Hacker Develops ATM Rootkit
alphadogg writes "One year after his Black Hat talk on automated teller machine security vulnerabilities was yanked by his employer, security researcher Barnaby Jack plans to deliver the talk and disclose a new ATM rootkit at the computer security conference. He plans to give the talk, entitled "Jackpotting Automated Teller Machines," at the Black Hat Las Vegas conference, held July 28 and 29. Jack will demonstrate several ways of attacking ATMs, including remote, network-based attacks."
OK, That's It! (Score:5, Funny)
Re:OK, That's It! (Score:5, Funny)
If you can't trust a Diebold ATM, what can you trust?
Weren't they voted as the #1 ATM?
Re:OK, That's It! (Score:5, Funny)
By 107% of the respondents.
Re: (Score:2)
By readers of "What ATM?" magazine?
Lawsuit? (Score:4, Interesting)
Can the banks file a lawsuit at him?
I can't stand companies not taking security seriously.
Remember when ATMs first came out? The data being sent from ATM to the bank's systems had NO encryption.
Re:Lawsuit? (Score:5, Insightful)
Can the banks file a lawsuit at him?
I can't stand companies not taking security seriously.
Remember when ATMs first came out? The data being sent from ATM to the bank's systems had NO encryption.
Why? For pointing out security flaws? I know people love litigation as a means to prevent actions, however once information can be presented at a conference, any conference, don't you think that the cat is already out of the bag somewhere else.
Everyone should know that a lock can be picked. It's just a matter of return for a thief: making the lock so time-consuming to pick that it's not worth it. So the ATM manufacturers have to create security that is not worth the criminal's time. Now if these hacks are easy, then I think the consumers have a right to hold the banks accountable.
Re:Lawsuit? (Score:5, Insightful)
Don't you remember Verizon and other companies SUED people when they showed their websites were INSECURE?
Re:Lawsuit? (Score:5, Informative)
Don't recall that one. Depends on the circumstances though. I remember a ton of other cases where the "showing they were insecure" part included hacking into the network in question. That's illegally accessing a computer system.
It'd be akin to you telling your neighbor that his lock sucks and him just dismissing your idea.
One of two possible scenarios then play out:
a. You show at the next town meeting that your neighbor - John Q. Noob - is using a Lockatron LT-200 front door lock, and then proceed to show pictures, diagrams, and an example lock and how to pick it.
b. He comes home the next day, and you're standing in his living room yelling "I TOLD YOU THE LOCK WASN'T ANY GOOD!!!!".
A is fine. He'll get pissed and change his lock. B is trespassing. Too often in computer security terms people consider them the same action, and they aren't.
Re:Lawsuit? (Score:5, Interesting)
The problem is that it's a catch-22: usually the only way to find these vulnerabilities is to exploit them in the first place. And companies often don't grant access to white-hats because they think their systems are secure (or at least want to believe so), which can't be disproven until said hackers show them wrong.
One would hope that a company wouldn't press charges unless there was malicious intent (he dispensed and pocketed several hundred dollars for himself to 'test' the system). Of course, this is America, and I have nowhere near that much faith in our corporations or justice system...
Re:Lawsuit? (Score:5, Insightful)
No, the real reason is liability.
If you sell the machine and believe it to be secure and sell it as such without the review & audit, and then it's proven to be insecure, fine, unknown bug.
If you audit the machine with white hat hackers, they tell you of issues, you sell the machine anyways, it's hacked, you're on a very big hook.
Re: (Score:2)
Exactly, and so the only way for people like us to have dependably secure systems to use (ATMs, banks, CCs, anything with a logon or PII) is for white-hat hackers to break the law. That needs to be fixed, one way or the other.
Re: (Score:2)
It's not a catch-22, you just need a dev environment. Now that might be difficult in some [most] situations, but if you work for the firm in question they will probably have one.
Even a clean environment might not be a reasonable protection. One could still run afoul of the DMCA if you break any encryption along the way. As well, such a development environment is expensive in itself, which further pushes the ideal research environment back to the very companies that don't want to fund them.
Re: (Score:2)
One could still run afoul of the DMCA if you break any encryption along the way.
IIRC, breaking encryption isn't in and of itself a DMCA violation (well, breaking ENCRYPTION isn't a violation at all - it's the breaking of copy protection that's the hangup - copy protection just happens to often involve encryption). Neither is creating tools to do so. DISTRIBUTING those tools is what's illegal. If you make the tools to do it, and demonstrate to others that it can be done, but without handing out the tools to do so, then you're still ok as far as the DMCA goes.
Re:Lawsuit? (Score:4, Informative)
Financially bankrupting someone for pointing out security flaws might dissuade others from doing so in the future, for fear of the same consequences.
Re: (Score:3, Funny)
Not a chance. To get the cash to pay the fines, he'll just break into a bunch of ATMs.
"Here's your $100,000, in $20s and $50s."
Re:Lawsuit? (Score:4, Interesting)
No it doesn't, you point out the flaws without any info about you attached. I.e. publish all the info outside the country.
Honestly it blows my mind that any computer nerd tries to do the white hat thing and tell a company about a problem. Simply send it in a letter that is untraced and say, "I'm publishing this in 90 days. You are getting a heads up because I'm a nice guy."
Then in 90 days put it on the net.
They can't sue you if they have no idea who you are. Problem is most of these white hats are looking more for street "cred" and getting their name out than actually being a good guy.
Re:Lawsuit? (Score:4, Insightful)
In the case of academics getting their names on the publications is more than an ego thing- it actually influences their chances of staying employed.
Re: (Score:2)
I tend to agree with your approach. If we had fewer people trying to get cred, and more that did exactly as you mentioned ("you have 90 days to fix your bug or I go REALLY public with a how-to video, that way even your grandmother can do this hack"), then they have no choice.
Re: (Score:3, Insightful)
As much as it's true that a thief won't bother with something that's not worth his time, there's another side of the coin to keep in mind. If it costs considerably more to make something more secure, the customer isn't going to purchase the product to begin with.
I've gotta believe that the banks have accepted a certain amount of risk, and therefore they've determined what those ATMs are worth to them given the cost of the unit itself as well as the cost of dealing with any issues that arise - including penetration.
Very good point. So how do you deal with that concerning your customers? Do you warn them with a signed statement that says there is a risk of theft on ATM systems? Or are banks willing to eat the cost of a break-in (reimbursement) when it happens and not warn customers?
Re: (Score:2)
The FDIC and NCUA do not insure banks against robbery, they insure the depositors (you) against the failure of the bank. Anyway, yes it would basically be the same thing, and the loss would be covered by the banks insurer.
So why would anyone be upset by the presentation then if the security flaws are already covered by the FDIC and NCUA? Could it be that then the cost of protection starts to eat away profits?
Re: (Score:2)
Let's make an off-line analogy:
An omnipresent part of off-line security systems nowadays is the security camera. Suppose you know that a particular building has blind spots that could be used by perpetrators to avoid identification during their physical approach to the building before or after an attack.
Would it be ethical to publicize those blind spots?
Re: (Score:2)
There is also a factor of cost. Suppose it's a mom-and-pop store and they actually knew already about their blind spots when they bought their cameras from "securitate kameras, ltd". They know they do not have money to invest in better security.
Is it ethical to publicize the information about blind spots in this case?
You can see that this example is partially applicable to any target, since the factor of cost is there.
Re: (Score:2)
If all a criminal could do is bankrupt Mom and Pop, it probably isn't ethical to release the information on the blind spots.
But if customer records are stored in the store, then it probably is ethical to still reveal the blind spots, as Mom and Pop probably have an ethical responsibility to the
Re: (Score:3, Informative)
The threat alone is enough because no individual (or group) can afford to spend as much money on a bogus lawsuit as any of these companies
Perhaps, in America. But civilised countries have systems of taxpayer-funded legal aid for those unable to mount their own defence, or have strict rules about misuse of court process. This kind of tomfoolery simply doesn't happen in the UK, for example; the most recent attempt being some chiropractors who tried to sue a British science journalist for proving their profession was bunkum. The chiropractors suffered the judicial equivalent of having flaming oil poured over them.
Re: (Score:2)
Even if we didn't have legal aid, I'm pretty sure the "loser pays" system would get rid of most spurious lawsuits.
Re: (Score:2)
Perhaps, in America. But civilised countries have systems of taxpayer-funded legal aid for those unable to mount their own defence, or have strict rules about misuse of court process. This kind of tomfoolery simply doesn't happen in the UK, for example; the most recent attempt being some chiropractors who tried to sue a British science journalist for proving their profession was bunkum. The chiropractors suffered the judicial equivalent of having flaming oil poured over them.
Actually the British libel laws were and still are fairly far in favor of those like the British Chiropractic Association. The case was dropped when Simon won his appeal over an earlier judgment that was going to force him to defend an interpretation of his words which any sane person would see wasn't what he meant. He would have been doomed had that appeal not gone his way, and even with the win it was still more of a 50/50 shot under British law (from my understanding as an American having loosely follo
Re: (Score:2)
"A year ago or so there were students who wanted to hold a speech on how easily they hacked some transportation company's bus/subway tickets."
It was MIT students and the MA Transit Authority. They weren't exactly "buried" in legal threats. A judge just issued a court order telling them not to discuss the vulnerabilities they had discovered. Not sure what ultimately happened.
http://www.ft.com/cms/s/0/72ed83e0-58ac-11df-a0c9-00144feab49a.html [ft.com]
Re: (Score:2)
)*(&^%#! cut and paste. Ignore the previous link about Fannie Mae and Freddie Mac. Sorry.
http://www.informationweek.com/news/security/vulnerabilities/showArticle.jhtml?articleID=210002185 [informationweek.com]
Re:Lawsuit? (Score:5, Interesting)
"There's a difference between pointing out that a lock can be picked and demonstrating in detail how to do it. Especially when the audience isn't limited to the owner of the lock."
Not legally, there isn't. I'll be giving a talk on exactly this subject in 6 weeks. Marc Tobias, a lawyer, has co-authored an extremely detailed book on picking, bypassing, and completely ignoring the security of Medeco Biaxial locks. Find a better analogy.
Re:Lawsuit? (Score:5, Interesting)
I'll reserve judgement on his expose until I read the details; I understand why he wouldn't want to advertise the juicy details before his presentation, but on the other hand I'm skeptical about what he's implying.
Re: (Score:2)
Lol. The 'top end' NCR ATM is little more than a pc with a cash handler glued on. Also the cash handler is somewhat flaky and fragile and seems like a prototype rather than something that had been developed for and made on a production line.
Mind you, Wincor Nixdorf aren't much better, although they look like they have been designed with CAD.
Re:Lawsuit? (Score:5, Interesting)
Remember when ATMs first came out? The data being sent from ATM to the bank's systems had NO encryption.
Dude, it was the 1950s. How were they supposed to encrypt punch cards? Colour them in?
The data was "sent" using the secure process of having a burly security guard open the little door at the back and carry the deposits, punch cards and microfilm (they took a photo of all deposits) over to the back office.
Re:Lawsuit? (Score:4, Informative)
Perhaps you're thinking of a night deposit box which isn't an ATM. There were no ATMs in the 1950s.
Re: (Score:2)
And authentication without encryption protects you from eavesdroppers how exactly?
Re:Lawsuit? (Score:4, Funny)
That's like saying that keeping your money in a big pile on your front lawn will protect you from safe-crackers.
Re: (Score:3, Informative)
The entire purpose of a man-in-the-middle attack is to work around the fact that the attacker cannot eavesdrop directly on an encrypted channel. The attacker wants the authentication credentials for your bank account, but the communication is encrypted. So instead he tricks the client device into opening an encrypted channel to HIM instead, by poisoning a DNS cache for instance, and gets you to send him the credentials directly. The whole point is to get access to what he needs to access your account.
If the
Re: (Score:2)
You don't really need to MITM the transaction if it's being transmitted in the clear. I know you were just being pedantic, but honestly, nobody cares about the subtle differences between MITM and eavesdropping in this situation. The point is there was a serious issue.
Re: (Score:2)
That isn't even slightly true. Authentication without encryption is more like having a see-through safe: everyone can see how much money you have, but they still can't touch it.
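The "see-through safe" point above, and the earlier remark that authentication without encryption does nothing against eavesdroppers, can both be shown with a few lines. This is an added example, not code from the original thread or from any ATM vendor: it builds a constructed, cleartext authorization request protected only by an HMAC tag. The shared key, field names and values are assumptions; they stand in for whatever a real terminal and host exchange. A passive listener reads every field, PIN included; an active attacker who changes the amount fails verification because he cannot compute the tag.

```python
import hmac
import hashlib
from typing import Dict, Optional

# Assumed shared key; on a real terminal it would sit in the secure module,
# not in source. Everything here is a constructed illustration.
SHARED_KEY = b"terminal-0017-shared-key"


def build_request(account: str, pin: str, amount: int, seq: int) -> bytes:
    """Serialize the request and append an HMAC-SHA256 tag. Nothing is encrypted."""
    body = f"acct={account}&pin={pin}&amount={amount}&seq={seq}".encode()
    tag = hmac.new(SHARED_KEY, body, hashlib.sha256).hexdigest()
    return body + b"&mac=" + tag.encode()


def verify_request(wire: bytes) -> Optional[Dict[str, str]]:
    """Host-side check: return the parsed fields if the tag verifies, else None."""
    body, sep, tag = wire.rpartition(b"&mac=")
    if not sep:
        return None
    expected = hmac.new(SHARED_KEY, body, hashlib.sha256).hexdigest().encode()
    # Constant-time comparison so the tag cannot be guessed byte by byte.
    if not hmac.compare_digest(expected, tag):
        return None
    return dict(kv.split("=", 1) for kv in body.decode().split("&"))


def eavesdrop(wire: bytes) -> Dict[str, str]:
    """A passive attacker on the line parses the cleartext fields, MAC included."""
    return dict(kv.split("=", 1) for kv in wire.decode().split("&"))


def tamper(wire: bytes, new_amount: int) -> bytes:
    """An active attacker rewrites the amount but cannot recompute the tag."""
    fields = eavesdrop(wire)
    fields["amount"] = str(new_amount)
    return "&".join(f"{k}={v}" for k, v in fields.items()).encode()


def demo():
    """Returns (pin the eavesdropper saw, genuine request accepted, forgery rejected)."""
    wire = build_request("4111111111111111", "1234", 100, 42)
    seen = eavesdrop(wire)
    genuine_ok = verify_request(wire) is not None
    forgery_rejected = verify_request(tamper(wire, 5000)) is None
    return seen["pin"], genuine_ok, forgery_rejected


if __name__ == "__main__":
    print(demo())
```

The tag also does nothing about replay: the same bytes verify every time they are resent, so the host must track the `seq` field (or a nonce) itself. Encrypting the body is what keeps the PIN and account number out of the listener's hands; the MAC is what keeps him from changing them.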
hmm... (Score:3, Interesting)
I know this is the sort of thing that goes on at black hat conferences, but could this guy potentially get in some sort of legal trouble for demonstrating what he has found?
Re: (Score:3, Insightful)
I know this is the sort of thing that goes on at black hat conferences, but could this guy potentially get in some sort of legal trouble for demonstrating what he has found?
I'm sure he can.
Which is stupid.
Because if he knows this stuff he probably isn't the only one. And just the news that these machines can be hacked is going to have other people trying to figure out what he knows, even if he doesn't say anything. So whether he opens his mouth or not really isn't going to change how secure these machines are.
All it will do, hopefully, is scare the manufacturers into improving their security.
Re: (Score:2)
I know this is the sort of thing that goes on at black hat conferences, but could this guy potentially get in some sort of legal trouble for demonstrating what he has found?
I would think only if he shows himself, either in pre-recorded video or live, actually performing the hack on a real ATM. At that point, he could be charged under the computer fraud and abuse act. But simply doing a presentation on the topic, with details of the hacks? No, I don't think there's any law, yet, that makes *that* illegal,
Re: (Score:2)
Probably yes ...
Any case would be trying to prove he used protected information illegally or actually hacked an ATM for gain ... he can't be prosecuted for publishing known information (freedom of the press).
Re: (Score:3, Insightful)
And that will be a good thing. Which the publishing will help bring about. I don't follow your argument, unless it's that you don't want this published widely so *you* can personally exploit it.
Re: (Score:2)
Our money is blue, brown, purple and red!
Re: (Score:3, Insightful)
What pisses me off is that he isn't publishing this.
FTFY, considering the tone of the rest of your comment.
You want him to publish so the banks have to fix it, not have him keep it secret and leave the rest to exploit it.
Re:hmm... (Score:5, Insightful)
What pisses me off is that he is publishing this.
Why does that make you mad?
Only two groups of people should be upset by this revelation: any thieves exploiting the weakness who may soon lose their money stream, and the banks who have to plug these holes.
The only reason the banks should have to be mad is that they may not have budgeted the costs of these fixes for this year. Well that's too bad, I'm all broke up for them.
So again I ask, why are you mad? Are you a banker or a thief? (And yes those are usually different unless you're on Wall Street.)
Re:hmm... (Score:5, Insightful)
His talk is a year old already. You don't think he's disclosed it to the banks long ago? No, they've had all the warning they need. Now it's time to prove they've fixed their equipment.
Seriously, if he never releases his info, it will never get fixed. You can talk to the I.T. staff for a year about the problems and nothing will get done. The banks can even have a guy inside I.T. shouting "we gotta fix this!!" and he'll be ignored.
Post it on the internet, deliver it to a roomful of blackhats, THEN something will get done. Until then, however, we're all still vulnerable to the bad guys who are already exploiting this kind of crap.
Re: (Score:2, Interesting)
I don't know about banks but credit unions care about security and keeping their ATMs up to date. Unfortunately, they are at the mercy of the ATM manufacturers, vendors and whoever provides the maintenance. I suppose banks could have different maintenance contract due to their size but normally software updates are part of the annual support contract.
ATM machine (Score:5, Funny)
You almost made it through the whole summary without saying it.
Re: (Score:2)
But is it his personal PIN number?
Why can't the ATM suppliers just... (Score:5, Funny)
Pick one (Score:2, Funny)
...just get a deal going with McAfee? Then their systems would be completely safe or always online!
Fixed that for you.
XKCD already did that one... (Score:3, Funny)
http://xkcd.com/463/ [xkcd.com]
Come on Taco, more imagination! (Score:5, Funny)
"from the well-that-doesn't-make-me-feel-better dept."
Where's the zip, the punch in your writing? This is the news business! If Larry Wall can be funny AND write Perl code, so can you!
Suggestions:
"from the All Your ATM Are Belong To Us dept"
"from the Who Says Cybercrime Doesn't Pay dept."
"from the Your Money Is In Good Hands -- NOT dept"
"from the Can We Have Human Tellers Again dept"
"from the It'll Be The Debit Of Me dept."
Same hack that was used on diebold voting systems? (Score:2)
Same hack that was used on diebold voting systems?
Re:Same hack that was used on diebold voting syste (Score:2)
Same hack that was used on diebold voting systems.
Operating System specific? (Score:3, Interesting)
To me it would seem better to create a system that would raise the "you're-not-with-OUR-bank-so-we-can-stiff-you" charge (charge 'em 3.50 for the transaction then send 2 back to the bank per normal). Slow, but it would make money over time if EVERY ATM had your code.
Re: (Score:3, Insightful)
You get charged for using ATMs that aren't from your own bank? What weird kind of economy is that? The only way you generally get charged in the UK is a) if you're using a credit instead of a debit card (and then it is your card company charging you "cash advance" fees), b) if you're using one of those "convenience" ATMs that are in a pub etc or c) if you're not in the UK, at which point it is to "cover" international fees and talking with other banks in other countries (apparently).
Re: (Score:2)
Absolutely!! Actually, I'm surprised that isn't a universal thing.. guess you learn something new every day, eh?
Yep, usually if you use an ATM that is not from your bank, that ATM will charge you about $2.50 fee at time of transaction, and later, your bank will charge you another $3 or so for using an out of bank machine.
That's why when choosing a bank, I first look to see how many ATM's they have around town (and the country if it happens t
ATM Machines (Score:5, Funny)
Can anyone determine if these are Automated ATM Machines?
I'd better be careful entering my personal PIN number into these from now on.
Re: (Score:2, Funny)
Yes, they're Automated Automated Teller Machines. It's the extra level of automation that is really insecure.
I remember when things were only automated once. Simpler times.
(Your question was so daft I'm half waiting for a 'Whoosh!')
Re: (Score:2)
No, it's automated automated teller machines machines.
Re: (Score:2)
Ugh, no kidding. That's one of my biggest language pet peeves. (sig related)
What OS? (Score:4, Insightful)
As far as I can tell, all ATMs are based on data processing OSes - either ones with a desktop heritage then multi-processing and networking added on (Windows) or with a data processing/networking heritage with desktop added on (*nix families). It seems to me that they ought to be based on real-time control OSes, such as those used in the automotive and aerospace industry; I don't see how an ATM is any more complicated than a Digital Engine Control system, especially for state-of-the-art engines. People who design such systems know about reliability, which can include security in a limited-function machine. The problem with general-purpose machines is that they have generalized functionality, just hidden away. Such systems can be subverted and the extra functionality exploited. Machines built from the ground up to do only what they have to do do not have the functionality to be subverted.
I see no reason why such fixed-function machines should be much more expensive than those based on general-purpose machines. There is an up-front cost in getting started, probably compensated by reduced security testing later. What will be harder is all the dreams the marketing people will have, of using the ATM to do other things, such as sell insurance. It will do only what it is built to do. Inflexible, but secure.
Re:What OS? (Score:5, Informative)
Seconded. Diebold (specifically, Opteva line) run plain old Windows XP. Some of them run Win XP Embedded. All of the "peripherals" in this case such as the cash dispenser, card reader, depositor if equipped, etc are just USB devices. The computer is NOT in the vault portion of the ATM, so if you can get into the flimsy door, you can get access to the computer.
If you know the passwords (they are surprisingly easy ... or just use Hiren's to blank them out) you can get into the OS itself.
I'm not sure why Diebold picked Windows, I would have preferred Linux of course, or perhaps back in the old days when the ATM wasn't a general purpose computer - it was a board with discrete circuitry and firmware. Everything to the network may be 3DES encrypted, but since it's Windows just get yourself a piece of malware on there and capture everything. Come back, retrieve the data, make yourself some cards, PROFIT. Of course, this required physical access.
The older model ATMs (like the Cashsource Plus 200/400) still run eComstation (OS/2) and can connect via modem (really just serial) or TCP.
NOT posting anonymously either. It's not like it's some big secret. If they secured their stuff, they wouldn't have to worry about it.
-Miser
Re: (Score:2, Insightful)
I'll address some of your points - you weren't totally wrong, but it is also not as cut and dried as you say. Never think what is malice could not be mistaken for stupidity, or whatever the saying goes. The human element is in play here more than the technological one, even more so when you have short-sighted MBAs at the helm of some of these financial institutions ...
1. The flimsy door is rigged. Fiddle with it for a while and a big red light goes off at the bank telling them to check their security cameras as some bozo is playing with an ATM.
Not necessarily. In all of the offsite (10+) ATMs I have had experience with, they were all for small, mid, and largish institutions. You
Not Sarah, John This Time! (Score:4, Funny)
MITM? (Score:3, Insightful)
I'm wondering if this is more of a Man-in-the-Middle attack on the ATM's communication with the EFT network.
The ATMs I've seen that aren't stuck right in a bank building's wall use some form of dial-up, be it a land line or a GSM modem.
Great way to get money out of ATMS (Score:5, Interesting)
I hope (Score:3, Funny)
ATM Security (Score:3, Insightful)
I live in Europe, and during my time having all sorts of cards that work in ATMs I've come to the conclusion that.. most of them seem to run Windows (I've seen more BSODs than it's decent to mention).
I'm not wanting to get in to a debate about Windows security here; rather the point that there are plenty of rootkits for any given platform on the go today.
The interesting point would be the actual attack vector; getting into a bank's internal network to access the ATM nodes would mean (from my point of view) that the ATMs are pretty uninteresting, however what else might lurk on the bank's network would be worth a lot more. On the other hand, if you could perform the "hack" quickly with just regular customer access to the machine, that'd be interesting... (thinking of the Terminator movie here...) ;)
According to my bank balance that is my... well, I've no cents left, damn recession!
Re:"ATM's are pretty uninteresting" (Score:2)
Imagine if you tell your partner "at 2am it's gonna dispense all the money, make sure you're standing there with a big bag to catch it all".
That'd be very interesting to most thieves.
Re: (Score:2)
> Imagine if you tell your partner "at 2am it's gonna dispense all the money, make sure you're standing there with a big bag to catch it all".
Sure, that is not my main point, however valid :) A big bag of cash is of course nice, but what you can perhaps access without being detected for some time, is another point. Hence the importance of the attack vector [in my point].
An empty ATM machine with no logs; where the money went to should sound off immediate alarm bells...
Fair game if you empty half a countr
Again with the security through obfuscation... (Score:2)
By the way people, though the banks are the front, the ultimate responsibility for ATM device security lies in the manufacturer.
Re:My friend is a Linux hacker... (Score:5, Funny)
So the combination is... one, two, three, four, five? That's the stupidest combination I've ever heard in my life! The kind of thing an idiot would have on his luggage!
There is NOT always a paper trail (Score:3, Insightful)
Re: (Score:3, Insightful)
"But don't you want a debit card?" asks the bank manager when opening the account.
"Nope. I use a credit card."
Yes, my bank account can be raided electronically, but I have very plausible deniability. Can't say that I used my ATM card to withdraw the funds, or my debit card to buy all that junk.
Re: (Score:2)
I would agree, as the ATM cards, or other pieces of plastic, are only entry/authentication mechanisms to get into the banking network. In this case the perpetrator is working from within the network, and all that is needed to ruin your day is some carefully crafted electrons. No plastic necessary, and no deniability since plastic was not required to empty the account in the first place.
All you need is to have
Re: (Score:2)
A lot of ATMs in the UK take a picture. The lens is clearly visible.
You know us, cameras everywhere and that's the way we like it!
Re:"personal pin code" (Score:2)
Maybe you meant to say "personal PIN number"...?
Re: (Score:2)
ATM? Teller? Who uses those anymore?
direct deposit -> wire transfer to account.
Credit card -> wire transfer to merchant.
I haven't used an ATM in 3 years. I haven't used a teller in 7.
Cash? Who carries cash anymore? I Know it's a slippery slope to a cashless society where everything can be taxed multiple times, but I like not having cash on me.
Re: (Score:2)
I hand them my credit card like everyone else in the place. In fact most will swipe your card once and run your tab on it if you are a regular. My favorite Irish Pub in Dublin even does this, same as the die Kneipe I was in 12 weeks ago in a little town outside of Berlin.
Have you ever been in a pub?
Re: (Score:2)
Have you ever been in a pub?
Yes, but only the really dodgy ones that are cash only. Ones that take plastic forms of payment are a little too classy for the likes of me.