
Hello, good afternoon everyone. Let's welcome David from X-Force Red to give you the 1:30 talk.

Hi folks, how's everybody doing today? Excellent, excellent. Good, good. So hopefully you're here for the right talk: Goldilocks and the Three ATMs. It talks about breaking into ATM machines, a little bit about some of the controls that are missing, some of the things that I'm seeing, and how one company lost 7 million US dollars, or 131 million Mexican pesos.

A little bit about myself. I'm David Bryan. I'm an operator for THOTCON, which is a Chicago-based hacking conference. It's pretty fun, and it's happening pretty soon. I think our tickets are already sold out, but keep us in mind next time. I've also been involved with DEF CON for 20 years now. I started out doing physical security gooning, moved into network, was in network for quite a while, and now I actually run the department that streams DC TV to everybody's hotel room, so if you ever get to sit and watch the talks in your hotel room, you can thank the team that I'm working with. ToorCamp is also a really great thing that happens every other year. I'm really proud of it; I'm a participant there. I think it's really important to be part of the community, and if you haven't, participate in your local DEF CON groups. DC612 was one that I started 10 years ago and it has been going strong ever since. It's a really good way to meet other people in your community, a good way to network, find jobs, find out about threats, etc.

I'm also really frustrated with how a lot of the Internet service providers are treating privacy and net neutrality; they're kind of going out the window. So I started a wireless ISP in Minnesota because I wanted people in my neighborhood to have some option for better internet. I also work for a company called IBM. They've been around for a while; however, X-Force Red is a new group inside of IBM. We've only been around for three years. It's basically a pen testing group. It's pretty fun, pretty crazy stuff that we see.

So, this talk. If you guys want, there are some seats down up front here, and I think I see a few in between up in the third and fourth row. When I submitted this talk it was three ATMs; as of two weeks ago it's now four. I'm going to give each of the ATMs a designation, ATM Alpha, Bravo, Charlie and Delta, pretty much so that they're anonymous instead of being named out. I don't want to call out any of the offenders. I'm not going to read the slide there, but essentially it was interesting.
You know, we had some ATMs that had very strong security; they actually locked the stuff down. And we had some ATMs that assumed that the security software that was installed was actually going to prevent a lot of the attacks that we ran, and that's not the case. And then the last couple, we talked about some physical, some electronic, but much more physical controls. Some of the flaws we found: in one of the ATMs, with two UDP packets we were actually able to compromise the system. In ATM Bravo, because they hadn't patched the system, it was vulnerable to EternalBlue, which is almost two years out of date for patches. That's insane, to have a Windows machine that is that far out of date. ATM Charlie, as we will call it, had some really poor physical security around the computer compartment. They did have a little bit of a problem with their full disk encryption, and thus they had millions in cash stolen.

So ATM Alpha. This was actually an ATM where they had gone through and hardened the OS. There were, I think, all but two services listening on the machine; they had actually disabled SMB and anything that an attacker could potentially leverage. It was quite a feat, and the ATM software itself was not running as a privileged user. The ATM software was running as an unprivileged user, which is uncommon. Most of the time when we see these devices that are doing kiosks or some sort of function like this, the software that's actually dispensing the cash is running as admin, which is unfortunate. It didn't use full disk encryption, and so that's a big risk to me, from the perspective that these could be anywhere. You don't know what your attack scenario is going to be. If they gain access to the hard drive, they're now going to be able to clone and write data to the disk or whatever. We were also able to boot from our own operating systems, so we could throw a Kali boot in it, boot it up, dump the SAM password, pull it out and move on.

Then we had ATM Bravo. This ATM was definitely super easy to compromise, without having to open the box or even gain access to anything physical. We could plug into the network and basically run EternalBlue attacks against this machine and compromise it. It was pretty bad. The other thing is the ATM software was running as administrator, so there was no separation of privileges. If I had gotten access to the maintenance screen or display (there's essentially a maintenance display that flips out), you can plug a USB drive in and it's game over. There's no separation of duties or separation of privileges. We were able to pull the drive out, obviously, and mount it; again, not using full disk encryption. It was just really bad.

ATM Charlie was actually a lot better. In this case they had gone through and hardened the system. They had antivirus software actually deployed on this system. They had something called GMV Checker, which is a company that has put out this software specifically to lock down ATMs. They do full disk encryption for them, they'll lock out USB HIDs, and this is a pre-boot control. Pre-boot means that before Windows actually starts booting, it loads a little tiny Linux kernel that then locks down the USB devices and then loads Windows. I was actually quite impressed with it, because we couldn't mount the drive to start out with, we couldn't boot from our own OS, and all the network traffic was encrypted. But they had this pretty big problem where they had lost a ton of money. In fact, we went out on site to one of the grocery stores where their ATMs were deployed, and basically I'd identified an issue, and I'll show you the issue in a little bit here. But they had all these ATMs sitting empty with no cash in them, because they had a huge risk; they had already hit over 100 ATMs
at this point.

All right, so ATM Alpha. This is the one they said was hardened. We were able to boot it into Kali and dump the SAM files. We also found the admin password in log files. This is like security 101: stop writing passwords to log files. Stop writing passwords to log files. Stop writing passwords to log files. We also pulled a binary. The binary was a custom-written application specifically for this ATM, and it was a management app that the company who created the ATM made so they could deploy patches, so they could do maintenance, all sorts of stuff. We pulled the binary off of it and we started reversing it. We were on site for two weeks, and in this case this was an ATM in Japan, so it was a good time, but you're away from your family for two weeks and it gets to be a little long. Anyway, in this case my coworker John Hoops started going through, used IDA Pro to sort of watch the memory and watch how stuff was flowing, and he's like, I think there's a problem here. So he pulls up a decompiler, goes through, and figures out that there's a certain offset that the software looks for, a byte offset in a packet, and if you just bypass that, at some point it just runs the command. We only had 1,500 or 1,400 bytes to be able to send a payload to this machine, so that's why we have two packets. The first packet is, hey, go download this; the second packet is, hey, run what I just downloaded. It's pretty bad.
So in this case, even though they had hardened this system, there were some pretty immense flaws in the management software that obviously hadn't been reviewed. Okay, so the other component is that the front end was a Flash app. It's a Flash app that runs inside the ATM, and then there's a Java web application that this Flash app would actually post to, and the Java app is the thing that would actually dispense cash. Thankfully they had left behind the debugger tool, so we could pull up the debugger tool and just trap the time where it says, hey, dispense this cash, or vice versa, hey, I've given you this cash. Let's say I put in a certain denomination of bills. I can now just multiply that and post it to their back-end servers, so now all of a sudden, instead of having a thousand dollars in my bank account, I can have ten thousand or a hundred thousand, just by changing that multiplier. An example Java debugger is this: basically, be able to go through the code, set a breakpoint, and when you're at that breakpoint, come up and prompt me for an input.

We found all sorts of other issues with this particular ATM. Logs weren't being encrypted. Logs were trusting the time on the ATM. I mean, there are all sorts of inconsistencies with how these systems are set up. It's pretty bad. I think the only saving grace for ATM Alpha and Bravo was that they're using what's called the Abloy lock. It uses sidebar technology to prevent picking; it's fairly pick resistant. I could probably spend a couple of hours trying to pick open this lock and I may not get it.

That said, like I said, we were on site for two weeks for this one engagement. We got a little bored, and that week that we were on site our president was on national news with this segment, and we decided that, since we've compromised this ATM, we should probably put this up on the screen. So we replaced the Flash video archive that showed "please take your cash" with one of our own videos. Basically that's what was going on there. That is from the actual ATM. It was pretty fun.

All right, so let's go back to ATM Charlie. It's got basically everything that we want: the system is hardened, antivirus, it's got this control software that actually goes through and locks down the ATM, locks down the USB HIDs. How could they have stolen seven million dollars from this machine? Does anybody know what type of lock this is? I see one hand. Is anybody awake? Okay, good, good. So this is a wafer lock, and this is the lock that was used to protect the computer compartment of ATM Charlie. This is insane. It takes seconds to open this lock. The other problem is that this GMV Checker software allows the user to say, just use the hardware to generate the full disk encryption key for the hard drive. Does anybody see a problem with that? So what we think happened: they had a pop-up event, like a tent event, and this company that we did the work for brought these ATMs on site. At the end of the event, tents were torn down, loaded on the truck, ATMs were loaded on the truck, and the truck was stolen. So what I'm assuming is that these criminals are actually taking these drives and running to the ATMs with the drives they had stolen, putting the drives in and sideloading their malware. It's pretty interesting.

So here's a lock on this ATM. It's super easy to bypass that little flippity bit there, and then this is me picking it. Yeah, it takes seconds. And then this is just the front cover of this ATM; again, this is the wafer lock technology. If you're using a real lock it should be twenty minutes maybe, or five minutes, three minutes. So yeah, that was not good. So the story goes that they actually had video of one attacker that came in. I think they were either taking a screwdriver and hitting that little release button on the top, or maybe even taking a screwdriver and jamming open the lock, which could be. But opening the computer compartment, they took the hard drive out and they left for forty-five minutes, and then they came back and shoved the hard drive back in the machine. It's at that point that that hard drive is now infected with some sort of malware. Then what would happen is they would go away; that's their disk mule. And then they would have a cash mule. This is somebody who would then show up. They had codes that would get texted to them, which were only valid for 24 hours. They'd go to the ATM, pull up a maintenance screen, and then enter in the codes, and the machine would dispense cash. And that's because they've loaded malware on the machine that hooks the DLL that dispenses the cash. It's pretty crazy stuff.
So here's another one that I just did two weeks ago. This is kind of crazy. A little intro on this one: in this case this is an ATM that previously I was like, oh, these machines are good from a physical security perspective. However, this time the vendor decided to add electronic locks, which I can understand. It's good to have an audit trail; it's good to have some sort of record of what privilege a user has. Unfortunately, in this case their electronic lock mechanisms allowed me to very quickly and easily bypass these super secure locks. In this case I inserted a shim, just a long shim that becomes a bypass tool, because they had a gate that was controlled by a solenoid. It's like, whoa. So that's the outside; that gets me access to the hard drive, gets me access to the computer, gets me access to the USB bus, the second network port, all that fun stuff. Once you're inside the ATM, the electronic control box was secured by four screws and the power rail was also exposed, so I just had to figure out with a multimeter which of the wires was the one that controlled the solenoid inside that protected the cash vault, and essentially hotwire it. It's like, what? So I guess the way to prevent this stuff
is: test your stuff, test your stuff, test your stuff, as you deploy it, before you deploy it, once you deploy it. The bank in Mexico City which had millions in cash taken from it, I can't say, but the bank had thousands of these ATMs deployed in production. It's a big issue, so you have to make sure to test. The other thing you need to do is make sure you're locking down the application. I think that's one of the things: you need to run the apps as unprivileged users, you need to make sure there's some sort of privilege separation, and even run antivirus. I think one of the things that we're seeing is there is a tool, Solidcore is a tool, that will say, oh, these are the only binaries that I can run, and one of them is PowerShell. How many people have owned a machine using PowerShell? Yeah, right. So basically we would take a Meterpreter payload encoded in PowerShell, paste it into PowerShell at the console, and we'd have a remote shell back to where we were. So that is a viable attack if you've maybe paid off a maintenance person or you've figured out how to open up the back door.

I think one of the other things is: hold your vendors accountable. They should be doing this testing. Why aren't they testing these things before they go out into the world? Why is it that we have to have a criminal ring identify this stuff for us before it happens? I should note that with the ATMs in Japan there wasn't a criminal ring against them; it was more due diligence testing, which is good. Tokyo is getting prepared for the Olympics, so I think there is some understanding that foreigners may not adhere to the same rules that Japanese culture does.

All right, so what can you do personally? Make sure you review your bank statements. Ensure you have withdrawal limits on your card. Call your bank if you see unauthorized transactions; your bank accounts are federally protected, which is really good. Whenever I go up to an ATM, I kind of pull on the card reader, and if I can pull it off or it feels loose, I'm not touching it, I'm walking away. There's a really good chance there's a card skimmer on it. Although, from what I understand, the people with card skimmers have gotten much better at putting covers on the ATMs, now to the point you can't even tell it is a cover. But yeah, I think I have a couple of minutes for questions here.

So we have a couple of questions from the audience. They're wondering where you will upload the presentation.

I can figure that out later. I don't know where; I can hand it off to BSides and they can post it.

Okay. And then Franco from the audience asked: do ATMs only use Windows, or do some use some Linux variant? Is there a way to track the attackers?

So in this case the cheapest and easiest route to market is Windows, unfortunately. All of these ATMs, their core OS is Windows, which is kind of unfortunate. There's a little tear right here in the corner of my eye. I wish they would run Linux, because then we wouldn't have these problems.

And one more question: what was the bit about vendor collusion? Was the vendor providing the limited-time access code to the cash mules?

So there's a code that some vendors can give to their maintenance people to gain access to the ATMs, and that needs to also be provided to a user. Yeah, it's a very interesting bit.

What do you recommend as the best method for deriving the keys for full disk encryption, given that apparently the only ATM you mentioned that had any full disk encryption derived their keys in a way that was the same across devices?

So in this case the software has the option to go online and pull down a unique key per machine, but because these ATMs were deployed into places where they can't trust the network, like literally a satellite feed that's maybe 64K, they err on the side of the machine actually being booted, so that when the user comes to take out money it works. The latency is the time that it takes to check the network and then dispense the cash, versus the machine just not working because it can't actually download its disk encryption key. I totally understand what they're doing there, but unfortunately it's cost them a lot of money.

To what extent are factory default passwords on cheaper, minor ATMs in convenience stores still an issue, and to what extent are unpatched Windows XP ATMs deployed in the wild still an issue?

So I haven't personally done research on that, so I can't make comments on that.

All right. Let's thank David for coming to BSides. Thank you.