The first days of the new year came with a warning about a new class of ATM fraud named the "black box attack". The crooks gain physical access to the top of the cash machine, connect their own computer to the cash dispenser and force it to spit out cash, KrebsOnSecurity reports. In fact, this technique isn't so new. The Positive Technologies experts Olga Kochetova and Alexey Osipov showed similar attacks on ATMs at Black Hat Europe 2014 in Amsterdam.
For the experiment, the researchers used a cash machine and a Raspberry Pi, a popular controller. The small device can be easily hidden inside an ATM enclosure. Due to its size, it doesn’t draw the attention of service engineers who, say, replace paper in built-in printers.
It is not much of a challenge to find ATM interface documentation. Regardless of the vendor, cash machines and payment terminals run on the Windows platform and share the same API for accessing and manipulating their various modules, in accordance with the Extensions for Financial Services (XFS) standard.
Knowing the API, one may easily gain access to an ATM host and directly manage the peripheral devices installed inside the money machine, e.g. a card reader, PIN pad, touchscreen display, dispenser unit, etc. Add to that the vulnerabilities of the ATM's OS: Windows has enough of those in stock for many years to come.
Before a Raspberry Pi can be installed inside an ATM and connected to Ethernet, USB, or RS-232 ports, an attacker needs to open up the ATM enclosure. The machine’s upper part contains a service area housing the host that manages the ATM’s devices, along with network hardware, including poorly protected GSM/GPRS modems. Unlike the safe located at the bottom, the upper part is quite easy to access: there is little supervision over it, if any. Attackers may open the service area using easy-to-make keys and simple materials at hand.
Yet it is not enough just to get it open: an attacker needs to be swift, and the manipulations must remain undetected.
At Black Hat, the Positive Technologies experts timed how long it took them to install the tiny computer inside the ATM service area for use as a sniffer to intercept PIN codes and credit card info or as a skimmer that is virtually impossible to detect from the outside. The researchers were able to unlock the ATM enclosure and install, disguise, and bring their computer online in just two minutes.
When preparing for the presentation, the experts programmed the Raspberry Pi to manage ATM peripheral modules. The computer was connected to a Wi-Fi adapter, which could be accessed from any device, such as a smartphone. A special web interface was designed to instruct the cash dispenser to empty the cassettes. The experts demonstrated how to make an ATM dispense several banknotes and, after some code adjustments, give out all the money. By the way, a typical ATM cassette holds two or three thousand banknotes, and there are usually four of those for different denominations inside a regular ATM.
Needless to say, as a result of the researchers’ proof-of-concept attack, the ATM dispensed all its cash, leaving no trace on the host; and although the camera was on, it was controlled by the Raspberry Pi, as were the other devices on the hacked ATM.
How to Secure ATMs
Providing sufficient security protection for ATMs is no easy feat. A lot depends on the attack scenario. For example, the UK’s LINK specialists advise replacing the default locks on the service area and monitoring ATMs with cameras.
Meanwhile, the Positive Technologies experts are convinced that the main security problem lies in the possibility of installing any device or program (including Angry Birds) on ATMs by exploiting OS and device vulnerabilities. The tables may be turned if ATM vendors collaborate on a new, open specification for the components inside a cash machine to interact and authenticate securely. This would help to prevent anyone with a service area key from easily connecting whatever he or she wishes to the system.
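The component authentication called for above can be illustrated with a challenge-response check on the dispenser side, so that a device plugged into the dispenser link without the pairing key, or one replaying captured traffic, is refused. This is an added example, not code from Positive Technologies or from any XFS specification; the `Dispenser` class, the `sign` helper, the command format and the pre-shared pairing key are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets


def sign(key: bytes, challenge: bytes, command: bytes) -> bytes:
    """Host side: bind the command to the dispenser's fresh challenge."""
    return hmac.new(key, challenge + command, hashlib.sha256).digest()


class Dispenser:
    """Hypothetical dispenser controller that only obeys authenticated commands."""

    def __init__(self, pairing_key: bytes):
        self._key = pairing_key   # provisioned when host and dispenser are paired
        self._challenge = None    # single-use nonce; None means none outstanding

    def new_challenge(self) -> bytes:
        # A fresh random nonce per command makes captured traffic useless for replay.
        self._challenge = secrets.token_bytes(16)
        return self._challenge

    def handle(self, command: bytes, tag: bytes) -> str:
        challenge, self._challenge = self._challenge, None  # consume the nonce
        if challenge is None:
            return "REJECT: no outstanding challenge"
        if not hmac.compare_digest(sign(self._key, challenge, command), tag):
            return "REJECT: bad authentication tag"
        return "OK: " + command.decode()


def demo() -> list:
    key = secrets.token_bytes(32)          # constructed pairing key
    rogue_key = secrets.token_bytes(32)    # a device that was never paired
    cmd = b"DISPENSE cassette=1 notes=2"   # constructed command format
    dispenser = Dispenser(key)
    tag = sign(key, dispenser.new_challenge(), cmd)
    results = [dispenser.handle(cmd, tag)]            # paired host: accepted
    results.append(dispenser.handle(cmd, tag))        # replayed message: rejected
    forged = sign(rogue_key, dispenser.new_challenge(), cmd)
    results.append(dispenser.handle(cmd, forged))     # unpaired device: rejected
    return results


if __name__ == "__main__":
    print("\n".join(demo()))
```

A check like this only covers a foreign device on the dispenser link; if the host itself is compromised, it holds the key and can sign commands, so the host's OS still has to be hardened.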