
Good evening everybody and welcome back to B-Sides Las Vegas Proving Grounds. Our next talk is titled "Take All My Money: Penetrating ATMs" and it's given by Frederick Sandstrom. A few announcements before we begin. We'd like to thank our sponsors, especially our diamond sponsors Adobe and Aikido Security, and our gold sponsors Profit and One Zero. It's their support, along with our other sponsors, donors and launchers, that makes this event possible. These talks are being streamed live, and as a courtesy to our speakers and audience, we ask that you check to make sure your cell phones are set to silent. So if you haven't already, this is your time to take out your cell phones and check that they're silent. If you have a question, you'll be using the audience microphone that I'm holding in my hand right now, so that YouTube can also hear you. So please raise your hand if you have a question and I'll bring the mic to you. As a reminder, the B-Sides Las Vegas photo policy prohibits taking pictures without the explicit permission of those in the frame, so I advise and request you to refrain from taking any pictures, even if it's just a shot of the slides. These talks are all being recorded and will be available on YouTube in the future. With that, let's get started, and please welcome our speaker.

Thanks everyone for taking your time to
come and listen to my talk. So I will be going through a quick overview of ATMs and common flaws (tell me if it's not loud enough, if you can't hear me in the back), and also a small ATM heist that happened in Sweden a few years ago. So I will try to kick it off. A lot of slides in a few minutes, so try to follow along with me. So, quickly: I've done pen testing for the last 10 years, and done ATM testing in a few countries in Europe and some other places. But you will soon learn that it doesn't really matter where you do it. So let's jump in. Yeah, that's it.

So there are many ways to hack an ATM, but you don't need to complicate it. You can just do the forklift, use your power tools from home. I mean, you don't even need to be so technical about it. Or in Europe, or this time Malaysia, it's using explosives, but you do get some side effects with some coloring and some bills that might be a little bit hard to use. Or if you have a crane excavator, you can use that as well. There is actually one group in Ireland who did use excavators to hack ATMs, and this one's a bit funny because I got the ATM footage of it, and you can see how fast a skilled operator can do it, because this is not his first time. Yeah, just took it up. Even prepared a small car for it, with, I hope, some better suspension, because that's heavy. Yeah, you see, that's all of it, tap it. He almost left his phone in the excavator as well. So, yeah, it can be done fast.

So a little bit of a history lesson. ATMs go back to the 1960s, when only the big vendors like IBM did it. But as ATMs grew, demand grew too; in the 1990s there were like 15 providers and it was just growing, and banks wanted to standardize, because it wouldn't be easy to switch the vendors between the banks. So some kind of movement started to do the standardization, to make it easy to switch out the vendors in the back end. So from a healthy 15 and growing, down to 2018 there were only four vendors left, because when they started standardizing, it also meant it's easy to buy up a company. So due to this there were only like four big vendors, and even two of them tried to merge, so it was only going to be three vendors, but they actually stopped it due to it being too few vendors to be safe for the crown. But there are some new pop-ups: in Las Vegas, when I landed here in the airport, you have cupcake ATMs as well. So I'm looking to get a new assignment.

But back to the standardization part, because this is all great, because standardization for hackers means that if you get an exploit working, like the jackpotting software (jackpotting is when you get the cash out without a card and PIN, so it's quite handy when you forgot it)... The good thing with the standardization is, once you get the exploit, like the jackpotting software, running, you only need to maybe change a few register flags in your payloads to make it work on almost all vendors all around the world. So for us testers, standardization is something we really like. This is a little bit of a side effect when you do everything the same way, because if different vendors did things differently, it would take a little bit more time to try to figure out how to exploit it. So this backend, you will learn a lot about it later on if you do ATM hacking, when you google for XFS, or CEN/XFS, the standard. But like it's written, it's like Java: write it once, run it everywhere. Like the payloads.

So for anyone who hasn't used an ATM, the basic build-up. You have cameras, one on the PIN pad and one on the card; one at the people and one at the PIN. You also have a receipt printer, you know, to see how much you take out. Card readers, cash dispenser, safe. You will see there are normally like four boxes: three currency boxes and one dispenser box.
The one, the reject box, that's a little special one that you don't know about. It's when it gives out, when it's still counting to make sure you got the right amount of bills; if it feels like it isn't right, it can just go to the reject box. Or if someone forgets to take their money for a long time, it goes back into the reject box. So it's a little bit of extra space, like a buffer. But when you're doing pen testing, you get this gotcha moment of: it's just a normal PC inside. There's nothing really special, nothing magical about ATMs.

So jumping into the hardware side, you will see it's just a normal one, this PC running there. I've been lucky enough to be doing it when it was the Windows CE, the compact edition, there. So I've actually been lucky enough to be running only Windows x86 software on my ATM engagements. But as you can see, it's just a normal small form factor drive. You have a power-to-USB expansion board for the cash dispenser, general pins in and out, easy to connect things to it. There's nothing really magical to it. Maybe some younger people, younger than 40 years old, don't know that right there in the corner is a DVD box with CDs. So yeah, there are some flaws with this. Normally you know the basics. So we need to think like pen testers when looking into ATM engagements.

I mean, the easiest part is physical access, right? So let's look at that. If you go to the bottom part, I mean, that's been around; building safes has been around almost longer than the ATM itself. So normally the ATM safe part is really fixed, it's actually good code locks. It takes time, but of course you can use power tools to drill through them to make it easy for you to get into it. But it's quite noisy; you don't do it in a mall with other people around. I mean, it's not really the good part. So for a pentesting gig you normally go for the physical security part, because that security is not so good. You can see the locking mechanism is more like your normal padlock at the gym. It's just a few pins. If you go to the lockpicking village here at B-Sides, you will see that it doesn't take too much time to get open a three-pin lock, even if you sit blindly and just sit jumping on it. There is a reason for this, because, think about it, people need to be able to go in and change receipts and have easy access to it. So sometimes, even when the one who changes the receipts has forgotten his keys, or the maintenance person, sometimes even they themselves break the locks so they don't have to remember the keys when they go on the service round. So it's sometimes so silly. And if lockpicking is not your skill, maybe you like Alibaba or eBay: just buy the key for the vendor, sometimes they will have it. And if you're really lucky, you will have the safe vault key; that's a little bit longer, you can identify it. So the one to the right, to the left of me, you can see that sometimes, if you're lucky, that will be inside the top part as well. Or if you want to practice in private, you can even buy the ATMs from malls and stuff. So you can sit at home, build your payloads. You can train, do software
running. So there are many ways to do it. And let's study on here. So what can you see when you open this? You'll probably quite easily get to this part. You can see the top half of it. You will start seeing the PC and you will see all the hardware in there. So here you have the most common weakness, actually... You're thinking, "Oh, I got this open, but then I just connect the PC to the cash dispenser and just print," right? No. That's actually... Normally, the only thing they're quite commonly good at is having the mutual authentication between the cash dispenser and the PC. That's why you often need to get into the PC part to get your payload working from there, because then you have the authentication already between the cash dispenser and the PC. The rest of the parts, I mean, you can often man-in-the-middle, like the card reader, the receipt printer, network; everything else normally doesn't have any kind of mutual authentication. So there's actually quite a lack of it inside an ATM when you're doing this. And you will also have a lot of room to hide your Raspberry Pi or even a laptop in there, sending out signals, connecting into networks. So there's a lot of room inside of it. And for the system part, I mean, here it's just a normal Windows XP, or normally nowadays maybe Windows 10 or 11. Normally, they're quite a bit older than the ones running inside the banks.

So what you can see is, some vendors do it really well. Some banks do it really well, with having all this application whitelisting. They lock down the BIOS. They have AppLocker, everything installed. So it makes a really good layer-on-layer security on them. But some vendors do take shortcuts. So maybe they lock down the BIOS, and maybe they put up AppLocker and some kind of antivirus, but then they don't do disk encryption. So what's happening is you just take out the disk and, "Oh, I don't need this antivirus, and I will modify this AppLocker," so quite easily you will get access to it. And I would say from my experience maybe 40% of all engagements, they actually don't encrypt the disks. So I don't know why they are so bad at encrypting it, because it makes a lot of the next security steps lots and lots more difficult.

Then what else? Let's jump to the network part. So inside, even if you pick up the top part, normally, or behind the vault in the bottom part, you will have your network stuff stored. So what you can see is, normally the vendors here don't use, I would say, commercial-grade equipment here; like home-brew routers and maybe easier D-Link stuff. So you can often see just cables hanging around. Maybe it's too hot inside, so they actually forgot to lock it, just to have some good ventilation. So it's often quite easy to get access to the TP cables or everything inside of it. And what you will see actually quite often is that when you implement this, you think that if everything from the ATM to the router is secured, it's encrypted. No. A lot of people don't even encrypt it. So you have the tamper protection from the general pins in and out sending out, "Oh, the case is open." But if you're man-in-the-middling the traffic, it's quite easy: just plug in there and drop all packets regarding tamper protections. So you first start listening and then you go in and, like, "Oh, let's stop that." So it's quite easy. But actually most banks are quite good at this: when you go from the router back to the bank, you don't reach any other ATMs. So it's quite often isolated between the ATMs. But between the ATM and the router, it's often quite not encrypted. So there are a lot of things you can do there.

Looking at the traffic between the ATM and the bank, you can often see the transfers going there. I don't expect you to be able to see and read everything here, but it's normally the receipt. You will see quite exactly what you get as the receipt from the ATM. It's like, "Oh, you took out $40." They'd be nice to wildcard your credit card number so you can see it. But if you see the traffic dump, you'll see that the credit card actually goes with full numbers, with everything in the packet. So it's just for the receipt that they actually mask what gets printed out. And sometimes even you can see these numbers below; if you start analyzing it, you will see, oh, this $40 is actually four bills from the deposit two or the deposit three box. So you can start modifying that. And if it's sometimes poorly implemented, it's just enough to just up the number and you can get five bills from that box instead. That will be $40, but actually it will be much, much more. So that's another common vulnerability within this, from the network side. So what else do we have here? Well, some of the vulnerabilities are so unimaginable that you think
that some of it should be so much better. Like, the normal banks have such good protections against attacks, but it feels like it's a different vendor putting out, taking care of the ATMs, and they don't always follow the best practice. Most vendors know about these vulnerabilities, and they actually give a really good best-practice implementation guide, but it's up to every bank, or everyone they give the mission to, to actually implement the best practice, and you know that not everyone is following it by heart. So when someone who builds it is like, "You're not encrypting the disk," or "This goes unencrypted," you need to document this, because they will not believe you otherwise when you start reporting what you're actually seeing. So, I don't know. Kind of true.

So now you're wondering: going for the excavator or going for the hack? I mean, it's up to you guys. But looking at actually taking this all together, I had a previous read on an investigation into two ATM hacks in Sweden just a few years ago. And it was two Russians that were on vacation, allegedly, in Sweden, that were tapped with taking out a little bit more money than they had on their account. So they managed to take out $75,000 from the ATM. They were doing a heist on two ATMs, and they managed to get out $75,000. If it had been full, they would actually have been able to get out $300,000 from two ATMs. But that's the hard part: you never know how much is in it if you don't document. So what did they use? Now we are experts in this, right? So... They just used normal chisels, woodworking tools, a pair of gloves, of course they had crowbars, I mean, they are doing suspicious things. And also some metal chair. So when the police got there... and in Sweden we mostly have them inside of malls, like in the walls; we don't have them so much as standalone in the malls like other countries do. But the same modus operandi for this heist. You see, very thin metal on top. So they studied well. They just pried it open, got into the connection. And from there, they were able to just connect to the cash dispenser with USB directly.

But wait, that's the thing you said was good. Well, actually, these guys did know that this series of ATMs didn't even have, they were lacking, mutual authentication between the cash dispenser and the PC. So they actually just opened it up, used a USB extension cable, connected it to the laptop, and they had a vendor diagnostics tool, so they could actually install it and just run the test run. So I wonder what happened there, what they had for insight. Regarding this, you could also see in the police logs that they had someone running TeamViewer, so they had maybe a third party that was maybe a bit more expensive and had this kind of software. Because you can see they just installed the vendor software on the laptop and started running it. So, this guy was tapped on the way out from Sweden. They had what he said he'd just forgotten in his bag, this extension cable, like you always have when you travel abroad.
He said he forgot it there. And like I said, they could actually have gotten a lot more money out of it; they could have gotten almost four times as much. So it's quite cheap when you're seeing what you needed to do this. So this was actually a picture found on his phone when it was sent home. And for people following Game of Thrones: actually in the investigation they're talking about, "What are we doing in Västerås?", which is a Swedish city, and they would say, "No, we're going to check out Westeros from Game of Thrones." So they were actually just using the synonym between the names, saying that that's why they were there. So what do you think? How could this be possible, that they had this inside information regarding the lack of authentication and had the diagnostic software as well? I would love to have that if someone of you is working at the table next to us. So thank you. And I just want to shout out: thank you for hosting me as well, B-Sides, and to my great mentor here, Jonathan Fisher, for helping me along to get this up, and the sponsors. So, any questions?

I know you didn't name any brands, but have you done Triton, Hyosung, NCR, and been able to compromise them?

Yes. So, sorry, just going through them. So yes, I've been at all of these brands, and from the attacking side it doesn't really matter; it's the same kind of vulnerabilities in all of them. So it's not like NCR has another common set of vulnerabilities than Diebold or Nixdorf or Hitachi. Sorry for scrolling.

So you mentioned that some of these ATMs do full-disk encryption, or I guess... Yeah. Yeah, so... Where do you store the key? Because if you put it on a hardware device, then somebody compromises the hardware and they have the key. If you have it entered by staff, then every time there's a power outage, maintenance has to come and service it. So where's the key?

I mean, you have normal encryption. You don't need it without the pre-boot PIN. So I mean, that's a little bit how the vendor will put it up. So of course there will always be an issue with the encryption if you can't store it. But I'm not really sure about the different ways to set up the encryption here. More about the problem when you don't have any. Good question. Next one.

I'm curious where the cash is stored. Like, you know, I'm sure that different brands or different banks have them stored somewhere separately. And you didn't go into too much detail about that. So I'm curious.

Let's see. You see here, you see below here, you have the three boxes below. There's the cash. And when storing the cash, for the ATM, it doesn't know which kind of value it is in the back. So it's only the amount of bills in the box. So it's like 200, what do you say? I think it's around 2000 bills in each box. Yeah, so it's 2000 bills in each box of these three boxes. And that's why in the network traffic, it only counts four bills from that box. So it's not smart enough to know the currency of each one, but they're all stored in the boxes. So it's easy when you open the vault to change them out. I don't know if that answered your question.

I'm just thinking, why haven't we created a system where the cash is, like, filtered far away or something, you know, not just right up front, right there?

Yeah. And it helps. I have to think about if there is a network connection; if they lost connectivity, they also need to be able to take out cash. And it's normal, like here it would be a mall, so different parts of it are not so easy to service and put in. But maybe that's something for crypto or so. Yeah. Some other questions?
Well, if we have no further questions. Thank you.