Sunday, June 5, 2011

ATM Hacking Techniques Revealed at BlackHat

ATM hacking has been popular for years. With a few nasty tricks, it used to be easy to break into most ATM systems.

But as time went on, those methods became obsolete; hardly any of those hacks still work, and the ones that remain in sight are relatively harder and less popular.

With the latest hack, as demoed at the Black Hat conference, it can get pretty easy. Barnaby Jack, director of security testing at Seattle-based IOActive, brought two ATMs onto the Black Hat conference stage and demonstrated that, with the press of a button, an ATM spits out its cash down to the last note in the pile.

“I hope to change the way people look at devices that from the outside are seemingly impenetrable,” said Jack. He demonstrated a hack that allows the attacker to connect to the ATM through a telephone modem and, without knowing a password, instantly force the machine to empty itself of cash.

How the hacking started

To kick-start the research, Jack said that he had bought a pair of standalone ATMs: one from Tranax Technologies (yeah, it's not Taranfx) and the other from Triton. His study succeeded within a few years, during which he discovered vulnerabilities that let him gain complete access to those machines.

Jack seems so confident about his technique that he said, “Every ATM I’ve looked at, I’ve found a game-over vulnerability that allows an attacker to get cash from the machine.”

On a good note, he has been an ethical hacker about it: he brought the vulnerabilities to the notice of both ATM companies, and they were fixed a year ago. However, there's a twist to the story. These updates were pushed only to ATMs still under support from the companies, so not every ATM was updated, and hence a large number of the machines remain vulnerable.

Hacking ATMs: Now & then

ATM hacking used to rely on two techniques known as “card skimming” and “card trapping”, which are now relatively uncommon; these electronic cash-extraction techniques were limited because they didn’t rely on a deep analysis of an ATM’s code.

We already know what happened when cybercriminals hacked into bank ATMs in Eastern Europe.

Most modern ATMs run Windows CE on an ARM processor and use a dialup or leased-line connection to reach the other branches over Internet/intranet VPNs, most of which goes through a serial port connection. Jack used standard debugging techniques to interrupt the normal boot process and start Internet Explorer instead; using some nasty IE tricks, he gained access to the file system and copied off the files for analysis.

A remote access vulnerability was found in Tranax ATMs that allows full access to the machine without a password. The hack uses two pieces of software: a utility called Dillinger, which attacks an ATM remotely, and one called Scrooge, a rootkit that inserts a backdoor and then conceals itself from discovery. Scrooge “hides itself from the process list, hides itself from the operating system, there’s a hidden pop-up menu that can be activated by a special key sequence or a custom card.”

For Triton’s ATMs, the scenario was different. The PC motherboard that dispenses cash from the vault was protected only by a standard (shared) key that could be purchased over the Internet for about $10. So Jack found that he could force the machine to accept his backdoor-enabled software as a legitimate update, which could then do irreversible damage.

Both companies have responded to the hacks, but the necessary actions may still not have been taken to fix all the machines. I just hope someone takes care of this sometime soon.

The difficult part of hacking ATMs is evaluating the software for vulnerabilities, but once someone like Jack has built the tooling, emptying the machine is child's play.
