ATM virus post

Tomcat

Guys, I couldn't hold back any longer. Let's talk about the ATM virus found more than a year ago in Diebold ATMs and the basic principle of how it works. The story is old and the peak of the hysteria has long passed, but the public never found out what really happened, which is why even IT people keep guessing and repeating myths. Many articles have been written about this virus, from technical descriptions to political education for housewives, but the most important trick was never explained. I will try to explain it as simply as I can, because what matters is understanding the essence, not the details of one particular implementation.

Let's start from the beginning. A year ago there was a panic in the media: "there are viruses in ATMs!", and every self-respecting bank manager joined the panic and started trying to do something about it. The panic had a real basis. The world is full of freeloaders, the so-called carders, whose goal is to obtain your bank card data, including the PIN, so they can make a duplicate card and withdraw all the money or buy something with it. Various deception techniques have been invented for this, but before the virus appeared they were all physical in nature (skimmers, overlay keypads, cameras). The virus is interesting precisely because it took the technique to a fundamentally new level: PINs started being stolen at the software level. It should be noted that the virus could also dispense cash in unlimited amounts when a special card was inserted, but as clients we don't care about that: there the bank loses the money, not us.

Now let's take a quick look inside the ATM and work out where a virus could come from. I'll tell you a secret: the vast majority of ATMs run Windows XP. A quick-witted reader will conclude that the threat is obvious and that it is time to be afraid. But it is not as bad as it seems. Firstly, conscientious ATM software vendors severely lock down this Windows: everything unnecessary is disabled, ports are filtered, access is blocked, and so on. Secondly, an ATM never faces the Internet directly. It sits either in a dedicated segment of the corporate network or behind some kind of encryption gateway, such as a Cisco or Check Point VPN, and there is, to put it mildly, no way for a virus to get in through there. Accordingly, the only realistic route is an insider, because slipping something into an ATM from the outside is problematic.

What does typical ATM software look like? Its architecture resembles client-server. The server side knows how to talk to the specific hardware (and there is a lot of it in an ATM) and publishes software interfaces that are common for each class of device (dispenser, card reader, printer, PIN pad, etc.). The client, i.e. the business application itself, uses these interfaces to show us advertising, hand over the long-awaited salary, print receipts and cheerfully blink the lights. The whole thing is the CEN/XFS standard. I'll probably attach a picture.

Armed with this knowledge, we immediately start writing our own ATM software with blackjack and whores; fortunately there are no secrets here, and nobody hides the emulators and specifications from us. We will read the magnetic stripe from the card reader when the client inserts the card, and the PIN from the PIN pad when the client enters it. There it is, as they say, profit. On the face of it everything looks fine. But it is too early to celebrate: a small disappointment awaits us. The PIN cannot be read from the keypad in the clear. It is only ever returned encrypted.

Let's make a lyrical digression for the general education of those interested. The PIN in the clear never goes anywhere except the PIN pad itself and the special HSM device at the processing centre. PIN entry works like this. The software sends the card number (PAN) and the "enter PIN" command to the keypad. During entry, the keypad reports only the fact that a key was pressed, not which one. Then the keypad builds a 16-hex-digit block from the two-digit PIN length and the PIN itself, padded out to 16 digits with the digit F, and XORs it with the rightmost 12 digits of the card number excluding the final check digit, left-padded with four zeros (this is the ISO 9564 "Format 0" PIN block). For example, for PIN 1234 and card 4987.6543.2109.8765 we take 04.1234.FFFFFFFFFF, XOR it with 0000.765432109876 and get 0412.42AB.CDEF.6789. This value is then encrypted with the working key that already sits inside the keypad, and the ciphertext is returned to the application that requested the PIN entry.
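As an added example (not code from the original post), here is the Format 0 PIN block construction from the paragraph above, both directions, so you can reproduce the 0412.42AB.CDEF.6789 figure and see why decoding with the wrong PAN fails. The PAN and PIN are the post's own example values; the padding and length checks follow the rules stated in the text.

```python
import re


def pan_field(pan: str) -> bytes:
    """Rightmost 12 digits of the PAN, excluding the check digit, left-padded
    with four zeros to 16 hex digits (the XOR mask of a Format 0 PIN block)."""
    digits = re.sub(r"\D", "", pan)          # tolerate "4987.6543.2109.8765" style input
    if len(digits) < 13:
        raise ValueError("PAN too short for a Format 0 PIN block")
    return bytes.fromhex("0000" + digits[-13:-1])


def pin_field(pin: str) -> bytes:
    """Two-digit PIN length, the PIN digits, then padding with F up to 16 hex digits."""
    if not pin.isdigit() or not 4 <= len(pin) <= 12:
        raise ValueError("PIN must be 4 to 12 decimal digits")
    return bytes.fromhex(f"{len(pin):02d}{pin}".ljust(16, "F"))


def pin_block_format0(pin: str, pan: str) -> bytes:
    """Clear Format 0 PIN block: PIN field XOR PAN field. The PIN pad encrypts
    this 8-byte value under its working key before handing it to the application."""
    return bytes(a ^ b for a, b in zip(pin_field(pin), pan_field(pan)))


def pin_from_block(block: bytes, pan: str) -> str:
    """Reverse the construction. Needs the PAN: XOR with the wrong PAN yields a
    block whose padding is not all F, which we treat as an error."""
    clear = bytes(a ^ b for a, b in zip(block, pan_field(pan))).hex().upper()
    if clear[0] != "0":
        raise ValueError("not a Format 0 PIN block (format nibble is not 0)")
    n = int(clear[:2])
    if not 4 <= n <= 12 or clear[2 + n:] != "F" * (14 - n):
        raise ValueError("malformed PIN block: wrong PAN or corrupted data")
    return clear[2:2 + n]


if __name__ == "__main__":
    pan, pin = "4987.6543.2109.8765", "1234"       # the post's example values
    blk = pin_block_format0(pin, pan)
    print(blk.hex().upper())                        # 041242ABCDEF6789
    print(pin_from_block(blk, pan))                 # 1234
```

The point of the PAN mask is not secrecy (the PAN is on the card) but to make identical PINs on different cards produce different blocks, so the encrypted blocks seen by the application cannot be compared against each other.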

Now let's look at the encryption keys, since we're on the subject. These keys live inside the keypad and cannot be read out of it. Typically, before an ATM goes into service, bank security officers manually enter a so-called master key (MK) into the keypad. Then, periodically, a working key (WK) is sent from the processing centre to the ATM, encrypted under that master key. Apart from the keypad and the HSM mentioned above, nobody knows the master key: each officer enters only their own component and does not know the complete key. So the keypad ends up holding the MK and the WK, the latter having arrived as MK(WK).

Let's move smoothly towards the climax. In fact, many different keys can be loaded into the keypad. You can also feed it a PIN block, tell it to decrypt that block with one working key, encrypt it with another key and return the result (a "translate" operation). That is, we will never receive the PIN in the clear, but encrypted under some key of our choosing? By all means. So why don't we load a master key that we obviously know and tell the keypad to encrypt the PIN block under it instead of the real one? Then we decrypt the result ourselves, since now the key is known to us. This is exactly what the virus does.

That's the trick, guys. Nothing complicated, right?

Finally, I'll tell you where the catch is. It is no coincidence that the virus was active on Diebold ATMs. Some Diebold ATMs were fitted with old keypads that did not meet modern security requirements. Modern requirements say that an ATM keypad must enforce a key hierarchy. This means that if we tell the keypad to decrypt a PIN block with the working key, it will then agree to re-encrypt it only under keys in the same hierarchy, i.e. under the master key that was used to encrypt that working key (or another key wrapped under it). This is logical: if we were able to load the working key, we must know that master key (we used it to encrypt the working one), so we can be trusted. But if we ask it to encrypt the PIN block under some unrelated key from a neighbouring branch, it will refuse: that smells of evil intent.
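To make the trick from the two preceding paragraphs concrete, here is an added simulation (my code, not anything from the post or from Diebold) of an encrypting PIN pad with and without a key hierarchy check. Everything is hypothetical: the cipher is a keyed XOR keystream standing in for 3DES, key names MK/WK/ROGUE are made up, and the rogue application models the virus's behaviour as the post describes it: load a key you know, ask the keypad to translate the customer's PIN block to it, decrypt offline.

```python
import hashlib
import os


def toy_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in for 3DES: XOR with a key-derived keystream. Simulation only, not secure."""
    ks = hashlib.sha256(b"toy-epp-cipher" + key).digest()[:len(block)]
    return bytes(a ^ b for a, b in zip(block, ks))


toy_decrypt = toy_encrypt  # XOR-based, so the two directions coincide


def format0_block(pin: str, pan: str) -> bytes:
    """Compact ISO Format 0 PIN block (length, PIN, F padding) XOR PAN mask."""
    pin_f = bytes.fromhex(f"{len(pin):02d}{pin}".ljust(16, "F"))
    return bytes(a ^ b for a, b in zip(pin_f, bytes.fromhex("0000" + pan[-13:-1])))


def pin_from_format0(block: bytes, pan: str) -> str:
    clear = bytes(a ^ b for a, b in zip(block, bytes.fromhex("0000" + pan[-13:-1]))).hex()
    return clear[2:2 + int(clear[:2])]


class EPP:
    """Encrypting PIN pad. Clear keys never leave the object; `parent` records
    which key wrapped each key on import, i.e. its place in the hierarchy."""

    def __init__(self, enforce_hierarchy: bool):
        self.enforce_hierarchy = enforce_hierarchy
        self.keys = {}     # name -> clear key
        self.parent = {}   # name -> name of the wrapping key (None for a manually loaded MK)

    def load_master_key(self, name: str, clear_key: bytes) -> None:
        # Entered by the bank's key custodians at installation, or (on old firmware)
        # by any application that can reach the XFS interface.
        self.keys[name] = clear_key
        self.parent[name] = None

    def load_wrapped_key(self, name: str, wrapped: bytes, under: str) -> None:
        # The working key arrives from processing as MK(WK) and is unwrapped inside the pad.
        self.keys[name] = toy_decrypt(self.keys[under], wrapped)
        self.parent[name] = under

    def get_pin_block(self, pin: str, pan: str, key: str) -> bytes:
        # What the business application receives after the customer enters the PIN.
        return toy_encrypt(self.keys[key], format0_block(pin, pan))

    def translate(self, enc_block: bytes, from_key: str, to_key: str) -> bytes:
        # Re-encrypt a PIN block from one key to another without exposing it.
        if self.enforce_hierarchy:
            same_tree = to_key == self.parent[from_key] or self.parent[to_key] == self.parent[from_key]
            if not same_tree:
                raise PermissionError(f"{to_key} is outside the hierarchy of {from_key}")
        return toy_encrypt(self.keys[to_key], toy_decrypt(self.keys[from_key], enc_block))


def rogue_app(epp: EPP, pan: str, block_under_wk: bytes) -> str:
    """The virus's trick: install a key we know, translate the PIN block to it, decrypt offline."""
    my_key = os.urandom(16)
    epp.load_master_key("ROGUE", my_key)               # a clear key we chose ourselves
    under_mine = epp.translate(block_under_wk, "WK", "ROGUE")
    return pin_from_format0(toy_decrypt(my_key, under_mine), pan)


def provision(enforce_hierarchy: bool) -> EPP:
    epp = EPP(enforce_hierarchy)
    mk, wk = os.urandom(16), os.urandom(16)
    epp.load_master_key("MK", mk)                      # custodians, at installation
    epp.load_wrapped_key("WK", toy_encrypt(mk, wk), under="MK")   # from processing, as MK(WK)
    return epp


def attack(enforce_hierarchy: bool):
    """Returns the stolen PIN on an old-style pad, or None when the hierarchy check stops it."""
    epp = provision(enforce_hierarchy)
    pan = "4987654321098765"
    block = epp.get_pin_block("1234", pan, "WK")       # all the legitimate app ever sees
    try:
        return rogue_app(epp, pan, block)
    except PermissionError:
        return None


def legitimate_translate_works() -> bool:
    """The hierarchy check must still allow WK -> MK, which is the bank's own use case."""
    epp = provision(True)
    block = epp.get_pin_block("1234", "4987654321098765", "WK")
    return len(epp.translate(block, "WK", "MK")) == 8


if __name__ == "__main__":
    print("old keypad:", attack(False))       # 1234
    print("modern keypad:", attack(True))     # None
```

Note that the hardened pad here still lets an application load a clear key; the hierarchy check alone defeats the attack, which is exactly the distinction the post draws. A real PCI-certified pad would additionally refuse clear key loads outside a custodian ceremony, so this model is the minimal fix, not the full set of requirements.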

[attached image: 6534d651c09dde87f66e1033567e6300.png]


That's all. It came out a bit long, I probably shouldn't have gone into PIN blocks, but oh well. I hope I have clarified the situation a little and that fewer myths and interpretations will circulate in certain circles. This applies especially to big-bank managers who dream of installing antivirus on ATMs without realising they will get many times more headaches than benefit. Sensible people have long been using application whitelisting solutions a la Solidcore and live in peace.