“Hack ATM with an anti-hacking feature and walk away with $1M in 2 minutes”
In general, the subject of our research is ATM security.
We will regard an ATM simply as a safe controlled by a computer. Currency is put into cassettes, which are loaded into two devices in the safe: one for withdrawal (the dispenser) and another for deposit (the bunch note acceptor). The computer is connected to a card processing server through an isolated network.
Many people are involved in making, installing, and operating ATMs, and each of them could potentially exploit their access for theft. These people and their capabilities are reflected in a typical threat model for a bank that owns ATMs:
- Software developers: creating backdoors and errors in code
- Contractors: handing cryptographic keys over to attackers
- Service engineers: spoofing hardware and software components, malicious use of keys, negligence (leaving a safe open)
- Cash-in-transit guards: stealing currency cassettes
- Bank clients: manipulation of banknotes during cash-in (gluing, threads, etc.) and cash-out (retrieving part of a stack of notes)
- Attackers without expertise: theft of an ATM, attack on cash-in-transit guards, social
- Attackers with expertise and mechanical tools: destruction of the device, accessing the safe, manipulation of the deposit slot
- Attackers with expertise and hardware and software for local influence: skimming, Black Box attack, card cloning, accessing the PC inside the ATM
- Attackers with expertise and hardware and software for remote influence: unauthorized access through the local network, malware installation, exploitation of software and OS vulnerabilities
Our expertise covers threats affecting the programmable components of the device. In this article, we analyze the capabilities of an attack that exploits software vulnerabilities on the ATM's built-in PC. Exploitation of these vulnerabilities should lead to arbitrary code execution at the highest privilege level of the execution environment.
The benefit of executing your own code on the built-in computer is that it allows sending commands to the dispenser, which is what normally happens each time a card is inserted. However, our code, unlike the built-in software, leaves out all irrelevant details, such as entering a PIN or requesting a balance. It is just about cash – and all of it at once.