Applied Ca$h Eviction through ATM Exploitation

Presented at DEF CON 28 (2020) Virtual, Aug. 8, 2020, 12:30 p.m. (30 minutes)

ATMs are networked computers that dispense cash, so naturally they're uniquely interesting devices to examine. We all remember ATM jackpotting from a decade ago. Unfortunately, it doesn't look like ATM security has improved for some common models since then. We present our reverse engineering process for working with an ATM and modifying its firmware. For this, we became our own "bank" by creating software that's able to speak the obscure protocols used by ATMs. For working with the device software at a low level, we restored JTAG access, defeated code signing, and developed custom debugging tools. We then leveraged this research to discover two 0-day network-based attacks, which we will demonstrate live. The first vulnerability takes advantage of the ATM's remote administration interface, which can lead to arbitrary code execution and total device compromise. The second vulnerability is in the OEM's implementation of a common middleware for ATM peripherals. This allows for command injection and jackpotting of ATMs over the network. The high barrier to entry for even legally opening up one of these devices has left a lot of attack surface area unchecked. Through this talk, we want to shed light on the state of ATM security and encourage the security community to continue to challenge ATM vendors to do better.

Presenters:

• Brenda So - Security Researcher, Red Balloon Security
  Brenda is a security researcher at Red Balloon Security. She earned her Bachelors in Electrical Engineering at The Cooper Union. She has spoken about reverse engineering at Hushcon West and CSAW. She has also organized the ATM CTF challenge at major conferences such as Recon and Defcon. When not messing around with ATMs, she is brewing a nice gallon of beer at her homebrew setup. @Sosogun3
• Trey Keown - Security Researcher, Red Balloon Security
  Trey is a security researcher at Red Balloon Security focusing on securing embedded devices and firmware reverse-engineering automation. He is the co-creator of an ATM CTF challenge which has taken place at Re:con, CSAW, Hushcon, Summercon, and the IoT Village at DEF CON 27. He has also been a speaker at Hushcon West and CSAW. @TreyKeown

Links:

• https://defcon.org/html/defcon-safemode/dc-safemode-speakers.html#Keown
• https://infocon.org/cons/DEF CON/DEF CON 28/DEF CON Safe Mode video and slides/DEF CON Safe Mode - Trey Keown and Brenda So - Applied Cash Eviction through ATM Exploitation - Q&A.mp4
• https://infocon.org/cons/DEF CON/DEF CON 28/DEF CON Safe Mode video and slides/DEF CON Safe Mode - Trey Keown and Brenda So - Applied Cash Eviction through ATM Exploitation.mp4
• https://infocon.org/cons/DEF CON/DEF CON 28/DEF CON Safe Mode video and slides/DEF CON Safe Mode - Trey Keown and Brenda So - Applied Cash Eviction through ATM Exploitation.srt (subtitles)
• https://www.youtube.com/watch?v=dJNLBfPo2V8

Similar Presentations:

• BSidesSF 2019 / Goldilocks and the Three ATM Attacks
• ToorCon San Diego 20 (2018) / Goldilocks and the three ATM attacks
• THOTCON 0xA (2019) / Goldilocks and the three ATM attacks