firmware version = new protocol
Typical serial protocol
• No good tools for analysis
• No flow control
• No host loss detection
• Packets:
  • Fixed size
  • Start/stop bytes
  • Length prefix + data
Advantages Of COM/USB
• Direct device control
• Execution of undocumented functions
• Interception of unmasked sensitive data
Really Big Sale
Really Big Fail
Advantages Of COM/USB
• Possibility of producing a hardware sniffer that can’t be detected by visual examination
Card Reader/Writer/Skimmer
Sensitive data disclosure, e.g. track data in plaintext, is possible by sending a read command directly to the COM/USB port. This attack is possible from the ATM's computer or from any external device connected to the card reader's COM/USB port.
What Big Vendors Think
“The vulnerabilities are essentially normal specifications of the card readers and not unexpected. As long as the ATM is running within normal parameters, these problems cannot possibly occur.” (c)
“However, this vulnerability is inherent in the USB technology and is expected to be mitigated by the use of appropriate physical controls on access to the ATM top box.” (c)
Top Lock For The Top Box
Unlockpickable
Locks are not about security
How It Really Works: ATM Cabinet Locks
ATM is locked
Demo: Unlockpickable?
http://www.youtube.com/watch?v=KijIzHUtLjU
Secure Your ATMs
Advantages Of COM/USB
• Direct device control
• Command execution bypassing all host-based checks, e.g. cash withdrawal without note counter checks
Frame layout shown on the slide:
• 02 30 / 10 03 – start/stop sentinels
• XX XX – op-code
• XX – unknown
• 01 01 … – data
• 42 – CRC8
02 30 XX XX XX 01 01 02 00 03 00 04 00 05 00 06 00 10 03 42
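The framing sketched above (start/stop sentinels, op-code, data, trailing CRC8) is also what a host-side or inline monitor must parse to notice injected or replayed device commands. The following is an added example, not code from the slides or from any ATM vendor: a Python frame parser and audit run over a constructed capture. The CRC-8 polynomial (0x07), what the CRC covers, the op-code values and the sample bytes are all assumptions made for the illustration.

```python
"""
Added illustration, not code from the original slides or any vendor: a passive
monitor for serial frames of the shape the deck sketches (02 30 ... 10 03 + CRC8).
Everything concrete is a constructed assumption: the CRC-8 polynomial (0x07),
what the CRC covers, the op-code values and the captured bytes. Real dispenser
protocols are vendor-specific and change with firmware versions.
"""
from dataclasses import dataclass

START = b"\x02\x30"   # start sentinel named on the slide
STOP = b"\x10\x03"    # stop sentinel named on the slide

# Constructed op-code table; real values are not on the slide.
OPCODES = {0x0100: "poll", 0x0201: "status", 0x0311: "cassette-info",
           0x0420: "dispense", 0x0421: "present"}
# Op-codes a host legitimately sends outside an authorised transaction.
BASELINE_OK = {"poll", "status", "cassette-info"}


def crc8(data: bytes, poly: int = 0x07) -> int:
    """CRC-8, polynomial 0x07, init 0, no reflection (assumed; the slide says only 'CRC8')."""
    crc = 0
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = ((crc << 1) ^ poly) & 0xFF if crc & 0x80 else (crc << 1) & 0xFF
    return crc


@dataclass
class Frame:
    opcode: int      # two-byte op-code following the start sentinel
    payload: bytes   # bytes between op-code and stop sentinel
    crc_ok: bool     # received CRC matches the one computed over start..stop


def parse_frames(stream: bytes):
    """Cut a raw capture into frames; returns (frames, bytes_not_in_any_frame).
    Assumes the CRC byte trails the stop sentinel and covers start..stop."""
    frames, pos, skipped = [], 0, 0
    while True:
        start = stream.find(START, pos)
        if start < 0:
            skipped += len(stream) - pos
            break
        skipped += start - pos                      # noise between frames
        end = stream.find(STOP, start + len(START))
        if end < 0 or end + len(STOP) >= len(stream):
            skipped += len(stream) - start          # truncated frame
            break
        body = stream[start + len(START):end]
        crc_rx = stream[end + len(STOP)]
        crc_ok = crc8(stream[start:end + len(STOP)]) == crc_rx
        opcode = int.from_bytes(body[:2], "big") if len(body) >= 2 else -1
        frames.append(Frame(opcode, body[2:], crc_ok))
        pos = end + len(STOP) + 1
    return frames, skipped


def audit(stream: bytes, transaction_open: bool = False):
    """Alerts a host-side monitor should raise: bad CRC, unknown op-code,
    or a cash-moving op-code while no transaction is authorised."""
    frames, skipped = parse_frames(stream)
    alerts = []
    for i, f in enumerate(frames):
        name = OPCODES.get(f.opcode)
        if not f.crc_ok:
            alerts.append(f"frame {i}: CRC mismatch (corruption or injected traffic)")
        elif name is None:
            alerts.append(f"frame {i}: unknown op-code {f.opcode:04x}")
        elif name not in BASELINE_OK and not transaction_open:
            alerts.append(f"frame {i}: {name} outside an authorised transaction")
    if skipped:
        alerts.append(f"{skipped} byte(s) outside any frame")
    return alerts


def build_frame(opcode: int, payload: bytes) -> bytes:
    """Fixture helper: frame a payload exactly the way parse_frames expects."""
    body = START + opcode.to_bytes(2, "big") + payload + STOP
    return body + bytes([crc8(body)])


# Constructed capture: two benign polls, a dispense with no transaction open,
# and a cassette-info frame with one payload bit flipped (CRC must fail).
_bad = bytearray(build_frame(0x0311, b"\x05\x00"))
_bad[4] ^= 0x01
SAMPLE = (build_frame(0x0100, b"") + build_frame(0x0201, b"\x00")
          + build_frame(0x0420, b"\x01\x01\x02\x00") + bytes(_bad))

if __name__ == "__main__":
    for line in audit(SAMPLE):
        print(line)
```

Because device polling repeats identical frames legitimately, the audit keys on CRC validity and on which op-codes appear outside a host-authorised transaction rather than on duplicates alone.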
Quick Cash And Full Control
Control of the cash dispenser module by an unauthorized application or user. An attacker can control the cash dispenser by sending commands directly to the COM/USB port, including dispense and present commands. This attack is possible from the ATM's computer or from any external device connected to the dispenser's COM/USB port.
Demo: iCash
http://www.youtube.com/watch?v=ksEmXuV324I
What Big Vendors Think
“We regret informing you that we had decided to stop producing this model more than 3 years ago and warranties for our distributors have expired.”
What About Cryptography
Dispenser “Half” Security Level: any use of cryptography is NOT equal to good use of cryptography
Achievement Unlocked
Dispenser High Security Level: “Dispenser Upgrade Pack is released and available from the vendor_name download center, and it will be included as standard in the next release of XFS.” (c)
We Had Two Libs Of Python, 35 USD, Power Bank And Wi-Fi Dongle
Cheap-and-Pi
• Minimal price
• Small
• Capable of using multiple interfaces
ATMs On The Internet
No More SSL
• OpenSSL in ATM/POS software
• Misconfiguration
• PCI/PA DSS v.3.1
• SSL >> TLS
Conclusions
• The service zone is important
• Current methods of protection are not enough
• Using execution prevention software without OS patches is wrong
Proposals
• Implement mutual authentication between the ATM computer and its devices
• Peer review the XFS standard and communication protocols
• The service zone is as important as the safe
• ATMs do not operate in a trusted environment
• Implement regular security assessments and pentests of ATMs
Leave ATM Forever Alone
