How ATMs are hacked with BlackBox

Lord777

Content
  • 1. Evolution of ATM carding
  • 2. First acquaintance with BlackBox
  • 3. Analysis of ATM communications
  • 4. Where do BlackBoxes come from
  • 5. "Last mile" and a fake processing center
  • 6. Conclusion

Steel boxes full of cash standing on city streets cannot help attracting people who want quick money. Where ATMs were once attacked by purely physical means, computer-based techniques are now used more and more. The most relevant of these today is the "BlackBox" (or simply "black box"): a single-board microcomputer wired directly into the ATM. This article explains how a BlackBox works and how ATMs are robbed with it.

A typical ATM is a collection of off-the-shelf electromechanical components housed in a single enclosure. ATM manufacturers assemble them from a banknote dispenser, a card reader and other modules already developed by third-party vendors: a sort of LEGO kit for adults. The finished components sit in a cabinet that usually has two compartments: an upper one (the "cabinet" or "service area") and a lower one (the safe). All electromechanical components are connected via USB and COM (RS232) ports to the system unit, which acts as the host. On older ATM models you can also find connections over the SDC bus.

Evolution of ATM carding
At first, carders exploited only gross physical weaknesses of ATM security: skimmers and shimmers to steal data from magnetic stripes, fake PIN pads and cameras to capture PIN codes, and even entire fake ATMs. Then, once ATMs began to ship with unified software built on common standards such as XFS (eXtensions for Financial Services), carders began to break into ATMs with malware. Examples include Trojan.Skimer, Backdoor.Win32.Skimer, Ploutus, ATMii and other named and unnamed families, which carders load onto the ATM host either from a bootable USB flash drive or through a TCP port exposed for remote administration.

hacking-atm-with-blackbox-1.png

ATM infection scheme

Having taken over the XFS subsystem, the malware can issue commands to the banknote dispenser or card reader without any authorization: read a bank card's magnetic stripe, write to it, and even extract the transaction history stored on the EMV chip. The EPP (Encrypting PIN Pad) deserves special attention. It is generally assumed that a PIN entered on it cannot be intercepted. However, XFS lets the EPP operate in two modes: open (for entering ordinary numeric parameters, such as the amount to withdraw) and secure (the EPP switches to it when a PIN or an encryption key must be entered).
This XFS feature lets a carder mount an MITM attack: intercept the secure-mode activation command sent from the host to the EPP and instead tell the EPP to stay in open mode. In response, the EPP returns keystrokes in clear text.

hacking-atm-with-blackbox-2.png

How the BlackBox works

In recent years, according to Europol, ATM malware has evolved significantly. Carders no longer need physical access to an ATM in order to compromise it: they can infect ATMs through remote network attacks launched from inside the bank's corporate network. In 2020, according to Group-IB, ATMs were attacked remotely in more than ten European countries.

hacking-atm-with-blackbox-3.png

ATM attack via remote access

Antivirus software, blocked firmware updates, disabled USB ports and full-disk encryption protect the ATM host from malware to some extent. But what if the carder does not attack the host at all and instead connects directly to a peripheral (over RS232 or USB): the card reader, the PIN pad or the cash dispenser?

First acquaintance with BlackBox
Today, tech-savvy carders do exactly that, using BlackBox devices (specially programmed single-board microcomputers such as the Raspberry Pi) to steal cash from ATMs. A BlackBox empties an ATM cleanly and, from the banker's point of view, as if by magic. The carders connect the device directly to the banknote dispenser and extract all the money from it. Such an attack bypasses every security control deployed on the ATM host (antivirus, integrity monitoring, full-disk encryption and so on).

hacking-atm-1.jpg

Raspberry Pi based BlackBox

Major ATM makers and government intelligence agencies, having encountered multiple BlackBox implementations, report that these devices make ATMs spit out all available cash at a rate of forty notes every twenty seconds. Intelligence agencies also warn that carders most often target ATMs in pharmacies, shopping centres and drive-up ATMs serving motorists.
To stay off camera, the most cautious carders enlist a disposable accomplice, a "mule". So that the mule cannot keep the BlackBox for himself, the following scheme is used: the key functionality is removed from the BlackBox and a smartphone is attached to it, serving as a channel for sending commands to the stripped-down "black box" remotely over IP.

hacking-atm-2.jpg

Modification of the "black box" with activation via remote access

How does it look from the bankers' point of view?
On the video recordings it looks something like this: a person opens the upper compartment (service area), connects a "magic box" to the ATM, closes the compartment and leaves. A little later, several people who look like ordinary customers come to the ATM and withdraw huge sums. Then the carder returns and removes the little magic device. Usually the BlackBox attack is discovered only days later, when the empty safe and the cash withdrawal journal do not match. All the bank's employees can do is scratch their heads.

Analysis of ATM communications
As noted above, the system unit and the peripherals communicate over USB, RS232 or SDC. The carder connects directly to the peripheral's port and sends commands to it, bypassing the host. This is quite straightforward, because the standard interfaces need no special drivers, and the proprietary protocols through which the peripheral and the host talk require no authentication (the device is, after all, inside the trusted zone). These unprotected protocols are therefore easy to sniff and easy to replay.

Thus a carder can connect a software or hardware traffic analyzer directly to the port of a particular peripheral (such as the card reader) and collect the data it exchanges. From the captured traffic the carder learns every technical detail of how the ATM works, including undocumented peripheral functions (for example, reflashing a peripheral's firmware). As a result, the attacker gains complete control over the ATM, and a traffic analyzer sitting on the cable is rather hard to detect.

Direct control over the banknote dispenser means that the cassettes can be emptied without any record in the logs that the software on the host would normally write. To anyone unfamiliar with the hardware and software architecture of an ATM, this may sound like magic.
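Because the host journal never sees notes that a BlackBox pulls straight from the dispenser, the one place the theft does show up is the mismatch between what physically left each cassette and what the journal accounts for. The script below is an added example of that reconciliation check, not code from the original article; its journal line format, cassette counts and transaction IDs are constructed for illustration and do not correspond to any real ATM log.

```python
"""Reconcile an ATM host withdrawal journal against the dispenser cassettes.

Added example, not from the original article. A BlackBox drives the
dispenser directly, so the host journal never records those notes; the
gap between what physically left a cassette and what the journal explains
is the signature a bank can look for. Journal format, cassette counts and
everything else below are constructed for illustration, not a real ATM log.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Cassette:
    cassette_id: int
    denomination: int
    loaded: int     # notes loaded at the last replenishment
    remaining: int  # notes physically counted at the audit


# Constructed host journal. Both DISPENSE and REJECT lines explain notes
# leaving a cassette (rejected notes go to the reject bin, not to the customer).
JOURNAL = """\
2020-05-03T09:12:41 DISPENSE cassette=1 notes=2 txn=A1001
2020-05-03T09:12:41 DISPENSE cassette=3 notes=1 txn=A1001
2020-05-03T11:40:02 DISPENSE cassette=2 notes=5 txn=A1002
2020-05-03T14:05:59 DISPENSE cassette=4 notes=3 txn=A1003
2020-05-03T16:22:10 REJECT cassette=2 notes=1
"""

# Constructed audit: cassette 4 has lost 43 notes but the journal explains only 3.
CASSETTES = [
    Cassette(1, 10, loaded=200, remaining=198),
    Cassette(2, 20, loaded=300, remaining=294),
    Cassette(3, 50, loaded=100, remaining=99),
    Cassette(4, 100, loaded=500, remaining=457),
]


def parse_journal(text):
    """Return {cassette_id: notes the journal accounts for}, ignoring malformed lines."""
    explained = defaultdict(int)
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[1] not in ("DISPENSE", "REJECT"):
            continue
        kv = dict(f.split("=", 1) for f in fields[2:] if "=" in f)
        try:
            explained[int(kv["cassette"])] += int(kv["notes"])
        except (KeyError, ValueError):
            continue  # a damaged line is not evidence either way; skip it
    return dict(explained)


def reconcile(cassettes, explained, tolerance=0):
    """Return {cassette_id: (unexplained_notes, value)} where physical outflow exceeds the journal."""
    findings = {}
    for c in cassettes:
        physical_out = c.loaded - c.remaining
        gap = physical_out - explained.get(c.cassette_id, 0)
        if gap > tolerance:
            findings[c.cassette_id] = (gap, gap * c.denomination)
    return findings


def audit():
    """Run the reconciliation over the constructed data."""
    return reconcile(CASSETTES, parse_journal(JOURNAL))


if __name__ == "__main__":
    for cid, (notes, value) in audit().items():
        print(f"cassette {cid}: {notes} notes ({value}) left the cassette with no journal entry")
```

Two practical points: the physical count has to come from somewhere the BlackBox cannot touch (the replenishment sheet and a manual count at audit), not from the host's own "notes remaining" counter, which the host only updates when it issues a dispense itself; and a non-zero `tolerance` is worth keeping for jams and miscounts, but the forty-note gap seen here is an order of magnitude above anything a jam produces.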

Where do BlackBoxes come from
ATM vendors and their subcontractors develop debug utilities to diagnose ATM hardware, including the electromechanics responsible for cash dispensing. ATMDesk and RapidFire ATM XFS are two such utilities; the figures below show a few more of these diagnostic tools.

hacking-atm-3.jpg

ATMDesk control panel

hacking-atm-with-blackbox-1-1.png

RapidFire ATM XFS Control Panel

hacking-atm-with-blackbox-2-1.png

Comparative characteristics of several diagnostic utilities

Access to such utilities is normally restricted by personalized tokens, and they are supposed to work only while the ATM safe door is open. However, simply by patching a few bytes in the utility's binary, hackers can "test" cash dispensing while bypassing the checks built in by the utility's vendor. Carders install these modified utilities on a laptop or single-board microcomputer, which they then plug directly into the banknote dispenser.

Last mile and fake processing center
Direct interaction with peripherals behind the host's back is only one effective carding technique. Others rely on the wide variety of network interfaces through which an ATM talks to the outside world, from X.25 to Ethernet and cellular. Many ATMs can be identified and located with the Shodan service, after which an attack exploits weak security configuration, administrator laziness and vulnerable links between the bank's various divisions.

The last mile between the ATM and the processing center uses a wide variety of technologies, any of which can serve as an entry point for a carder. There are wired (telephone line or Ethernet) and wireless (Wi-Fi; cellular: CDMA, GSM, UMTS, LTE) links. The security mechanisms may include:
  • hardware or software VPN support (either built into the OS or from third parties);
  • SSL/TLS (either specific to a particular ATM model or from third-party vendors);
  • encryption;
  • message authentication.
However, banks apparently find these technologies so complex that they either do not bother protecting the network at all or implement the protection incorrectly. In the best case the ATM connects to a VPN server and then talks to the processing center inside the private network. And even where banks manage to deploy the mechanisms above, carders already have effective attacks against them. So even a PCI DSS-compliant deployment leaves ATMs vulnerable.

One of the main requirements of PCI DSS is that all sensitive data must be encrypted when transmitted over a public network. And we do have networks that were designed from the start so that the data in them is encrypted! It is therefore tempting to say: "Our data is encrypted because we use Wi-Fi and GSM." But many of these networks do not provide sufficient protection. Cellular networks of every generation have long since been broken, and there are even vendors who sell equipment for intercepting the data transmitted over them.

Therefore, whether on an insecure link or in a flat "private" network in which every ATM can reach every other ATM, a "fake processing center" MITM attack can be mounted, giving the carder control over the data flowing between the ATM and the processing center.

Thousands of ATMs are potentially exposed to such MITM attacks. On the path to the genuine processing center the hacker inserts a fake one. This fake processing center instructs the ATM to dispense banknotes, and the carder configures it so that cash is issued no matter which card is inserted, even an expired card or one with a zero balance; all that matters is that the fake processing center "recognizes" it. The fake processing center can be home-made or it can be a processing-center simulator originally built for debugging network settings (another gift from the "manufacturer" to carders).
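The BlackBox on the dispenser cable, the EPP mode downgrade and the fake processing center are all the same weakness seen at three different links: a command channel on which the receiving side cannot tell a genuine message from a captured, replayed or attacker-built one. The following added example (not code from the original article, and not any real ATM, XFS or processing-center protocol) puts a toy unauthenticated "dispense" channel next to one with a shared key, an HMAC-SHA256 tag and a strictly increasing counter, and shows which frames each side accepts. The frame layout, the key and the commands are constructed for illustration.

```python
"""An unauthenticated command channel next to one with message authentication.

Added example, not from the original article. The frame layout below is a
made-up toy format, not any real ATM, XFS or processing-center protocol;
the key, counters and commands are constructed for illustration.
"""
import hashlib
import hmac
import struct

MAGIC = b"DSP"  # toy "dispense" command tag (assumption, not a real protocol)
TAG_LEN = hashlib.sha256().digest_size


def encode_cmd(cassette, notes):
    """Toy dispense command: tag, cassette number, note count."""
    return MAGIC + struct.pack(">BB", cassette, notes)


class NaiveDispenser:
    """Accepts any well-formed command: whoever holds the cable drives it."""

    def __init__(self):
        self.dispensed = []

    def handle(self, frame):
        if len(frame) != 5 or frame[:3] != MAGIC:
            return False
        self.dispensed.append(struct.unpack(">BB", frame[3:]))
        return True


class AuthenticatedDispenser:
    """Requires HMAC-SHA256 over counter||command under a shared key and a
    strictly increasing counter, so captured frames cannot be replayed."""

    def __init__(self, key):
        self.key = key
        self.last_ctr = 0
        self.dispensed = []

    def handle(self, frame):
        if len(frame) != 4 + 5 + TAG_LEN:
            return False
        body, tag = frame[:9], frame[9:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return False  # forged or tampered: wrong key or modified body
        ctr = struct.unpack(">I", body[:4])[0]
        if ctr <= self.last_ctr:
            return False  # replay of an already-seen counter
        if body[4:7] != MAGIC:
            return False
        self.last_ctr = ctr
        self.dispensed.append(struct.unpack(">BB", body[7:]))
        return True


class Host:
    """Legitimate sender: numbers every command and authenticates it."""

    def __init__(self, key):
        self.key = key
        self.ctr = 0

    def send(self, cassette, notes):
        self.ctr += 1
        body = struct.pack(">I", self.ctr) + encode_cmd(cassette, notes)
        return body + hmac.new(self.key, body, hashlib.sha256).digest()


def demo():
    """Return (naive_results, auth_results) for four frames in order: a genuine
    frame, a replay of that same frame, an attacker-built frame, a fresh genuine one."""
    key = b"constructed-demo-key"  # constructed; a real key would live in the peripheral's secure storage

    naive = NaiveDispenser()
    genuine = encode_cmd(4, 40)
    naive_results = [naive.handle(genuine), naive.handle(genuine),
                     naive.handle(encode_cmd(4, 40)), naive.handle(encode_cmd(2, 5))]

    host, auth = Host(key), AuthenticatedDispenser(key)
    frame = host.send(4, 40)
    forged_body = struct.pack(">I", 99) + encode_cmd(4, 40)
    forged = forged_body + hmac.new(b"attacker-guess", forged_body, hashlib.sha256).digest()
    auth_results = [auth.handle(frame), auth.handle(frame),
                    auth.handle(forged), auth.handle(host.send(2, 5))]
    return naive_results, auth_results


if __name__ == "__main__":
    print(demo())  # naive side accepts everything; authenticated side accepts only the two genuine frames
```

Two caveats a practitioner would add. First, authenticating the cable defeats the box plugged into the dispenser and the fake processing center on the wire, but not a compromised host: malware that owns the XFS layer (the first section of this article) still holds the key and issues validly signed commands, so this is a complement to host hardening, not a replacement. Second, the counter only protects against replay if the receiving side persists it across power cycles and the sender never reuses a value; a peripheral that resets its counter on reboot hands the attacker a replay window every time the ATM is power-cycled.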

The figure below shows a dump of the commands for dispensing forty banknotes from the fourth cassette, sent by a fake processing center and recorded in the ATM's software journal. They look almost genuine.

hacking-atm-with-blackbox-3-1.png

Dump commands of the fake processing center

Conclusion
As you can see, the old maxim that "a truly secure computer is in an iron box and is not connected to any network, not even the electrical one" finds more confirmation every year. Everything is vulnerable, and bank property is no exception.
Incidentally, the head of the ATM Industry Association (ATMIA) has singled out black boxes as the most serious threat to ATMs.
 