Hack Your ATM with Friend's Raspberry.Py

Presented at Black Hat Europe 2014, Oct. 16, 2014, 3:30 p.m. (60 minutes).

At all times there have been bad guys, who tried to steal money. ATM machines containing vast amounts of money have always been attractive targets. Until recently, criminals were only using physical weaknesses. Skimmers and shimmers for stealing magstripe-tracking data, fake pin pads and cameras for stealing pin codes, and even fake ATMs were created.

Time passed and ATM software started to unify. Where there is unification, there are viruses. Trojan.Skimmer.*, Ploutus and other named or unnamed trojans.

And what did we see on the public scene? Vendors started discussing the skimmers problem only after they were detected in the wild. As you remember, Barnaby Jack presented "Jackpotting Automated Teller Machines" at Black Hat USA 2010. He used some vulnerabilities in ATM software. He showed that malware, was injected into the OS of the ATM via bootable flash drive or via remote management TCP port.

Barnaby Jack's work was based on assumptions that most vulnerabilities were concentrated in the host machine and that we can and should reuse software made by ATM vendors. And that's quite true, but... antiviruses, locked firmware upgrades, blocked USB connectors, and encrypted hard drives can mitigate such risks. But, what about connecting not to the host machine, but to devices themselves? What countermeasures exist, when we will try to impersonate ourselves as an ATM host? Hacking ATMs with small computer like Raspberry Pi should be impossible, but it isn't.

The point of our presentation is to draw attention to the problem, which has existed for quite a long time. The problem is usage of common interfaces (like RS232 or USB) and protocols of communication from host machine to such devices as card readers, pin pads and/or dispenser units.


Presenters:

  • Alexey Osipov
    Alexy is a specialist on a Web Application Security Team. He also participates in development of the international forum on practical security Positive Hack Days. He was the winner of the PHDays 2012 $natch competition. He is a security tools developer and a club-mate addict.
  • Olga Kochetova
    Olga spent several years as a Senior Engineer at an ATM manufacturing company. For last two years, she has served as an information security expert. She is the author of multiple articles in the field of ATM (in-)security. Olga has spoken at many different conferences. She is also an active participant in development of the international forum on practical security Positive Hack Days.

Links:

Similar Presentations: