At Positive Hack Days 8, the good old Leave ATM Alone ATM hacking competition was once again held. Participants had two ATMs at their disposal; the hardware was provided by our banking security partner Alfa-Bank. We configured ATMs especially for the competition and embedded vulnerabilities in them. In 15 minutes it was necessary to bypass the security measures and extract money from the device. The prize fund was 40,000 rubles. About 40 participants came to try to bypass the protection. Leonid Krolle, the organizer of the competition and a specialist in the banking systems security research department of Positive Technologies, told how it happened and analyzed the tasks in detail. Participants of the Leave ATM Alone competition Participants had two ATMs at their disposal. One of them is installed with application control software from our partners, which prevents the launch of untrusted applications. It does not allow you to launch any application that is required to withdraw cash (hello, Cutlet Maker, BubbleMaker and nemagiya!). The second ATM is connected via the network to test processing, which allows you to carry out a cash withdrawal operation (which is in the ATM). However, processing sends a signal to dispense from the cassette in which there is no money. Therefore, the task of the participants is to replace the processing response to issue funds from the correct cassette. The connection cables from the ATM and test processing are located outside, with the ability to connect to them using a network cord (LAN). The players took all the money withdrawn from the system for themselves.
[
ATMs for two days of the forum: they were sad and lonely
If the blacklist of extensions that should be blocked is more or less universal and is easy to configure, then the whitelist of what is allowed to run is redundant by default - it often includes all applications from the operating system at the time of configuration.
Over the past few years, many methods have been described to bypass application control using Microsoft Windows tools (for example, “rundll32”, “regsvr32”), simply blocking which disrupts the normal operation of the OS. Therefore, fine-tuning application control is a complex and painstaking work, the result of which was given to the participants of the competition to be torn to pieces. Note that in the real world, attackers do not have that much time to bypass application control.
The first participants
In total, 15 minutes were allotted to bypass the protection on an ATM with application control: during this time, you had to run your code. Unfortunately, on the first day, all attempts by the participants to launch their exploit failed. However, one participant managed to discover a strange device installed on an ATM. It was a skimmer - a miniature portable reading device that can be attached to an ATM. Such devices help fraudsters steal bank card data: details, PIN code - all the information recorded on the magnetic stripe.
Skimmer
After discovering the skimmer, it was necessary to extract card data from it: during the preparation of the competition, the organizers recorded a dump of a non-existent card with a certain number there.
Let's tell you a little about preparing the skimmer for the competition.
The skimmer consists of a magnetic head for reading and a device for recording an audio track (sometimes with Wi-Fi or Bluetooth). This copy can be made on the basis of the Explay player-recorder or a similar USB voice recorder. Examples here . In terms of size, they just fit into the cover on the anti-skimmer and there is still room for the battery, since it was necessary to prepare and revive the mini Frankenstein: the performance test was carried out on a similar device from another ATM model. To save space, the USB port mounting area is cut off, so I had to make the necessary adapter myself.
Making an adapter
We tested the correctness of turning on the player-skimmer according to the instructions from the player from the Internet (there were no symbols on the buttons, since they remained on the body) and wrote down the card and number that the participants needed to extract from the skimmer.
This is what a card with magnetic powder applied to it looks like:
The information on the magnetic stripe of the card is recorded using F/2F-frequency encoding (what it is used for and how it can be decoded) and is represented by alphanumeric characters in a 7-bit encoding or digital characters in a 5-bit encoding. Parity and Longitudinal Redundancy Check (or Longitudinal Redundancy Check - LRC) are used to detect read errors.
Data on any track must begin with the start service character and end with the end service character. These symbols are chosen in such a way that they allow you to determine the beginning of a block of useful information, determine the direction in which the card is read, and even the information encoding format (5 bits or 7 bits).
Control characters are intended to control hardware and cannot be used to convey information (data content). Separators are used to separate data fields on a map.
In the 7-bit encoding, the characters [\] are reserved for additional national characters and should not be used as part of international information exchange, the character # is reserved for arbitrary additional graphic characters.
Here is an example of how it might look:
- standard ISO 2 track:
;XXXXXXXXXXXXXXXX=YYYYYYYYYYYYYYYYY?Z - 37 characters
X...X - card number, Z - LRC (data starts with the start character and ends with the end character, the card number is 16-digit, LRC is present)
The moment of testing and recording a dump
In fact, you can copy the data from the player in the form of an MP3 file, find where the track was recorded, enlarge it in an audio editor and parse it bit by bit, but there are simpler ways.
For example:
They allow you to convert audio track data into ASCII (transcribed data) with greater or less accuracy.
About an hour later, the card data recorded in the skimmer was provided. The well-deserved Audience Choice Award has found its owner. Congratulations to Maxim Vikhlyantsev!
The rest of the participants continued to fight for the main prizes loaded into ATMs
Someone tried to hack the security, but there were also those who were tired and lost hope of getting rich quickly. Nevertheless, the first day was stormy, although the main prize remained with the organizers...
The most persistent remained.
On the second day of the competition, the same participants could be seen at the ATM hacking sites. Persistence and perseverance in trying to find a vector to bypass the protection did not remain in vain, and behold, Stanislav Povolotsky successfully bypassed the protection and, by executing the unsigned code, won a cash prize located in the first ATM.
Demonstration of a successfully completed task
The essence of the network attack on the second ATM was as follows: the ATM contained a laptop with installed software that emulated the processing operation.
Processing emulator
The emulator was configured to issue funds with any card inserted, without a PIN code, but the cassette whose command the emulator sent in response to the request was empty. To solve this problem it was necessary:
tcpdump is a UNIX utility that has a clone for Windows and allows you to intercept and analyze network traffic passing through the computer on which this program is running.
wireshark is a similar utility, only more “charged”, with a GUI.
scapy is an interactive shell and software library for manipulating network packets in the Python programming language.
ettercap is a utility for analyzing network traffic passing through a computer interface, but with additional functionality. The program allows you to perform man-in-the-middle attacks to force another computer to transmit packets not to the router, but to the attacker.
Actually, nothing changes.
With such a difficult approach, the participants encountered difficulties, but they overcame them too. The team Information & Public, Security Center and Uzbekistan received the prize for faking the response from processing at the second ATM. For which we congratulate them! The full list of winners is on the competition page.
ATMs for two days of the forum: they were sad and lonely
Application control
There are several ways to check whether an application matches a given whitelist, from checking the path to the executable file or its hash to analyzing the digital signature and extension. Application control tools are most often used for additional protection of client computers (prohibiting the launch of software not from the white list) and ensure the security of isolated systems, such as ATMs, that do not require constant operational intervention.If the blacklist of extensions that should be blocked is more or less universal and is easy to configure, then the whitelist of what is allowed to run is redundant by default - it often includes all applications from the operating system at the time of configuration.
Over the past few years, many methods have been described to bypass application control using Microsoft Windows tools (for example, “rundll32”, “regsvr32”), simply blocking which disrupts the normal operation of the OS. Therefore, fine-tuning application control is a complex and painstaking work, the result of which was given to the participants of the competition to be torn to pieces. Note that in the real world, attackers do not have that much time to bypass application control.
First day of competition
The beginning of the first day of the competition was marked by a dense flow of forum participants who came to try their hand at bypassing application control and replacing the processing response - more than 40 people in total.
The first participants
In total, 15 minutes were allotted to bypass the protection on an ATM with application control: during this time, you had to run your code. Unfortunately, on the first day, all attempts by the participants to launch their exploit failed. However, one participant managed to discover a strange device installed on an ATM. It was a skimmer - a miniature portable reading device that can be attached to an ATM. Such devices help fraudsters steal bank card data: details, PIN code - all the information recorded on the magnetic stripe.
Skimmer
After discovering the skimmer, it was necessary to extract card data from it: during the preparation of the competition, the organizers recorded a dump of a non-existent card with a certain number there.
Let's tell you a little about preparing the skimmer for the competition.
The skimmer consists of a magnetic head for reading and a device for recording an audio track (sometimes with Wi-Fi or Bluetooth). This copy can be made on the basis of the Explay player-recorder or a similar USB voice recorder. Examples here . In terms of size, they just fit into the cover on the anti-skimmer and there is still room for the battery, since it was necessary to prepare and revive the mini Frankenstein: the performance test was carried out on a similar device from another ATM model. To save space, the USB port mounting area is cut off, so I had to make the necessary adapter myself.
Making an adapter
We tested the correctness of turning on the player-skimmer according to the instructions from the player from the Internet (there were no symbols on the buttons, since they remained on the body) and wrote down the card and number that the participants needed to extract from the skimmer.
This is what a card with magnetic powder applied to it looks like:
The information on the magnetic stripe of the card is recorded using F/2F-frequency encoding (what it is used for and how it can be decoded) and is represented by alphanumeric characters in a 7-bit encoding or digital characters in a 5-bit encoding. Parity and Longitudinal Redundancy Check (or Longitudinal Redundancy Check - LRC) are used to detect read errors.
Data on any track must begin with the start service character and end with the end service character. These symbols are chosen in such a way that they allow you to determine the beginning of a block of useful information, determine the direction in which the card is read, and even the information encoding format (5 bits or 7 bits).
Control characters are intended to control hardware and cannot be used to convey information (data content). Separators are used to separate data fields on a map.
In the 7-bit encoding, the characters [\] are reserved for additional national characters and should not be used as part of international information exchange, the character # is reserved for arbitrary additional graphic characters.
Here is an example of how it might look:
- standard ISO 2 track:
;XXXXXXXXXXXXXXXX=YYYYYYYYYYYYYYYYY?Z - 37 characters
X...X - card number, Z - LRC (data starts with the start character and ends with the end character, the card number is 16-digit, LRC is present)
The moment of testing and recording a dump
In fact, you can copy the data from the player in the form of an MP3 file, find where the track was recorded, enlarge it in an audio editor and parse it bit by bit, but there are simpler ways.
For example:
- SWipe is an application for reading magnetic stripe cards over an audio port.
- Magnetic Stripe Decoder. A program to decode a magnetic stripe card, receiving the raw data from the magnetic stripe via the sound card.
They allow you to convert audio track data into ASCII (transcribed data) with greater or less accuracy.
About an hour later, the card data recorded in the skimmer was provided. The well-deserved Audience Choice Award has found its owner. Congratulations to Maxim Vikhlyantsev!
The rest of the participants continued to fight for the main prizes loaded into ATMs
Someone tried to hack the security, but there were also those who were tired and lost hope of getting rich quickly. Nevertheless, the first day was stormy, although the main prize remained with the organizers...
Second day
The most persistent remained.
On the second day of the competition, the same participants could be seen at the ATM hacking sites. Persistence and perseverance in trying to find a vector to bypass the protection did not remain in vain, and behold, Stanislav Povolotsky successfully bypassed the protection and, by executing the unsigned code, won a cash prize located in the first ATM.
Demonstration of a successfully completed task
The essence of the network attack on the second ATM was as follows: the ATM contained a laptop with installed software that emulated the processing operation.
Processing emulator
The emulator was configured to issue funds with any card inserted, without a PIN code, but the cassette whose command the emulator sent in response to the request was empty. To solve this problem it was necessary:
- intercept the response packet of the processing emulator;
- disassemble the package and form your own - only with the correctly set cassette number;
- insert the card and, when sending a request for processing, respond to the ATM with the changed data;
- using tcpdump, wireshark, scapy or ettercap tools to carry out a replay attack or spoofing attack with modified data in order to respond to the ATM.
tcpdump is a UNIX utility that has a clone for Windows and allows you to intercept and analyze network traffic passing through the computer on which this program is running.
wireshark is a similar utility, only more “charged”, with a GUI.
scapy is an interactive shell and software library for manipulating network packets in the Python programming language.
ettercap is a utility for analyzing network traffic passing through a computer interface, but with additional functionality. The program allows you to perform man-in-the-middle attacks to force another computer to transmit packets not to the router, but to the attacker.
Actually, nothing changes.
With such a difficult approach, the participants encountered difficulties, but they overcame them too. The team Information & Public, Security Center and Uzbekistan received the prize for faking the response from processing at the second ATM. For which we congratulate them! The full list of winners is on the competition page.
