I wonder how they get access to a communication line or access port or whatever to load their malware onto the ATM. I would think that's the tough part - once you get that, it's probably easy to compromise.
A lot of ATMs sit in places like convenience stores or strip clubs or other places where you might need quick cash. They are profit centers for those places, because those places get to keep some of the fees collected.
They are also very very insecure. You can literally just walk around behind them and attach stuff without anyone really noticing.
I was renewing my registration at a DMV kiosk, which is like an ATM that spits out registration tags instead of money. The machine was broken, and the supermarket said to just call the number on the side. I did so, and they told me to unplug it and plug it back in. So I went around the back and did exactly that. No one questioned me.
Then they remotely logged in, messed around on it (which I could watch them do on the display) and it was fixed.
But my point here is that no one questioned me when I went around back, no one questioned a mouse moving around on a touch screen, no one questioned random control panels coming up, and the people who owned it (the DMV) didn't seem to care about the information leaks they were providing me.
Still, though, what sort of data lines do ATMs use? Ethernet? If so, how would you exploit it?
It seems like the ATM's software might work like this: on bootup, connect to server atm.foobar.com at port xyz.
Oh, right. In that case, you'd write an MITM server. You could sneak in a Raspberry Pi so that it goes ATM <-> RPI <-> ethernet, and then set up the RPI to broadcast all the network traffic via a wifi dongle to your laptop.
But... certificate pinning would trivially subvert that. I guess ATM manufacturers might not have done any pentests though, so perhaps they don't do cert pinning.
The number of times I've heard people in the tech community mention certificate pinning as a valuable security mechanism is like the amount of times I've heard about zombies, despite the fact that they just don't exist.
I've worked on a team that reverse engineered and did security audits on a lot of commercial and consumer applications. We saw cert pinning implemented correctly maybe once or twice a year, by companies large enough that their security team was larger than most software companies' entire payroll.
Basically, it's not a thing that exists, because it is really hard to implement properly. The threat model for being MITM'ed with cert spoofing is pretty exotic. In the end, cert pinning means your application is not working if something goes wrong with the certs, which EVERYONE at some point forgets to renew, or, worse, your CA inadvertently gets hosed.
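The operational failure mode described above (pinning bricks the client the moment a cert or key changes) is what a pin set with a backup pin and an expiry is meant to handle. The following is an added example, not code from this thread or from any ATM vendor: it pins the SHA-256 of the server's SubjectPublicKeyInfo rather than the whole certificate (so a routine renewal with the same key passes), ships a second pin for a key held offline for rotation, and fails with a distinct reason when the pin set itself is stale. The DER helpers, the Ed25519 key bytes, the certificate shell and the pin set are all constructed for the demo.

```python
"""SPKI pinning with a backup pin and pin-set expiry (added example)."""
import base64
import hashlib
from datetime import date

SEQ = 0x30  # DER SEQUENCE tag


# ---- minimal DER helpers: enough to build a test certificate and walk one ----
def _der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(body)) + body


def _header(buf: bytes, i: int):
    """Return (tag, body_start, body_len) for the TLV starting at buf[i]."""
    tag, first = buf[i], buf[i + 1]
    if first < 0x80:
        return tag, i + 2, first
    n = first & 0x7F
    return tag, i + 2 + n, int.from_bytes(buf[i + 2:i + 2 + n], "big")


def children(seq: bytes):
    """Return [(tag, raw_tlv), ...] for the elements of a DER SEQUENCE."""
    tag, i, length = _header(seq, 0)
    if tag != SEQ:
        raise ValueError("expected SEQUENCE")
    end, out = i + length, []
    while i < end:
        t, s, l = _header(seq, i)
        out.append((t, seq[i:s + l]))
        i = s + l
    return out


def extract_spki(cert_der: bytes) -> bytes:
    """Certificate -> tbsCertificate -> subjectPublicKeyInfo (RFC 5280 field order)."""
    fields = children(children(cert_der)[0][1])
    if fields[0][0] == 0xA0:  # optional explicit [0] version
        fields = fields[1:]
    # serial, signature, issuer, validity, subject, subjectPublicKeyInfo
    return fields[5][1]


def spki_pin(spki_der: bytes) -> str:
    """Pin in the 'sha256/<base64>' form used by HPKP-style pin lists."""
    return "sha256/" + base64.b64encode(hashlib.sha256(spki_der).digest()).decode()


def check_pin(cert_der: bytes, pin_set: dict, today: date):
    """Run after normal chain validation; returns (accepted, reason)."""
    if len(pin_set["pins"]) < 2:
        return False, "no backup pin: a key rotation would brick every client"
    if today > pin_set["expires"]:
        return False, "pin set expired: client needs an updated pin set"
    pin = spki_pin(extract_spki(cert_der))
    if pin in pin_set["pins"]:
        return True, "server key matches a pinned key"
    return False, "server key matches no pin: interception or unplanned rotation"


# ---- constructed test data (Ed25519 keys are 32 raw bytes, so SPKI is easy) ----
def ed25519_spki(raw_key: bytes) -> bytes:
    """SubjectPublicKeyInfo for an Ed25519 key per RFC 8410 (OID 1.3.101.112)."""
    alg = tlv(SEQ, tlv(0x06, bytes.fromhex("2b6570")))
    return tlv(SEQ, alg + tlv(0x03, b"\x00" + raw_key))


def fake_certificate(spki: bytes) -> bytes:
    """Syntactically valid, unsigned X.509 shell; only the SPKI matters here."""
    sig_alg = tlv(SEQ, tlv(0x06, bytes.fromhex("2b6570")))
    empty_name = tlv(SEQ, b"")
    validity = tlv(SEQ, tlv(0x17, b"240101000000Z") + tlv(0x17, b"340101000000Z"))
    tbs = tlv(SEQ, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + sig_alg
              + empty_name + validity + empty_name + spki)
    return tlv(SEQ, tbs + sig_alg + tlv(0x03, b"\x00" * 65))


KEY_CURRENT = bytes(range(32))       # constructed, not a real key
KEY_BACKUP = bytes(range(32, 64))    # constructed; held offline for rotation
KEY_OTHER = b"\x07" * 32             # constructed; never pinned
PIN_SET = {
    "pins": [spki_pin(ed25519_spki(KEY_CURRENT)), spki_pin(ed25519_spki(KEY_BACKUP))],
    "expires": date(2026, 1, 1),
}


def demo() -> dict:
    """Current key, backup key and unknown key, plus a stale pin set."""
    today = date(2025, 6, 1)
    return {
        "current": check_pin(fake_certificate(ed25519_spki(KEY_CURRENT)), PIN_SET, today)[0],
        "backup": check_pin(fake_certificate(ed25519_spki(KEY_BACKUP)), PIN_SET, today)[0],
        "other": check_pin(fake_certificate(ed25519_spki(KEY_OTHER)), PIN_SET, today)[0],
        "stale": check_pin(fake_certificate(ed25519_spki(KEY_CURRENT)), PIN_SET, date(2027, 1, 1))[0],
    }


if __name__ == "__main__":
    print(demo())
```

The check runs after ordinary chain validation, not instead of it, and the "stale" branch is the part teams usually skip: an expiry forces the pin set to be refreshed on a schedule, so a forgotten renewal surfaces as a dated error rather than as a fleet that silently stops connecting.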
Would love some pointers too. I've run into it once implemented in a way I couldn't circumvent and was blown away. I'd love to develop the skills to do the same myself.
The kind of ATM I see at gas stations usually seems to involve a legacy ethernet cable of some sort (I've been told it's probably RJ12) and/or a small antenna magnet-mounted to the top of it. Not sure if they both serve the same communications purpose.
The few times I've used one they also take a ridiculous amount of time to connect/return anything, on the order of 30s-1m.
Many of these even now remain on dial-up, so they just have a modem and the cable is a phone jack. If you have a favorite bodega ATM that always takes 15 seconds to respond after you type your PIN, it's probably dialing. Newer ATMs almost certainly use wireless modems, if they aren't just connected to the Internet.
Fun fact, the modems still negotiate at 2400 or 9600 baud, because the extended negotiation times of higher-speed protocols more than negate time saved in transferring the small payload.
For remote attacks what usually happens is the malicious actor will first get access to a bank's network and from there pivot to the ATMs. Oftentimes they have some remote tool to shoot off commands and so forth. The malware itself is rather basic and easy to understand; the security layer once remotely accessed is rather moot. Depending on the malware strain they can then program the ATM to be "cashed out" during a certain time or even if certain cards are inserted.
This was my exact question as well, and I wish the article did a better job answering it. There was a linked article that explained how it worked with physical access, i.e. popping the top of the ATM panel (it said the physical lock that keeps this down is like a "bathroom lock" and easily picked), and then there are USB or SIM card ports you can interface with.
For the remote attacks, though, like the one it said could result in many ATMs at the same time being hacked, I don't begin to understand where the attack vector starts.
ATMs generally connect to a management system to retrieve configuration and report status. Like many back-end systems, these are often poorly designed and don't receive extensive security review. So if you can compromise one, there's an opportunity to potentially deliver a malicious configuration to a large number of machines at once.
Similarly, there are several ways that attackers can find ATMs on the internet or telephone system in bulk. Although the situation has improved, ATMs historically had very poor authentication for remote management (some likely still do) which made them vulnerable to malicious reconfiguration over the internet or telephone modem.
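The fleet-wide risk described in the two comments above comes from machines accepting whatever the management system hands them. The following is an added example, not code from this thread or from any ATM management product: it shows the checks a machine can run before applying a pushed configuration, so that a compromised server or a replayed blob cannot reconfigure the whole fleet. It assumes a per-device secret provisioned at installation and a stored version number for the last accepted config; the device ids, the key and the config fields are constructed for the demo. An HMAC is used because it is in the standard library; a real deployment would prefer a signature from an offline release key so that the server itself cannot mint valid configs.

```python
"""Verifying a configuration push before a machine applies it (added example)."""
import hashlib
import hmac
import json


def canonical(config: dict) -> bytes:
    """Stable byte encoding so signer and verifier hash exactly the same thing."""
    return json.dumps(config, sort_keys=True, separators=(",", ":")).encode()


def sign_config(device_key: bytes, config: dict) -> dict:
    """Server side: envelope = canonical body + MAC over that body."""
    body = canonical(config)
    return {"body": body.decode(), "mac": hmac.new(device_key, body, hashlib.sha256).hexdigest()}


def verify_and_apply(device_key: bytes, envelope: dict, state: dict):
    """Machine side: authenticity, addressing and freshness, in that order.

    state = {"device_id": str, "version": int, "config": dict}; returns (applied, reason).
    """
    body = envelope.get("body", "").encode()
    expected = hmac.new(device_key, body, hashlib.sha256).hexdigest()
    # Constant-time compare so the check does not leak how many MAC bytes matched.
    if not hmac.compare_digest(expected, envelope.get("mac", "")):
        return False, "MAC mismatch: not produced with this machine's key"
    config = json.loads(body)
    # Binding to one device_id means a single valid blob cannot be fanned out to the fleet.
    if config.get("device_id") != state["device_id"]:
        return False, "config addressed to a different machine"
    # Monotonic version: an older, genuine config cannot be replayed to roll back.
    if config.get("version", 0) <= state["version"]:
        return False, "version not newer than last accepted config (replay/rollback)"
    state["version"] = config["version"]
    state["config"] = config
    return True, "applied version %d" % config["version"]


def demo() -> list:
    """A legitimate push, a tampered push, a replay, and a push meant for another machine."""
    key = b"constructed-per-device-secret"  # placeholder, not a real provisioning key
    state = {"device_id": "atm-0001", "version": 1, "config": {}}
    good = sign_config(key, {"device_id": "atm-0001", "version": 2, "service_window": "02:00-04:00"})
    results = [verify_and_apply(key, good, state)[0]]           # True: applied
    tampered = dict(good, body=good["body"].replace("02:00", "00:00"))
    results.append(verify_and_apply(key, tampered, state)[0])   # False: MAC mismatch
    results.append(verify_and_apply(key, good, state)[0])       # False: replay of version 2
    # Same key on purpose here so that the addressing check, not the MAC, is what rejects it.
    other = sign_config(key, {"device_id": "atm-0002", "version": 3})
    results.append(verify_and_apply(key, other, state)[0])      # False: wrong device
    return results


if __name__ == "__main__":
    print(demo())
```

Each rejection returns a distinct reason string; logging those reasons centrally is the cheap detection win, since a burst of "addressed to a different machine" or "replay/rollback" rejections across many machines is exactly the signature of someone trying to push one configuration to the whole estate.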
Find your local liquidation auction house. You'll see a lot more of the types of ATMs that show up at cash-only businesses than bank-location-style ATMs, but sooner or later, one will show.
Just keep in mind that it's very heavy. Very. Like your building's construction code may not allow that much weight per floor area. Shipping or moving it around would be similarly "fun".
They make motorized hand carts ("dollies") that make it easy for a single person to move large safes. Either with motorized wheels, or a motorized actuator that lifts a second set of wheels up and down which makes it possible to go over curbs and other obstacles.
It would still probably be "fun" (not easy) for someone who hasn't done it before, but not impossible.
I had an acquaintance whose side business was running ATMs in convenience stores in California (the fees are outrageously profitable), so I assume it's possible to buy/rent the latest models for personal use and hack it all you want.
> INJX_Pure .. runs a self-crafted HTTP server web interface for its purpose ..
Don't run your ATM under Windows and connected to the Internet. I recall reading an instructional manual that required the visit of two technicians, that installed and configured a black-box that required the entry of two unique codes to be activated. Communication to the back-end being done on private leased-lines. Then they upgraded the ATMs to Windows running over the Internet :o ..
I used to read how OS/2 had a niche running ATMs long after the general public had lost interest. Wonder if that's still the case. I almost think I may have seen one crash and display a Windows CE screen once.
I remember when Bluetooth skimmers started to be used on gas station pumps in my country. The attacker would wait inside a car in the signals range and siphon off cc numbers in bulk. Management then put up signs to make sure to jiggle the reader before inserting your card, to ensure that it was real.
I guess I'm out of sync with the times. For some reason, my first thought on seeing the title was that it would be about some clever new tricks with the ANSI ATM standard.
In Germany the go-to method of "hacking" ATMs is blowing them up. I think they use some kind of gas to funnel inside the chassis and then ignite it. That seems to work exceedingly well; the numbers of that happening are insane. Is that not a thing in the US?
Seemed to happen in Philadelphia often this year. Many gases could do the job with the right amount of oxygen.
Canada had an interesting duo that used portable welders to cut holes in just the right spot. They travelled around a lot and hit 50 indoor ATMs after-hours (interesting video): https://youtu.be/HWg6GcthZi8?t=44
The trays do blow the red ink; however, there are companies that (illegally) remove the unremovable marking ink.
Being part of a research group regarding ATM security was a really nice experience for me. It's a different world, full of unexpected things.
I would think that after you had physical possession of the ATM this would be a non-issue. You're free to do whatever you want with it, as long as it's hidden well enough it doesn't get tracked down.
How hard would it be though to have a small GPS tracker in the same secured area the money is in? I know there are a few instances of people hauling them off but it doesn't seem that well thought out or any indication this is successful more than other modest robberies.
I would assume that, as with anything else, unrestricted physical access == game over.
A GPS tracker in the money compartment is an interesting idea, but I would think that it wouldn't be too hard to defeat with either a Faraday something-or-other or just disrupting the GPS signal [0].
That being said, this requires someone to be thinking about it, which may or may not be happening.