revisiting atm
play

Revisiting ATM vulnerabilities for our fun and vendors profit - PowerPoint PPT Presentation

Jan 10, 2023 •182 likes •793 views

Revisiting ATM vulnerabilities for our fun and vendors profit Alexey Osipov & Olga Kochetova Experts@Security:~# WhoAmI Positive Hack Days Team Speakers at many IT events Pentesters of various systems Authors of multiple

  1. Revisiting ATM vulnerabilities for our fun and vendor’s profit Alexey Osipov & Olga Kochetova

  2. Experts@Security:~# WhoAmI • Positive Hack Days Team • Speakers at many IT events • Pentesters of various systems • Authors of multiple articles, researches, advisories

  3. Agenda • Overview • What makes us roll • Short stories • Vendors losses • Our frustration • Conclusions

  4. ATM (front view)

  5. ATM Cabinet

  6. ATM Safe (outside)

  7. ATM Safe (inside)

  8. Software Stack Host st • MS Windows • Device control middleware and kiosk • Some AV/integrity control • Video surveillance/Radmin/Old flash player and other crap Devi vices es • RTOS on strange microcontrollers

  9. Windows XP Still Alive • Early 2014 – 95% of ATMs run on Windows XP • Support killed off in April 2014 • >9000 vulnerabilities

  10. Rob The Bank

  11. BOOOoooring

  12. Alternative News

  13. “Average Bill” Typical ATM contains 4 cassettes with ~2500 notes in each one. US$/ € 21 (5+ 5+10 10+20+ +20+50)x2 50)x2500= 500= US 212 50 2 500 could be stolen from ATM during single incident.

  14. DO NOT REPEAT IT AT HOME

  15. Main Parts Of Everything

  16. True Story #1

  17. Malware • Skimer.A -2008 • …………………………………… • Backdoor.Ploutus – 2013-2014 • Backdoor.Padpin – 2014 • Macau Malware – 2014 • Backdoor.Tyupkin – 2014 • Trojan.Skimmer (new) – 2015 Subtotal = 16 < variants of malware

  18. Tyupkin: Around The World In 435 Days

  19. How It Works: Jackpotting Malware • Access • Infection • Control • Theft

  20. How It Works: XFS Customer/Service Windows-based Network mode application communication XFS API XFS manager Configuration information XFS SPI Service Service Service Service Service Service provider #1 provider #2 provider #3 provider #4 provider #5 provider #6 COM USB Unit #1 Unit #2 Unit #3 Unit #4 Unit #5 Unit #6

  21. How It Really Works: XFS Insecurity Customer/Service Windows-based Network mode application communication XFS API XFS manager Configuration information XFS SPI Service Service Service Service Service Service provider #1 provider #2 provider #3 provider #4 provider #5 provider #6 COM USB Unit #1 Unit #2 Unit #3 Unit #4 Unit #5 Unit #6

  22. XFS , Cash Dispenser Device • Cash withdrawal without authorization • Cassette and cash control • Software safe opening

  23. XFS, Identification Card Device • Insert/eject/retain cards • Read/write data • EMV reader (one can access payment history stored in chip)

  24. XFS , PIN Keypad Device • Export of the key is not available • Open mode and secure mode read data (for stealing PIN: an ATM software sets “secure mode” for entering PIN, and intruder changes it to “open mode” to capture the PIN)

  25. PIN Device Flow

  26. PIN Device Flow -If entering PIN/encryption keys -Authenticate host on currently used keys -Send empty button press events -Send PIN block to host -If entering open string -Send all button press events with button values to host

  27. PIN MITM Attack

  28. PIN Device MITM Attacks -Request open mode from PIN pad when user is going to insert PIN code -Acknowledge host about button presses - Send erroneous PIN block (we don’t know keys) -Host refuses transaction, but attacker knows client PIN code -Next transaction will be unmodified

  29. XFS Authentication • Authentication? Wha What t aut authent henticat ication? ion? • Exclusive access to XFS manager/service provider? Exi Exists, sts, but but not not int intende ended to d to be be use used fo d for se r securi curity ty

  30. XFS Authentication • Authentication? Wha What t aut authent henticat ication? ion? • Exclusive access to XFS manager/service provider? Exi Exists, sts, but but not not int intende ended to d to be be use used fo d for se r securi curity ty

  31. XFS specification • Where?

  32. XFS specification • Where? • “We don’t know yet” (c) but try google “ XFS ATM ”

  33. True Story #2

  34. http://krebsonsecurity.com/2015/01/thieves-jackpot-atms-with-black-box-attack/

  35. Black Box Attacks • Directly control ATM

  36. How It Works: Black Box Attacks • Dispenser • Card reader • Encrypted PIN-pad • Sensors

  37. How It Works: Physical Interfaces COM/USB Customer/Service Windows-based Network mode application communication XFS API XFS manager Configuration information XFS SPI Service Service Service Service Service Service provider #1 provider #2 provider #3 provider #4 provider #5 provider #6 COM USB Unit #1 Unit #2 Unit #3 Unit #4 Unit #5 Unit #6

  38. How It Really Works: COM/USB Insecurity Customer/Service Windows-based Network mode application communication XFS API XFS manager Configuration information XFS SPI Service Service Service Service Service Service provider #1 provider #2 provider #3 provider #4 provider #5 provider #6 COM USB Unit #1 Unit #2 Unit #3 Unit #4 Unit #5 Unit #6

  39. DinosauRS232 • Standard interface • No specific drivers • No authorization • Insecure proprietary protocols (just sniff and replay)

  40. Advantages Of COM/USB • Direct device control • Execution of undocumented functions • Intercept unmasked sensitive data • Possibility of producing hardware sniffer, which can’t be detected by visual examination

  41. Advantages Of COM/USB • Direct device control • Command execution mitigating all host- based checks, e.g. cash withdrawal without notes counter checks 01 01 02 00 • 02 30 / 10 03 – start-stop sentinels 02 03 00 10 XX X 42 • XX XX – op-code 30 XX X 04 00 03 05 00 • XX – Unknown 06 00 • 01 01 … – data • 42 – CRC8

  42. We Had Two Libs Of Python, 35 USD, Power Bank And Wi-Fi Dongle

  43. RS232 vs USB-HID # ls /dev/tty* # lsusb import serial import hid ser = serial.Serial('/dev/ttyUSB0') h = hid.device(0x????, 0x20) h.write([0x80] + map(ord, ser.write(" 0230XXXXXX01010200 " 0230XXXXXX0101020003000400 0300040005000600100342 “.deco de(‘hex’)) 05000600100342 “.decode(‘hex’))) ser.close() h.close()

  44. Demo https://youtu.be/4TXnIcjn1xc

  45. True Story #3

  46. Hijacking ATM Control/Processing Host • Carbanac – 2015 • MitM – 2015

  47. Possible connections to processing center • VPN (Hardware/Software) • SSL • MAC-authentication • Firewall • IDS

  48. ATMs In Internet Pakistan 1458 Russia 571 Venezuela 28 Tajikistan 20 Ukraine 16 Armenia 11 Brazil 1 Zambia 1 Sierra-Leone 1 Thailand 1

  49. Who Cares

  50. Card Reader/ Writer/ Skimmer Sensitive data disclosure, e.g. track data in plaintext, is possible with reading command sending to COM/USB port directly. This attack is possible with ATM's computer or with any external device, which is connected to the card reader's COM/USB port.

  51. What Big Vendors Think The vulnerabilities are essentially normal specifications of the card readers and not unexpected. As long as the ATM is running within normal parameters, these problems cannot possibly occur.(c) However this vulnerability is inherent in the USB technology and is expected be mitigated by the use of appropriate physical controls on access to the ATM top box.(c)

  52. Quick Cash And Full Control Control cash dispenser module by unauthorized application or user. An attacker has possibility to control cash dispenser by sending command to COM/USB port directly, including dispensing and presenting commands. This attack is possible with ATM's computer or with any external device, which is connected to the dispenser's COM/USB port.

  53. What Big Vendors Think “We regret informing you that we had decided to stop producing this model more than 3 years ago and warranties for our distributors been expired.”

  54. What About Cryptography Dispenser “Half” Security Level: Any use of cryptography – is NOT equal to good use of cryptography

  55. Achievement Unlocked Dispenser Hig High Security Level: Dispenser Upgrade Pack is released and available from the vendor_name download center, and it will be included as standard in the next release of XFS.(c)

  56. No More SSL • OpenSSL in ATM/POS software • Misconfiguration • PCI/PA DSS v.3.1 SSL >> TLS

  57. How Live With All This

  58. Conclusions • Current vulnerabilities in ATMs are low hanging fruits, that are ready for criminals • Vendors are not that interested in fixing. Increase cost, decrease profit • Banks are not that competent to know what to do

  59. Proposals • Implement mutual authentication both for ATM computer and it’s devices • Make peer review of XFS standard/communication protocols • Authenticated dispense from processing center • Trust environment is not about ATMs • Implement regular security assessments and pentest of ATMs

  60. Kudos Alexander Tlyapov, @_Rigmar_ And all other guys worth mentioning

  61. Questions? Alexey Osipov @GiftsUngiven, GiftsUngiv3n@gmail.com Olga Kochetova @_Endless_Quest_, Olga.v.Kochetova@gmail.com

Recommend

Revisiting Paulsons Theory of the Con- structible Universe with Isar and Sledge-

Revisiting Paulsons Theory of the Con- structible Universe with Isar and Sledge-

Revisiting Paulsons Theory of the Con- structible Universe with Isar and Sledge- hammer Ioanna M. Dimitriou H. and Peter Koepke, University of Bonn, Germany AITP 2016 Obergurgl, Austria, April 3-7, 2016 Revisiting Paulsons

703 views • 33 slides
REVISITING GENDER AND HOUSEWORK IN Dawn Mannay CONTEMPORARY URBAN SOUTH WALES

REVISITING GENDER AND HOUSEWORK IN Dawn Mannay CONTEMPORARY URBAN SOUTH WALES

WHO SHOULD DO THE DISHES NOW? REVISITING GENDER AND HOUSEWORK IN Dawn Mannay CONTEMPORARY URBAN SOUTH WALES MannayDI@Cardiff.ac.uk REVISITING Jane Pilchers (1994) seminal work Who should do the dishes? Three generations of Welsh women

250 views • 11 slides
Revisiting the Estim ation of the Revisiting the Estim ation of the Marginal Cost of Highw ay

Revisiting the Estim ation of the Revisiting the Estim ation of the Marginal Cost of Highw ay

The 6 th Conference on Applied I nfrastructure Research ( I nfraday) The 6 th Conference on Applied I nfrastructure Research ( I nfraday) Berlin - - October 2 0 0 7 October 2 0 0 7 Berlin Revisiting the Estim ation of the Revisiting the Estim

206 views • 20 slides
Theory and applications 1 Roadmap to Lecture 6 Part 2 1. Revisiting the Reynolds stress

Theory and applications 1 Roadmap to Lecture 6 Part 2 1. Revisiting the Reynolds stress

Turbulence and CFD models: Theory and applications 1 Roadmap to Lecture 6 Part 2 1. Revisiting the Reynolds stress transport equation and the turbulent kinetic energy equation 2. Revisiting the closure problem 3. Two equations models

598 views • 36 slides
Revisiting Old Friends: Is CoDel Really Achieving What RED Cannot? Nicolas Kuhn 1 Emmanuel Lochin

Revisiting Old Friends: Is CoDel Really Achieving What RED Cannot? Nicolas Kuhn 1 Emmanuel Lochin

Revisiting Old Friends: Is CoDel Really Achieving What RED Cannot? Nicolas Kuhn 1 Emmanuel Lochin 2 Olivier Mehani 3 1 IMT Telecom Bretagne, France 2 Universit e de Toulouse, France 3 National ICT Australia, Australia 1/21 Revisiting Old

838 views • 40 slides
Re Revisiting Multilateral Co Cooperation o on N NTS S Is Issues es in in ASEAN: Th The

Re Revisiting Multilateral Co Cooperation o on N NTS S Is Issues es in in ASEAN: Th The

Re Revisiting Multilateral Co Cooperation o on N NTS S Is Issues es in in ASEAN: Th The Cas ase of f AHA Centre Is Is mu mult ltila ilater eral al coop ooper eration ion need eeded ed? In In wh what s situation m

332 views • 15 slides
1 Revisiting the Roman Masculine Ideal 1. Confident public speaker

1 Revisiting the Roman Masculine Ideal 1. Confident public speaker

Class 8a REAL (CHRISTIAN) MEN: AN OXYMORON? Outline Revisiting the Roman Masculine Ideal How Christian Men Measured Up Research Cluster

412 views • 4 slides
Less is more: Revisiting interrogative flip Natasha Korotkova Konstanz / Tbingen Workshop

Less is more: Revisiting interrogative flip Natasha Korotkova Konstanz / Tbingen Workshop

Less is more: Revisiting interrogative flip Natasha Korotkova Konstanz / Tbingen Workshop Meaning in non-canonical questions June 8, 2018 Natasha Korotkova (n.korotkova@ucla.edu) Revisiting Interrogative flip MiQ 6/8/18 1 / 42

1.09k views • 52 slides
Revisiting the Top Background (and a little of B-tagging) G. Codispoti, J.F. de Trocniz

Revisiting the Top Background (and a little of B-tagging) G. Codispoti, J.F. de Trocniz

May12 Higgs 2l2q Working Meeting Revisiting the Top Background (and a little of B-tagging) G. Codispoti, J.F. de Trocniz Universidad Autnoma de Madrid Outline q Using e data for top(+X) background: full 2011 results. q First

378 views • 19 slides
Analysis and Optimization of Cryptographically Generated Addresses (CGA) Revisiting

Analysis and Optimization of Cryptographically Generated Addresses (CGA) Revisiting

Introduction CGA for IPv6 CGA++ Analysis and Optimization of Cryptographically Generated Addresses (CGA) Revisiting Self-Certifying Address Generation and Verification Joppe Bos, Onur Ozen and Jean-Pierre Hubaux Ecole Polytechnique F

2.28k views • 44 slides
-[ Revisiting Mac OS X Kernel Rootkits! ]- Liar! Macs have no viruses! Who

-[ Revisiting Mac OS X Kernel Rootkits! ]- Liar! Macs have no viruses! Who

-[ Revisiting Mac OS X Kernel Rootkits! ]- Liar! Macs have no viruses! Who Am I Hold two degrees nobody likes these days: Economics &amp; MBA. Ex-hacker for .pt banking system (www.sibs.pt). Security

1.16k views • 91 slides
Revisiting Auxiliary Variables Stephan Merz joint work with Leslie Lamport Inria &amp; LORIA,

Revisiting Auxiliary Variables Stephan Merz joint work with Leslie Lamport Inria &amp; LORIA,

Revisiting Auxiliary Variables Stephan Merz joint work with Leslie Lamport Inria &amp; LORIA, Nancy, France IFIP Working Group 2.2 Bordeaux, September 2017 Stephan Merz Revisiting Auxiliary Variables WG 2.2, 2017-09 1 / 24 Specifications

990 views • 51 slides
Revisiting Magnetic Field Limits in Revisiting Magnetic Field Limits in Quadrupoles Arising From

Revisiting Magnetic Field Limits in Revisiting Magnetic Field Limits in Quadrupoles Arising From

Revisiting Magnetic Field Limits in Revisiting Magnetic Field Limits in Quadrupoles Arising From Losses due to H- Quadrupoles Arising From Losses due to H- Stripping Stripping (Encore) (Encore) J.-F. Ostiguy APC/Fermilab ostiguy@fnal.gov

148 views • 14 slides
Revisiting Lie integrability by quadratures from a geometric perspective Jos F. Cariena

Revisiting Lie integrability by quadratures from a geometric perspective Jos F. Cariena

Revisiting Lie integrability by quadratures from a geometric perspective Jos F. Cariena Universidad de Zaragoza jfc@unizar.es Geometry of jets and fields, Bedlewo, May 13, 2015 Abstract The classical result of Lie on integrability by

724 views • 41 slides
Revisiting the Institutional Approach to Herbrands Theorem Ionu uu 1,2 Jos Luiz

Revisiting the Institutional Approach to Herbrands Theorem Ionu uu 1,2 Jos Luiz

Revisiting the Institutional Approach to Herbrands Theorem Ionu uu 1,2 Jos Luiz Fiadeiro 1 1 Department of Computer Science, Royal Holloway University of London 2 Simion Stoilow Institute of Mathematics of the Romanian Academy 6 th

435 views • 32 slides
Revisiting Question Answering in Vampire Giles Reger School of Computer Science, University of

Revisiting Question Answering in Vampire Giles Reger School of Computer Science, University of

Revisiting Question Answering in Vampire Giles Reger School of Computer Science, University of Manchester, UK The 4th Vampire Workshop Reger,G Revisiting Question Answering in Vampire 1 / 24 Introduction In this talk we will Revisit the

500 views • 28 slides
R Revisiting a Soft-State Approach to i iti S ft St t A h t Managing Reliable Transport

R Revisiting a Soft-State Approach to i iti S ft St t A h t Managing Reliable Transport

R Revisiting a Soft-State Approach to i iti S ft St t A h t Managing Reliable Transport Connections Gonca Gursun, Ibrahim Matta , Karim Mattar Computer Science Boston U. 1 Ad-Hoc Wireless Network Whats wrong with Laptop today s

254 views • 22 slides
Revisiting Counter Mode to Repair Galois/Counter Mode Bo Zhu, Yin Tan and Guang Gong University

Revisiting Counter Mode to Repair Galois/Counter Mode Bo Zhu, Yin Tan and Guang Gong University

Intro Repairing GCM Simeck Design Summery Revisiting Counter Mode to Repair Galois/Counter Mode Bo Zhu, Yin Tan and Guang Gong University of Waterloo, Canada Aug 12, 2013 1 of 32 Revisiting CM to Repair GCM Intro Repairing GCM Simeck

917 views • 70 slides
Has Digital Distribution Rejuvenated Readership? Revisiting the age demographics of newspaper

Has Digital Distribution Rejuvenated Readership? Revisiting the age demographics of newspaper

Has Digital Distribution Rejuvenated Readership? Revisiting the age demographics of newspaper consumption Neil Thurman (LMU Munich) @neilthurman Cross platform monthly reach Advertising income , (UK national newspapers) UK newspaper brand s

553 views • 18 slides
Revisiting SoA for the IoT A Middleware Perspective Valerie Issarny Joint work with Georgios

Revisiting SoA for the IoT A Middleware Perspective Valerie Issarny Joint work with Georgios

ICSOC 2016 Revisiting SoA for the IoT A Middleware Perspective Valerie Issarny Joint work with Georgios Bouloukakis, MiMove Project Team Nikolaos Georgantas, Benjamin Billet, Inria Paris and many other colleagues Agenda 1. The IoT: An

672 views • 45 slides
supporting international students in the classroom BALEAP. The Janus Moment in EAP: Revisiting

supporting international students in the classroom BALEAP. The Janus Moment in EAP: Revisiting

Teach for success: supporting international students in the classroom BALEAP. The Janus Moment in EAP: Revisiting the Past and Building the Future, University of Nottingham, 19-21 April 2013 Jill Doubleday, Modern Languages &amp; Centre for

832 views • 30 slides
CWD Advisory Group Meeting 3 Revisiting the CWD Prevalence Threshold Discussion Thresholds for

CWD Advisory Group Meeting 3 Revisiting the CWD Prevalence Threshold Discussion Thresholds for

CWD Advisory Group Meeting 3 Revisiting the CWD Prevalence Threshold Discussion Thresholds for chronic wasting disease management Estimating CWD Impacts on Doe Survival Simple calculation (back of envelope literally)* Based on

445 views • 17 slides
Revisiting EW Constraints at a Linear Collider Work done by S. Heinemeyer P. Rowson U. Baer G.

Revisiting EW Constraints at a Linear Collider Work done by S. Heinemeyer P. Rowson U. Baer G.

Revisiting EW Constraints at a Linear Collider Work done by S. Heinemeyer P. Rowson U. Baer G. Weiglein M. Woods + many others K. Moenig B. Schumm R. Hawkings D. Gerdes G. Wilson L. Orr Lawrence Gibbons Cornell University Why improve

541 views • 21 slides
Revisiting the Fetishism Objection Sebastian stlund (kontakt@sebastianostlund.se) KTH Royal

Revisiting the Fetishism Objection Sebastian stlund (kontakt@sebastianostlund.se) KTH Royal

Revisiting the Fetishism Objection Sebastian stlund (kontakt@sebastianostlund.se) KTH Royal Institute of Technology, Division of Philosophy Overview 1. Instrumental Values and Commodities 2. Capabilities and Functionings as Ambiguously

508 views • 25 slides

More recommend