Security The Almighty Buck

Hacker Develops ATM Rootkit 181

alphadogg writes "One year after his Black Hat talk on automated teller machine security vulnerabilities was yanked by his employer, security researcher Barnaby Jack plans to deliver the talk and disclose a new ATM rootkit at the computer security conference. He plans to give the talk, entitled "Jackpotting Automated Teller Machines," at the Black Hat Las Vegas conference, held July 28 and 29. Jack will demonstrate several ways of attacking ATMs, including remote, network-based attacks."
  • Re:Lawsuit? (Score:1, Insightful)

    by Anonymous Coward on Thursday May 06, 2010 @09:00AM (#32110214)

    Is this true?

    Contrary to Europe, I've seen a lot of in-store ATMs in the US, which obviously didn't have leased lines. So any malicious store manager could see the transactions? MITM anyone?

  • Re:Lawsuit? (Score:5, Insightful)

    by Capt James McCarthy ( 860294 ) on Thursday May 06, 2010 @09:01AM (#32110232) Journal

    Can the banks file a lawsuit at him?

    I can't stand companies not taking security seriously.

    Remember when ATMs first came out? The data being sent from ATM to the bank's systems had NO encryption.

    Why? For pointing out security flaws? I know people love litigation as a means to prevent actions, however once information can be presented at a conference, any conference, don't you think that the cat is already out of the bag somewhere else?

    Everyone should know that a lock can be picked. It's just a matter of return for a thief. Making the lock so time consumable to pick that it's not worth it. So the ATM manufacturers have to create security that is not worth the criminals' time. Now if these hacks are easy, then I think the consumers have a right to hold the banks accountable.

  • Re:hmm... (Score:3, Insightful)

    by Ephemeriis ( 315124 ) on Thursday May 06, 2010 @09:02AM (#32110234)

    I know this is the sort of thing that goes on at black hat conferences, but could this guy potentially get in some sort of legal trouble for demonstrating what he has found?

    I'm sure he can.

    Which is stupid.

    Because if he knows this stuff he probably isn't the only one. And just the news that these machines can be hacked is going to have other people trying to figure out what he knows, even if he doesn't say anything. So whether he opens his mouth or not really isn't going to change how secure these machines are.

    All it will do, hopefully, is scare the manufacturers into improving their security.

  • Re:Lawsuit? (Score:5, Insightful)

    by _PimpDaddy7_ ( 415866 ) on Thursday May 06, 2010 @09:03AM (#32110252)

    Don't you remember Verizon and other companies SUED people when they showed their websites were UNSECURE?

  • Re:Lawsuit? (Score:3, Insightful)

    by Yvanhoe ( 564877 ) on Thursday May 06, 2010 @09:15AM (#32110388) Journal
    Can the clients of the banks file lawsuits at them? I can't stand companies not taking security seriously.
  • by IBBoard ( 1128019 ) on Thursday May 06, 2010 @09:24AM (#32110482) Homepage

    You get charged for using ATMs that aren't from your own bank? What weird kind of economy is that? The only way you generally get charged in the UK is a) if you're using a credit instead of a debit card (and then it is your card company charging you "cash advance" fees), b) if you're using one of those "convenience" ATMs that are in a pub etc or c) if you're not in the UK, at which point it is to "cover" international fees and talking with other banks in other countries (apparently).

  • Re:Lawsuit? (Score:3, Insightful)

    by Daley_G ( 1592515 ) on Thursday May 06, 2010 @09:36AM (#32110604)
    As much as it's true that a thief won't bother with something that's not worth his time, there's another side of the coin to keep in mind. If it costs considerably more to make something more secure, the customer isn't going to purchase the product to begin with. I've gotta believe that the banks have accepted a certain amount of risk, and therefore they've determined what those ATM's are worth to them given the cost of the unit itself as well as the cost of dealing with any issues that arise - including penetration.
  • Re:hmm... (Score:3, Insightful)

    by GrahamCox ( 741991 ) on Thursday May 06, 2010 @09:38AM (#32110634) Homepage
    They'll only do something about it when it becomes really widespread and starts actually costing serious green

    And that will be a good thing. Which the publishing will help bring about. I don't follow your argument, unless it's that you don't want this published widely so *you* can personally exploit it.
  • Re:Lawsuit? (Score:0, Insightful)

    by crow_t_robot ( 528562 ) on Thursday May 06, 2010 @09:38AM (#32110638)
    File a lawsuit? For publishing information on security weaknesses in critical financial infrastructure that is already known by malicious individuals? Do you know how silly this is? By publishing he is forcing these companies to get their acts together. If he doesn't publish, this information will remain in the realm of people who will use it for theft without any corrective action taken by the ATM manufacturer. Don't try to fool yourself by thinking this is the only guy on the planet that has figured out these weaknesses.
  • What OS? (Score:4, Insightful)

    by AlecC ( 512609 ) <aleccawley@gmail.com> on Thursday May 06, 2010 @09:40AM (#32110660)

    As far as I can tell, all ATMs are based on data processing OSes - either ones with a desktop heritage then multi-processing and networking added on (Windows) or with a data processing/networking heritage with desktop added on (*nix families). It seems to me that they ought to be based on real-time control OSes, such as those used in the automotive and aerospace industry. I don't see how an ATM is any more complicated than a Digital Engine Control system, especially for state-of-the-art engines. People who design such systems know about reliability, which can include security in a limited function machine. The problem with general-purpose machines is that they have generalized functionality, just hidden away. Such systems can be subverted and the extra functionality exploited. Machines built from the ground up to do only what they have to do do not have the functionality to be subverted.

    I see no reason why such fixed-function machines should be much more expensive than those based on general purpose machines. There is an up-front cost in getting started, probably compensated by reduced security testing later. What will be harder is all the dreams the marketing people will have, of using the ATM to do other things, such as sell insurance. It will do only what it is built to do. Inflexible, but secure.

  • Re:hmm... (Score:3, Insightful)

    by L4t3r4lu5 ( 1216702 ) on Thursday May 06, 2010 @09:41AM (#32110684)

    What pisses me off is that he isn't publishing this.

    FTFY, considering the tone of the rest of your comment.

    You want him to publish so the banks have to fix it, not have him keep it secret and leave the rest to exploit it.

  • MITM? (Score:3, Insightful)

    by ArcCoyote ( 634356 ) on Thursday May 06, 2010 @09:44AM (#32110714)

    I'm wondering if this is more of a Man-in-the-Middle attack on the ATM's communication with the EFT network.

    The ATMs I've seen that aren't stuck right in a bank building's wall use some form of dial-up, be it a land line or a GSM modem.

  • Re:Lawsuit? (Score:3, Insightful)

    by Capt James McCarthy ( 860294 ) on Thursday May 06, 2010 @09:44AM (#32110718) Journal

    As much as it's true that a thief won't bother with something that's not worth his time, there's another side of the coin to keep in mind. If it costs considerably more to make something more secure, the customer isn't going to purchase the product to begin with.

    I've gotta believe that the banks have accepted a certain amount of risk, and therefore they've determined what those ATM's are worth to them given the cost of the unit itself as well as the cost of dealing with any issues that arise - including penetration.

    Very good point. So how do you deal with that concerning your customers? Do you warn them with a signed statement that says there is a risk of theft on atm systems? Or are banks willing to eat the cost of a break in (reimbursement) when it happens and not warn customers.

  • by hAckz0r ( 989977 ) on Thursday May 06, 2010 @09:54AM (#32110798)
    May I ask how using a live teller keeps someone else from emptying out your bank account electronically? After all, you can't prove a negative. You simply can't prove you did not use a machine unless you are lucky enough to be out of town at the time your account was emptied out. But even that does not work if the transaction was electronic and from somewhere other than a physical ATM. We are talking about rootkits on ATM's that by definition have a direct connection into your banking system, and no doubt have a way to export whatever information they want from it.

    Granted, the fact that the ATM will not be given the opportunity to capture your personal pin code is a step in the right direction, but having a corrupt hacker on the inside of your banking network can't be good for your bottom line either. There are security vulnerabilities in ALL computer systems and if a hacker has a foothold inside the network proper the rest of the system can fall like dominoes if the bank is naive enough to think they are safe from such an exploit.

  • Re:Lawsuit? (Score:2, Insightful)

    by Anonymous Coward on Thursday May 06, 2010 @09:56AM (#32110818)
    Yes, they did. Ever heard of "No More Free Bugs"?
  • Re:hmm... (Score:5, Insightful)

    by plover ( 150551 ) * on Thursday May 06, 2010 @10:03AM (#32110900) Homepage Journal

    What pisses me off is that he is publishing this.

    Why does that make you mad?

    Only two groups of people should be upset by this revelation: any thieves exploiting the weakness who may soon lose their money stream, and the banks who have to plug these holes.

    The only reason the banks should have to be mad is that they may not have budgeted the costs of these fixes for this year. Well that's too bad, I'm all broke up for them.

    So again I ask, why are you mad? Are you a banker or a thief? (And yes those are usually different unless you're on Wall Street.)

  • ATM Security (Score:3, Insightful)

    by MC68040 ( 462186 ) <henric@digitalLI ... m minus language> on Thursday May 06, 2010 @10:08AM (#32110960) Homepage

    I live in Europe. During my time having all sorts of cards that work in ATMs, I've come to the conclusion that... most of them seem to run Windows (I've seen more BSODs than it's decent to mention).
    I'm not wanting to get in to a debate about Windows security here; rather the point that there are plenty of rootkits for any given platform on the go today.

    The interesting point would be the actual attack vector; getting in to a bank's internal network to access the ATM nodes would mean (from my point of view) that the ATM's are pretty uninteresting, however what else might lurk on the bank's network would be worth a lot more? On the other hand, if you could perform the "hack" quickly with just regular customer access to the machine, that'd be interesting... (thinking of terminator movie here...) ;)

    According to my bank balance that is my... well, I've no cents left, damn recession!

  • by Rockoon ( 1252108 ) on Thursday May 06, 2010 @10:32AM (#32111198)
    None of my accounts have an ATM/DEBIT card attached to them.

    "But don't you want a debit card?" asks the bank manager when opening the account.

    "Nope. I use a credit card."

    Yes, my bank account can be raided electronically, but I have very plausible deniability. Can't say that I used my ATM card to withdraw the funds, or my debit card to buy all that junk.
  • Re:Lawsuit? (Score:4, Insightful)

    by HungryHobo ( 1314109 ) on Thursday May 06, 2010 @11:01AM (#32111454)

    In the case of academics getting their names on the publications is more than an ego thing- it actually influences their chances of staying employed.

  • Re:Lawsuit? (Score:5, Insightful)

    by hrieke ( 126185 ) on Thursday May 06, 2010 @11:16AM (#32111620) Homepage

    No, the real reason is liability.
    If you sell the machine and believe it to be secure and sell it as such without the review & audit, and then it's proven to be insecure, fine, unknown bug.
    If you audit the machine with white hat hackers, they tell you of issues, you sell the machine anyways, it's hacked, you're on a very big hook.

  • Re:hmm... (Score:5, Insightful)

    by plover ( 150551 ) * on Thursday May 06, 2010 @11:26AM (#32111736) Homepage Journal

    His talk is a year old already. You don't think he's disclosed it to the banks long ago? No, they've had all the warning they need. Now it's time to prove they've fixed their equipment.

    Seriously, if he never releases his info, it will never get fixed. You can talk to the I.T. staff for a year about the problems and nothing will get done. The banks can even have a guy inside I.T. shouting "we gotta fix this!!" and he'll be ignored.

    Post it on the internet, deliver it to a roomful of blackhats, THEN something will get done. Until then, however, we're all still vulnerable to the bad guys who are already exploiting this kind of crap.

  • Re:Lawsuit? (Score:1, Insightful)

    by Anonymous Coward on Thursday May 06, 2010 @01:29PM (#32113502)

    Do they have to?

  • Re:What OS? (Score:2, Insightful)

    by Miser ( 36591 ) on Thursday May 06, 2010 @09:13PM (#32120612)

    I'll address some of your points - you weren't totally wrong, but it is also not as cut and dry as you say. Never think what is malice could not be mistaken for stupidity, or whatever the saying goes. The human element is in play here more than the technological one, even more so when you have short-sighted MBAs at the helm of some of these financial institutions ...

    1. The flimsy door is rigged. Fiddle with it for a while and a big red light goes off at the bank telling them to check their security cameras as some bozo is playing with an ATM.

    Not necessarily. In all of the offsite (10+) ATMs I have had experience with, they were all for small, mid, and largish institutions. You'd be surprised how "penny wise, pound foolish" financial institutions are - they either don't connect them, or just flat out don't have the offsite ones alarmed at all. ($50 per month is too expensive for a POTS line, or $20 per month is too expensive for cellular alarm, I guess ...)

    Now if this ATM is inside a bank or other F/I, well then you need to assume that it is connected to the premise alarm system - HOWEVER, that could also mean just the vault, and NOT the flimsy door. YMMV of course.

    2. The bank sets the passwords, the banks I'm aware of used random strings of 20-30 characters. Not guessable. That's for the OS password, the password to the software to just do normal tasks like restock the ATM or print off some data would be simpler.

    In the case of Agilis, the Diebold software for Opteva and other series ATMs, it's just all zeros to get into Agilis - that's the master password. Hardly any institution that I have seen changes it. Oh, and BTW - the Windows XP side auto logs in. There is an opportunity to "stop" the Agilis software from running, and you get - you guessed it - Explorer, free to do whatever you wish with an admin level account.

    3. Windows is the industry standard. Diebold, Wincor, and NCR all use it. They all used OS/2 before Windows. The presentation layer is a *huge* part of an ATM's duty, and at the time Linux wasn't up to the task. Or do you not remember swearing at your X.conf files for days?

    Ok, point slightly conceded that I don't like swearing at x.conf files, HOWEVER - with a company as big as Diebold they could save the licensing costs (they may have a bad reputation here on Slashdot, but they employ some smart cookies) and use that to make what essentially is a "pattern disk" with all the little intricacies already worked out. Remember: these are little more than appliances, with the only difference being peripheral mix and what network they are connected to.

    4. I wrote ATM software at one point. Even with the program to send signals to the hardware and direct access to the PC inside getting cash out is not trivial. There's generally a sequence of 6-7 events that need to be sent to the right pieces of hardware in the right order to get the cash from the drawer to the slot.

    I'll agree with you there, although I wasn't suggesting attacking the USB peripherals directly, I was more thinking of attacking Agilis itself. It's a Windows app, leaks memory something terrible, and I'm betting could be easily exploitable by those with access to an ATM. And before you say "good luck getting one" I could easily get a refurb stand up Opteva with no safe for about $4k. Chump change for the bad guys.
