Carding and black boxes. Understanding the main method of hacking ATMs today.

Mutt

Metal boxes full of money standing on city streets cannot help but attract those after quick money. Where ATMs were once emptied by purely physical means, ever more sophisticated computer-based tricks are now in use. The most relevant of them today is the "black box" with a single-board microcomputer inside. This article explains how it works.

A typical ATM is a collection of off-the-shelf electromechanical components housed in a single enclosure. ATM manufacturers assemble them from a banknote dispenser, card reader, and other components already developed by third-party vendors. A sort of LEGO constructor for adults. The finished components are housed in an ATM enclosure, which usually consists of two compartments: an upper ("cabinet" or "service area") and a lower (safe). All electromechanical components are connected via USB and COM ports to the system unit, which in this case acts as a host. On older models of ATMs, you can also find connections via the SDC bus.

The chief of the ATM Manufacturers International Association (ATMIA) singled out black boxes as the most serious threat to ATMs.

Evolution of ATM carding
At first, carders exploited only crude physical weaknesses in ATM security: they used skimmers and shimmers to steal data from magnetic stripes, fake PIN pads and cameras to capture PIN codes, and even fake ATMs. Then, once ATMs began to ship with unified software built on common standards such as XFS (eXtensions for Financial Services), carders began to attack them with computer viruses. Among these are Trojan.Skimer, Backdoor.Win32.Skimer, Ploutus, ATMii and other named and unnamed malware, which carders plant on the ATM host either from a bootable USB flash drive or through a TCP port used for remote control.

[Figure: ATM infection scheme.]

Once it has taken over the XFS subsystem, the malware can issue commands to the banknote dispenser or card reader without authorization: read a bank card's magnetic stripe, write to it, and even extract the transaction history stored on the EMV card chip. The EPP (Encrypting PIN Pad) deserves special attention. It is generally accepted that a PIN entered on it cannot be intercepted. However, XFS allows the EPP to be used in two modes: open (for entering ordinary numeric parameters, such as the amount to withdraw) and secure (the EPP switches to it when a PIN or an encryption key must be entered). This XFS feature lets the carder mount an MITM attack: intercept the secure-mode activation command sent from the host to the EPP, then tell the PIN pad to continue in open mode.

[Figure: How the black box works.]

In recent years, according to Europol, ATM malware has evolved significantly. Carders no longer need physical access to an ATM to infect it: they can infect ATMs through remote network attacks via the bank's corporate network. In 2016, according to Group-IB, ATMs were attacked remotely in more than ten European countries.

[Figure: ATM attack via remote access.]

Antiviruses, blocking of firmware updates, blocking of USB ports, and hard disk encryption protect the ATM from carders' virus attacks to some extent. But what if the carder does not attack the host at all, and instead connects directly to the peripherals (via RS232 or USB): the card reader, the PIN pad or the cash dispenser?

The first acquaintance with the "black box"
Today, tech-savvy carders do exactly that, using so-called "black boxes" to steal cash from an ATM: specially programmed single-board microcomputers such as the Raspberry Pi. "Black boxes" empty ATMs cleanly, in a way that looks like magic to bankers. The carders connect their device directly to the banknote dispenser and extract all the money from it. Such an attack bypasses all security software deployed on the ATM host (antiviruses, integrity control, full disk encryption, etc.).


05.jpg

Raspberry Pi Black Box.

Major ATM makers and government intelligence agencies, having encountered multiple black box implementations, report that these dodgy computers force ATMs to spit out all available cash, forty notes every twenty seconds. Intelligence agencies also warn that carders most often target ATMs in pharmacies and shopping centers, and drive-up ATMs that serve motorists.

At the same time, so as not to show their faces on camera, the most cautious carders enlist some not particularly valuable accomplice, a "mule". And so that the mule cannot keep the "black box" for himself, the following scheme is used: the key functionality is removed from the "black box" and a smartphone is attached to it, serving as a channel for relaying commands to the stripped-down "black box" over IP.

[Figure: Modification of the "black box" with activation via remote access.]

How does this look from the bankers' side? On video recordings, something like the following happens: a person opens the upper compartment (service area), connects a "magic box" to the ATM, closes the compartment and leaves. A little later, several people who look like ordinary customers come to the ATM and withdraw huge amounts of money. Then the carder returns and removes his little magic device from the ATM. Usually the "black box" attack is discovered only days later, when the empty safe and the cash-withdrawal journal fail to match. The bank's employees are left scratching their heads.

Analysis of ATM communications
As noted above, the system unit and the peripherals communicate via USB, RS232 or SDC. The carder connects directly to the peripheral's port and sends commands to it, bypassing the host. This is straightforward because the standard interfaces need no special drivers, and the proprietary protocols by which the peripheral and the host talk require no authorization (the device is, after all, inside the trusted zone). These unprotected protocols are therefore easy to eavesdrop on and easy to replay.

Thus, a carder can connect a software or hardware traffic analyzer directly to the port of a specific peripheral (such as the card reader) to collect the data transmitted. From the captured traffic, the carder learns all the technical details of the ATM's operation, including undocumented functions of its peripherals (for example, changing a peripheral's firmware). As a result, the attacker gains full control over the ATM. At the same time, the presence of a traffic analyzer is rather hard to detect.

Direct control over the banknote dispenser means that the ATM's cassettes can be emptied without any record in the logs that the software deployed on the host would normally write. For those unfamiliar with the hardware and software architecture of an ATM, this can sound like magic.
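Since the host journal is exactly what a black box bypasses, the only place the missing notes show up is the cassettes themselves. The script below is an added example (not code from the article) of the reconciliation a bank's cash-management or fraud team can run: it matches a dispenser-side event source against the host's withdrawal journal, computes the per-cassette shortfall from opening and closing counts, and flags runs of closely spaced dispenses. The dispenser-side event feed, the sample records and the counts are constructed assumptions; real deployments would read them from the dispenser's counters or service log.

```python
"""Added example: reconcile what the dispenser actually paid out against
what the host's withdrawal journal recorded (not code from the article)."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Dispense:
    """One dispense event: when, from which cassette, how many notes.
    The same record type is used for host-journal entries and for the
    dispenser-side event source, which is assumed to exist (for example
    cassette counters read during service)."""
    ts: datetime
    cassette: int
    notes: int


def reconcile(host_journal, dispenser_events, window=timedelta(seconds=30)):
    """Return dispenser events that no host-journal entry explains.

    A journal entry explains at most one dispenser event with the same
    cassette and note count that occurred within `window` of it."""
    unexplained = []
    pool = list(host_journal)
    for ev in sorted(dispenser_events, key=lambda d: d.ts):
        for h in pool:
            if (h.cassette == ev.cassette and h.notes == ev.notes
                    and abs(h.ts - ev.ts) <= window):
                pool.remove(h)
                break
        else:
            unexplained.append(ev)
    return unexplained


def cassette_shortfall(opening, closing, host_journal):
    """Per-cassette gap between the balance the host journal implies and
    the balance found when the cassettes were counted. Positive values
    are notes that left the cassette without a journal entry."""
    expected = dict(opening)
    for d in host_journal:
        expected[d.cassette] -= d.notes
    return {c: expected[c] - closing[c]
            for c in expected if expected[c] != closing[c]}


def burst_alerts(events, min_events=3, max_gap=timedelta(seconds=25)):
    """Group events that follow one another within `max_gap`; a run of at
    least `min_events` is the 'a stack of notes every twenty seconds'
    cash-out pattern the article describes."""
    alerts, run = [], []
    for ev in sorted(events, key=lambda d: d.ts):
        if run and ev.ts - run[-1].ts > max_gap:
            if len(run) >= min_events:
                alerts.append(run)
            run = []
        run.append(ev)
    if len(run) >= min_events:
        alerts.append(run)
    return alerts


# Constructed sample data: two genuine customer withdrawals that the host
# journaled, plus three 40-note dispenses from cassette 4 that it did not.
T0 = datetime(2021, 3, 1, 14, 0, 0)
HOST_JOURNAL = [
    Dispense(T0, 1, 5),
    Dispense(T0 + timedelta(minutes=10), 2, 3),
]
DISPENSER_EVENTS = HOST_JOURNAL + [
    Dispense(T0 + timedelta(minutes=5, seconds=20 * i), 4, 40) for i in range(3)
]
OPENING_COUNT = {1: 500, 2: 500, 4: 1000}   # notes per cassette at load time (constructed)
CLOSING_COUNT = {1: 495, 2: 497, 4: 880}    # notes counted afterwards (constructed)


if __name__ == "__main__":
    for ev in reconcile(HOST_JOURNAL, DISPENSER_EVENTS):
        print(f"unexplained dispense: {ev.notes} notes from cassette "
              f"{ev.cassette} at {ev.ts:%H:%M:%S}")
    print("shortfall per cassette:",
          cassette_shortfall(OPENING_COUNT, CLOSING_COUNT, HOST_JOURNAL))
    print("burst alerts:",
          len(burst_alerts(reconcile(HOST_JOURNAL, DISPENSER_EVENTS))))
```

The matching window is deliberately loose (30 seconds) because host and dispenser clocks rarely agree to the second; the shortfall check needs no timestamps at all and is the one that catches a black box even when no dispenser-side event log exists, which is why daily cassette counts matter more than any host-side alert for this attack.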

Where do black boxes come from?
ATM vendors and their subcontractors develop debug utilities to diagnose ATM hardware, including the electromechanics responsible for cash withdrawal. Such utilities include ATMDesk and RapidFire ATM XFS. The figures below show a few more of these diagnostic tools.

[Figure: ATMDesk control panel.]

[Figure: RapidFire ATM XFS control panel.]

[Figure: Comparative characteristics of several diagnostic utilities.]

Access to such utilities is normally restricted by personalized tokens, and they work only while the door of the ATM safe is open. However, simply by replacing a few bytes in the utility's binary, hackers can "test" cash withdrawal while bypassing the checks the utility's manufacturer built in. Carders install such modified utilities on a laptop or single-board microcomputer, which they then plug directly into the banknote dispenser.

Last mile and fake processing center
Direct interaction with peripherals, bypassing the host, is only one of the effective carding techniques. Others rest on the fact that an ATM communicates with the outside world through a wide variety of network interfaces, from X.25 to Ethernet and cellular. Many ATMs can be identified and located using the Shodan service (the most concise instructions for its use are presented), followed by an attack that preys on weak security configuration, administrator laziness and insecure communications between the bank's various departments.

The "last mile" of communication between the ATM and the processing center is rich in a wide variety of technologies that can serve as an entry point for a carder. There are wired (telephone line or Ethernet) and wireless (Wi-Fi, cellular: CDMA, GSM, UMTS, LTE) communication methods. Security mechanisms can include:
  • hardware or software for VPN support (both standard, built into the OS, and from third parties);
  • SSL/TLS (both specific to a particular ATM model and from third-party manufacturers);
  • encryption;
  • message authentication.

However, banks apparently find the technologies listed above too complex, so they either do not bother to protect the network at all or fail to implement the protection correctly. In the best case, the ATM connects to a VPN server and then to the processing center within the private network. Moreover, even where banks do manage to implement the protective mechanisms above, the carder already has effective attacks against them. So even when security is PCI DSS compliant, ATMs remain vulnerable.

One of the main requirements of PCI DSS is that all sensitive data must be encrypted when sent over a public network. And, after all, we really do have networks originally designed so that the data in them is fully encrypted! So it is tempting to say: "Our data is encrypted because we use Wi-Fi and GSM." However, many of these networks do not provide sufficient protection. Cellular networks of every generation were hacked long ago, finally and irrevocably. There are even suppliers offering devices for intercepting the data transmitted over them.

Therefore, whether over an insecure link or within a "private" network in which every ATM announces itself to the other ATMs, a "fake processing center" MITM attack can be mounted, giving the carder control over the data flows between the ATM and the processing center.

Thousands of ATMs are potentially vulnerable to such MITM attacks. On the path to the genuine processing center, the hacker inserts his own fake one. This fake processing center instructs the ATM to dispense banknotes. The carder configures it so that cash is issued regardless of which card is inserted into the ATM, even one that has expired or has a zero balance; all that matters is that the fake processing center "recognizes" the card. The fake processing center can be either home-made or a processing-center simulator originally intended for debugging network settings (another gift from the "manufacturer" to carders).
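The replay attack on the host-to-peripheral link described earlier and the fake-processing-center MITM on the last mile share one root cause the article names: the commands carry neither authentication nor freshness, so anything that can speak the protocol is obeyed. The block below is an added example (not the article's code and not any vendor's protocol) of the "message authentication" item from the list above, in a hypothetical frame format: a processing center signs each command with a shared session key and a strictly increasing sequence number, and the ATM side verifies the tag before parsing and refuses any sequence number it has already seen. The command dictionaries, the session key and the `run_checks` harness are constructed for the demonstration.

```python
"""Added example: an authenticated, replay-protected command framing
between processing center and ATM (hypothetical format, not the article's
or any vendor's protocol)."""
import hashlib
import hmac
import json
import os
import struct


class AuthError(Exception):
    """Raised when a frame fails authentication or freshness checks."""


SEQ_LEN = 8    # big-endian 64-bit sequence number
TAG_LEN = 32   # HMAC-SHA256 tag


class CommandSender:
    """Processing-center side: every command is framed as
    seq || body || HMAC(key, seq || body), with seq strictly increasing."""

    def __init__(self, key: bytes):
        self.key = key
        self.seq = 0

    def build(self, command: dict) -> bytes:
        self.seq += 1
        header = struct.pack(">Q", self.seq)
        body = json.dumps(command, sort_keys=True).encode()
        tag = hmac.new(self.key, header + body, hashlib.sha256).digest()
        return header + body + tag


class CommandReceiver:
    """ATM side: verify the tag before parsing anything, then require the
    sequence number to move forward so a captured frame cannot be replayed."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_seq = 0

    def accept(self, frame: bytes) -> dict:
        if len(frame) < SEQ_LEN + TAG_LEN:
            raise AuthError("truncated frame")
        header, body, tag = frame[:SEQ_LEN], frame[SEQ_LEN:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, header + body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            raise AuthError("bad MAC")            # no key, or altered in transit
        (seq,) = struct.unpack(">Q", header)
        if seq <= self.last_seq:
            raise AuthError("replayed or stale frame")
        self.last_seq = seq
        return json.loads(body)


def _accepts(receiver: CommandReceiver, frame: bytes) -> bool:
    """True if the ATM side would act on the frame, False if it rejects it."""
    try:
        receiver.accept(frame)
        return True
    except AuthError:
        return False


def run_checks() -> dict:
    """Exercise the receiver against the failure cases the article describes:
    a captured command sent again, a command from a host that does not hold
    the key, and a frame altered on the wire. Returns which frames the ATM
    side accepted (constructed scenario)."""
    key = os.urandom(32)                  # constructed session key; would be provisioned per ATM
    center, atm = CommandSender(key), CommandReceiver(key)
    results = {}
    genuine = center.build({"op": "dispense", "cassette": 4, "notes": 40})
    results["genuine"] = _accepts(atm, genuine)
    results["replay"] = _accepts(atm, genuine)          # identical bytes a second time
    other = CommandSender(os.urandom(32))               # a host without the session key
    results["forged"] = _accepts(atm, other.build({"op": "dispense", "cassette": 4, "notes": 40}))
    altered = bytearray(center.build({"op": "dispense", "cassette": 1, "notes": 1}))
    altered[SEQ_LEN + 1] ^= 0x01                        # flip one bit inside the body
    results["altered"] = _accepts(atm, bytes(altered))
    results["next_genuine"] = _accepts(atm, center.build({"op": "status"}))
    return results


if __name__ == "__main__":
    for case, accepted in run_checks().items():
        print(f"{case:13s} -> {'accepted' if accepted else 'rejected'}")
```

Two design points matter for where this check lives. A shared-key MAC is only as good as the secrecy of the key, so for the host-to-dispenser link the verification must sit in the peripheral (and the key outside the host the black box bypasses), not in software on the host; and for the last mile the same pattern is what mutually authenticated TLS inside the VPN provides, with the added benefit that the ATM also verifies which processing center it is talking to before any command is parsed.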

The figure below shows a dump of the commands for dispensing forty banknotes from the fourth cassette, sent by a fake processing center and stored in the ATM's software journals. They look almost real.

[Figure: Command dump from a fake processing center.]

Conclusion
As you can see, the classic maxim “a truly protected computer is in an iron box and is not connected to any network, including an electrical one”, finds more and more confirmation every year. Everything is vulnerable, and bank property is no exception.

xakep.ru
 