Security The Almighty Buck

Hacker Develops ATM Rootkit

alphadogg writes "One year after his Black Hat talk on automated teller machine security vulnerabilities was yanked by his employer, security researcher Barnaby Jack plans to deliver the talk and disclose a new ATM rootkit at the computer security conference. He plans to give the talk, entitled "Jackpotting Automated Teller Machines," at the Black Hat Las Vegas conference, held July 28 and 29. Jack will demonstrate several ways of attacking ATMs, including remote, network-based attacks."
  • Re:Lawsuit? (Score:1, Informative)

    by Anonymous Coward on Thursday May 06, 2010 @09:08AM (#32110304)

    Did they win?

  • Re:Lawsuit? (Score:4, Informative)

    by baKanale ( 830108 ) on Thursday May 06, 2010 @09:23AM (#32110474)

    Financially bankrupting someone for pointing out security flaws might dissuade others from doing so in the future, for fear of the same consequences.

  • Re:Lawsuit? (Score:5, Informative)

    by MBGMorden ( 803437 ) on Thursday May 06, 2010 @09:28AM (#32110522)

    Don't recall that one. Depends on the circumstances though. I remember a ton of other cases where the "showing they were insecure" part included hacking into the network in question. That's illegally accessing a computer system.

    It'd be akin to you telling your neighbor that his lock sucks and him just dismissing your idea.

    One of two possible scenarios then play out:

    a. You show at the next town meeting that your neighbor - John Q. Noob, is using a Lockatron LT-200 front door lock, and then proceed to show pictures, diagrams, and an example lock and how to pick it.

    b. He comes home the next day, and you're standing in his living room yelling "I TOLD YOU THE LOCK WASN'T ANY GOOD!!!!".

    A is fine. He'll get pissed and change his lock. B is trespassing. Too often in computer security terms people consider them the same action, and they aren't.

  • Re:What OS? (Score:1, Informative)

    by Anonymous Coward on Thursday May 06, 2010 @09:49AM (#32110754)

    I used to repair Wincor-Nixdorf ATMs a few years ago (2006). It's basically a PC running WinXP with some USB peripherals attached, and a few serial ones. Very simple electronics inside. Having a dedicated OS would be the best for security.

  • Re:What OS? (Score:5, Informative)

    by Miser ( 36591 ) on Thursday May 06, 2010 @09:58AM (#32110850)

    Seconded. Diebold (specifically, Opteva line) run plain old Windows XP. Some of them run Win XP Embedded. All of the "peripherals" in this case such as the cash dispenser, card reader, depositor if equipped, etc are just USB devices. The computer is NOT in the vault portion of the ATM, so if you can get into the flimsy door, you can get access to the computer.

    If you know the passwords (they are surprisingly easy ... or just use Hiren's to blank them out) you can get into the OS itself.

    I'm not sure why Diebold picked Windows, I would have preferred Linux of course, or perhaps back in the old days when the ATM wasn't a general purpose computer - it was a board with discrete circuitry and firmware. Everything to the network may be 3DES encrypted, but since it's Windows just get yourself a piece of malware on there and capture everything. Come back, retrieve the data, make yourself some cards, PROFIT. Of course, this required physical access.

    The older model ATMs (like the Cashsource Plus 200/400) still run eComstation (OS/2) and can connect via modem (really just serial) or TCP.

    NOT posting anonymously either. It's not like it's some big secret. If they secured their stuff, they wouldn't have to worry about it.

    -Miser

  • Re:Lawsuit? (Score:3, Informative)

    by evilandi ( 2800 ) <andrew@aoakley.com> on Thursday May 06, 2010 @10:10AM (#32110974) Homepage

    The threat alone is enough because no individual (or group) can afford to spend as much money on a bogus lawsuit as any of these companies

    Perhaps, in America. But civilised countries have systems of taxpayer-funded legal aid for those unable to mount their own defence, or have strict rules about misuse of court process. This kind of tomfoolery simply doesn't happen in the UK, for example; the most recent attempt being some chiropractors who tried to sue a British science journalist for proving their profession was bunkum. The chiropractors suffered the judicial equivalent of having flaming oil poured over them.

  • Re:Lawsuit? (Score:4, Informative)

    by ClosedSource ( 238333 ) on Thursday May 06, 2010 @11:21AM (#32111678)

    Perhaps you're thinking of a night deposit box which isn't an ATM. There were no ATMs in the 1950s.

  • Re:What OS? (Score:1, Informative)

    by Anonymous Coward on Thursday May 06, 2010 @12:51PM (#32112774)

    1. The flimsy door is rigged. Fiddle with it for a while and a big red light goes off at the bank telling them to check their security cameras as some bozo is playing with an ATM. Break into it and they'll just call police. You have maybe 5 minutes from when you get access to the computer to when you need to be leaving in a hurry. The computer can't be in the safe as that would require air circulation in the safe, which introduces a weak point.

    2. The bank sets the passwords, the banks I'm aware of used random strings of 20-30 characters. Not guessable. That's for the OS password, the password to the software to just do normal tasks like restock the ATM or print off some data would be simpler.

    3. Windows is the industry standard. Diebold, Wincor, and NCR all use it. They all used OS/2 before Windows. The presentation layer is a *huge* part of an ATM's duty, and at the time Linux wasn't up to the task. Or do you not remember swearing at your X.conf files for days?

    4. I wrote ATM software at one point. Even with the program to send signals to the hardware and direct access to the PC inside getting cash out is not trivial. There's generally a sequence of 6-7 events that need to be sent to the right pieces of hardware in the right order to get the cash from the drawer to the slot. IIRC some ATMs also have a 'production mode' that requires some form of shared key to be exchanged on every hardware event.
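
The control described in point 4 of the comment above (a fixed sequence of hardware events, each authenticated with a shared key) can be sketched as a device-side state machine. This is an added example, not part of the original comment and not any vendor's protocol; the event names, the key and the message layout are all hypothetical.

```python
import hashlib
import hmac

# Hypothetical seven-step sequence; real dispenser command sets are vendor-specific.
SEQUENCE = ["SESSION_OPEN", "SELECT_CASSETTE", "PICK_NOTES", "VERIFY_COUNT",
            "TRANSPORT", "SHUTTER_OPEN", "PRESENT"]
KEY = b"constructed-demo-key"  # constructed sample value


def tag(key: bytes, counter: int, event: str) -> bytes:
    """MAC over position + event, so a tag is only valid at one step."""
    msg = counter.to_bytes(4, "big") + event.encode()
    return hmac.new(key, msg, hashlib.sha256).digest()


class Dispenser:
    """Accepts only the next expected event, and only with a valid MAC."""

    def __init__(self, key: bytes):
        self.key = key
        self.step = 0
        self.log = []  # every decision is recorded for later review

    def handle(self, counter: int, event: str, mac: bytes) -> str:
        if not hmac.compare_digest(mac, tag(self.key, counter, event)):
            verdict = "reject: bad MAC"
        elif counter != self.step or event != SEQUENCE[self.step]:
            verdict = "reject: out of order"
        else:
            self.step += 1
            verdict = "dispensed" if self.step == len(SEQUENCE) else "ok"
        if verdict != "ok":
            self.step = 0  # failure or completion ends the transaction
        self.log.append((counter, event, verdict))
        return verdict


def run(device_key: bytes, host_key: bytes, events):
    """Replay (counter, event) pairs from a host holding host_key."""
    device = Dispenser(device_key)
    return [device.handle(i, e, tag(host_key, i, e)) for i, e in events]
```

A host without the key is stopped at the first event, and a host with the key still cannot jump to the final step; the per-event log gives the operator a record of rejected attempts.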

  • Re:Lawsuit? (Score:3, Informative)

    by Zenaku ( 821866 ) on Friday May 07, 2010 @08:25AM (#32124820)

    The entire purpose of a man-in-the-middle attack is to work around the fact that the attacker cannot eavesdrop directly on an encrypted channel. The attacker wants the authentication credentials for your bank account, but the communication is encrypted. So instead he tricks the client device into opening an encrypted channel to HIM instead, by poisoning a DNS cache for instance, and gets you to send him the credentials directly. The whole point is to get access to what he needs to access your account.

    If the data is transmitted in the clear, MITM is completely unnecessary. He just eavesdrops on the communication and gets the credentials.

    It's not about "seeing your money." It's about seeing the secret numbers needed to access your money. Perhaps it would have been a better analogy if I had said that it was akin to thinking that posting the combination to your safe on a sign right next to it would protect you from safe-crackers, but I still fail to see your point.
