Planning to rob a Windows ATM? Ditch the sledgehammer and bring a USB STICK

Cash machines have been emptied using USB sticks in a series of real world attacks that hark back to exploits first demonstrated by security researcher Barnaby Jack three years ago. Cybercrooks have created a strain of malware that creates a backdoor on compromised ATMs using a bootable USB stick. The crooks cut a hole into …

COMMENTS

This topic is closed for new posts.
  1. Valeyard

    inside job

    quite clearly been working with someone closely associated with the software

    Also the physical positioning of the PC case relative to the monitor may be specific to that bank. I know the one where I worked had them facing away from the user, and even between branches the PC might be in different positions depending on the size of the cabinet it's in (i.e. internal or external machine), but it sounds like they're drilling very precisely toward the USB area? (As I heard they were covering the holes to re-use the same infected machine again later.)

    1. Solmyr ibn Wali Barad

      Re: inside job

      Braindead design. 15 years ago, PC boards were locked away in the cash safe, as they should be. Who the bleep did let them out?

      1. Valeyard

        Re: inside job

        They were still in the cash safe 4 years ago when I worked at Barclays.

        1. Solmyr ibn Wali Barad

          Re: inside job

          Good to know. So it might be a defect in one specific ATM design, where USB ports are too easily accessible.

          But of course it will be portrayed as a worldwide problem with ATM technology as such, run by the people with no clue whatsoever. Bloody sensationalism.

  2. Micky 1

    I thought the days where this was possible were long gone

    "Easy Money"

    John Conner 1991

    1. Anonymous Coward

      Re: I thought the days where this was possible were long gone

      Err... Terminator 2 wasn't a documentary.

      1. Destroy All Monsters Silver badge

        Signature striked!

        > Terminator 2 wasn't a documentary.

        Well, that "time machine" business was a bit far out but those hunter-killer drones were spot on.

      2. VinceH

        Re: I thought the days where this was possible were long gone

        "Err... Terminator 2 wasn't a documentary."

        Crazy talk!

    2. Chozo

      Re: I thought the days where this was possible were long gone

      Afraid not, there's still very much a culture of denial amongst the business community when it comes to cybercrime. Many cling to the myth that hackers are few and far between, with a strong aversion to sunlight, seldom venturing from their darkened lairs.

      1. Anonymous Coward

        Re: I thought the days where this was possible were long gone

        Having worked for FTSE100 financial companies for 14 odd years, I can assure you that IT security is taken very seriously indeed and none of the companies I worked for thought that hackers were synonymous with cellar dwellers.

        1. Anonymous Coward

          Re: I thought the days where this was possible were long gone

          > Having worked for FTSE100 financial companies for 14 odd years, I can assure you that IT security is taken very seriously indeed and none of the companies I worked for thought that hackers were synonymous with cellar dwellers.

          You forgot the joke icon.

          A large bank that I worked at not so long ago, had unsecured wireless routers on the main network in their London office. This was to appease management, who didn't want the "inconvenience" of security when using their laptops. Once you were on the main network, you could go anywhere (the trading servers in New York for example).

          1. Anonymous Coward

            Re: I thought the days where this was possible were long gone

            A large financial services company I worked for had unsecured WiFi for management. However, that WiFi was on separate connections, not connected to the internal networks in any way (ADSL, to an ISP), and the users had to use a VPN to get at their email/files etc. This is not an arrangement I would have a problem with.

            Were a bank to really be running unsecured WiFi into their production networks, various regulatory bodies would come down on them like a ton of bricks. For this reason alone, I suspect you don't have the full story.

            1. Anonymous Coward

              Re: I thought the days where this was possible were long gone

              > Were a bank to really be running unsecured WiFi into their production networks, various regulatory bodies would come down on them like a ton of bricks. For this reason alone, I suspect you don't have the full story.

              I was on site at the bank since we wrote some of their trading software. I was able to log into their unsecured wireless routers and SSH into Solaris servers running their production trading platform in New York. The regulatory bodies are unlikely to find out, and even if they did, they would do bugger all.

              Here's another example of how messed up this particular bank was. They had outsourced all routine IT operations to a German firm, who then sub-contracted an Indian one. The turnaround for a password reset was ten working days, and cost several hundred pounds (everything was chargeable and that was the minimum cost for doing anything). As a result, a domain controller that one of the visiting Indian techies forgot to log out of was surreptitiously used for resetting passwords by the regular IT staff. To make this clear: a machine with access to the domain controller, with the screen lock disabled, and just the monitor switched off when not in use.

  3. Anonymous Coward

    Convenience over security

    Yet another example of manufacturers leaving a handy little back door in there, just in case they might want to run some diagnostics or do an update.

    Just like the other story about wireless routers. And no doubt shedloads of other systems we don't know about yet because hackers haven't got round to them.

  4. JohnG

    "PLANNING TO ROB A WINDOWS ATM? DITCH THE SLEDGEHAMMER..."

    A sledgehammer isn't going to get you anywhere - according to several news reports, the tool for the job is a JCB from a nearby building site.

    1. Roland6 Silver badge

      Re: "PLANNING TO ROB A WINDOWS ATM? DITCH THE SLEDGEHAMMER..."

      JCBs aren't much good these days either. My local ATM was recently unsuccessfully 'attacked' by a JCB. Whilst the ATM survived, the building didn't, and hence our nearest ATM is now nearly 4 miles away...

    2. Phil O'Sophical Silver badge

      Re: "PLANNING TO ROB A WINDOWS ATM? DITCH THE SLEDGEHAMMER..."

      Round here they just fill the ATM box with butane, and throw in a spark.

  5. Trooper_ID

    Another example of the demise of the old fashioned bank jobs is the rise in the new fangled ATM jobs.

  6. Anonymous Coward

    the late lamented Barnaby Jack

    The one who died of an 'overdose' ?

  7. Jason Bloomberg Silver badge

    Disbelief

    "the attack vector - booting from an infected USB stick - will have many security veterans rolling their eyes in disbelief that the targeted bank hadn't already mitigated the threat"

    But to be fair; an ATM is not simply a PC accessible to anyone and everyone. It seems the real problem is not lack of mitigation but that what mitigation efforts there were proved ineffective. Having a plastic chassis which could be drilled through rather than a decent steel enclosure looks to be a fundamental failing. There were a lot more failings here than not disabling booting from USB.

    1. Destroy All Monsters Silver badge

      Re: Disbelief

      > But to be fair; an ATM is not simply a PC accessible to anyone and everyone.

      "They do not think it be like this, comrade. But is."

    2. Anonymous Coward

      Re: Disbelief

      Oh yes they are. Or at least the ones used by First Union (in Atlanta) used to be. I can't tell you how many times I got to tell a teller at the counter that the ATM in the front wall was bluescreened.

    3. John Tserkezis

      Re: Disbelief

      "But to be fair; an ATM is not simply a PC accessible to anyone and everyone."

      Ah, but it is. Perhaps not intentionally, but it is.

      Seen a generic ATM at a pub some time back that had a Windows NT style dialog box complaining that the date entered was not valid (it was).

      This tells me that they're using a commonly available operating system, and putting a dress on it, so it looks like an appliance. There's nothing wrong with that per se, except that if you're making an appliance, you had better make sure it *REALLY* does behave like an appliance. It also tells me if they can't at least get the dress right, they won't get the important factors like security right either.

      I remember back in the day that NetWare 3 had just added a bunch of changes relating to protecting against hacking via the network cable. They went out of their way to say the server itself had to be physically secured at all cost. If you had physical access to the server, you owned it. No security, no software, nothing at all will save you if you leave that avenue open.

      It appears the ATM designers haven't learned that lesson yet, and sadly, from the looks of things, they've got a while to go.

      1. Solmyr ibn Wali Barad

        Re: Disbelief

        "It appears the ATM designers haven't learned that lesson yet"

        No, it seems somebody has managed to unlearn that lesson. In the last millennium, at least 4 large ATM vendors did it quite reasonably: sensitive bits were at the bottom of the cash safe. Admittedly, USB was not used back then; I/O devices were connected via a weird assortment of buses.

  8. DrXym

    A simple countermeasure

    Snip the USB port off or fill it liberally with epoxy resin. And don't make ATMs with USB ports in future or at least adequately protect them so they won't boot from untrusted USB sticks, e.g. use modified firmware to only accept certain sticks based on some security criteria.

    As an aside I used to write set top box code and most STBs have a serial out somewhere on the motherboard. The production boards would have the pins snipped, but we would still put a very strong password prompt (randomly generated, not even written down) on the serial port so even if someone soldered pins they wouldn't get in. The only supported way to access the box was a port knock which opened ssh. The ssh was ssl cert protected and even the port knock had to be accompanied by a PGP signed message. And that was just for a box which did cable TV. I would think the incentive to protect cash machines would be even higher - individual authentication keys for machines and so forth.

    1. JamieL

      Re: A simple countermeasure

      But perhaps different motivations to protect the devices: in the cable industry if hackers "steal" free movies or TV channels then it's the company's own money being lost. However it seems that banks don't seem to worry about losing "our" money in the same way...

      1. DrXym

        Re: A simple countermeasure

        "But perhaps different motivations to protect the devices: in the cable industry if hackers "steal" free movies or TV channels then it's the company's own money being lost. "

        Not just stealing content. The set top box was subsidized with the presumption that the cable provider would recoup their investment. Having people hacking the box wasn't good for them and they were contractually obliged to do everything they could to protect the content too.

        "However it seems that banks don't seem to worry about losing "our" money in the same way..."

        This attack appears to allow the criminal to punch in a code to the machine and it will just dispense money. So it's the bank's money, and even if it was stealing customer money, most consumer protection would still leave the bank on the hook. Which is all the more reason they should take security that little bit more seriously.

    2. Christian Berger

      Re: A simple countermeasure

      Well, first of all, we are talking about ATMs; they need USB, otherwise we would need to connect all the peripherals with serial ports again, which is just crazy talk. ;)

      Then with the cable box, securing it was the wrong thing to do since you are securing it against the wrong attacker. If I buy such a box I have the right to fully access it in any way. So the serial port should have been open.

      However the network access is something the user doesn't benefit from. Instead of port knocking it should have been enabled by a hardware switch on the device. Otherwise attackers who manage to get the crypto keys have access.

    3. Roland6 Silver badge

      Re: A simple countermeasure

      Suspect the USB port was left boot enabled for maintenance purposes. Suspect also that an assumption was that the ATM would reside in a 'secure' container within a secure location, hence only someone with a 'key' would have physical access. However, at some stage someone obviously trying to save cost thought that a plastic enclosure was secure without doing any in-depth risk assessment...

  9. Pascal Monett Silver badge

    "Anyone with an understanding of CEN/XFS, or the time to peruse the online manuals"

    Time to add another key to the NSA red flag database.

    Oh, right. Silly me. The NSA is not interested in dangers to the people, just in dangers to the people in power.

    1. Charles Manning

      NSA has got beyond that

      It is no longer there to protect the people.

      It is no longer there to protect the people in power.

      It is now there to protect itself.

      Without proper oversight these secretive 3-letter agencies soon become paranoid about the outside world. Everyone else is the enemy and they end up spending vast amounts of their resources protecting themselves.

  10. taxman

    BBC 30th Dec

    reckons it's a European bank, with details of hack process

    http://www.bbc.co.uk/news/technology-25550512

  11. J.G.Harston Silver badge

    What puzzles me is the disinterest the bank staff showed in some random stranger wandering in and taking a Black'n'Decker to the back of the ATM. All the ATMs I have encountered are secured-by-location, i.e. its physical location prevents you getting to anything other than the publicly-facing keypad.

  12. This post has been deleted by its author

  13. phuzz Silver badge

    "Disable boot from USB"

    The ATM manufacturers could disable booting from USB, but some manufacturer will surely just disable USB booting in the BIOS, and then add a BIOS password of 1111, so that the attacker will have to go to the extraordinary lengths of plugging in a USB keyboard first.

    On the other hand, if they have accessible USB ports on ATMs, then homeless people will have somewhere to charge up their phones.

  14. Anonymous Coward

    Bad design

    If the ATM's computer is accessible, there are any number of possible attacks. There's got to be a wire from the computer to the secured cash box, to tell it to dispense cash. Anyone want to bet on whether these ATMs with unprotected computers use some unencrypted signals over this wire that would be easily reverse engineered?

  15. Charlie van Becelaere

    This is what the banking industry sowed

    when they decided to switch away from OS/2. It's quite unlikely that there would have been a boot from USB option there.

  16. itscoldhere

    People actually use Windows as the O/S on an ATM? Dear God...

  17. Anonymous Coward

    IT security? Ha!

    In my last job I had the 'pleasure' of visiting the datacentre of a large banking institution to do some noddy system updates on a SUSE Enterprise Linux server. The root password, the MySQL root password and the main admin user passwords were all the same as on my last visit more than a year previous, and were still the *same* 12 character 'complex' password. So maybe banks don't take IT security as seriously as their procedures say they have to. Oh, bypass the hardware firewall/proxy? Sure (patch, patch...)

    With regard to this case - wouldn't you have to make the ATM reboot in order to boot from the USB stick in the first place? I find it just as shocking that another tech news article mentions a .BAT file on the offending stick - so are we to assume the machine's OS also didn't have Autoplay disabled?

    1. DropBear

      Re: IT security? Ha!

      Re: reboot - maybe they just plugged the stick in through a hub - the other peripheral being a USB keyboard with all of three keys: "ctrl", "alt" and "del"...

    2. Joe Montana

      Re: IT security? Ha!

      Regularly changing the password can often be detrimental...

      Chances are the root password for SUSE and MySQL cannot be directly used externally. SSH is likely configured to disallow root logons and MySQL is often configured not to allow remote connections, making the root password only useful if you have physical access to the console or access to an unprivileged account that is able to run 'su'...

      Similarly, if using modern hashing, it's unlikely a 12 character password will be cracked unless it's dictionary based, and that's assuming you can get a copy of the hashes. If you can get the hashes you usually already have root, but people reuse passwords across multiple systems and hashes can sometimes be lifted from backups or installation images.

      If your password is complex and rarely changed, people who need it can remember it...

      If your password has to be changed regularly, then people are unlikely to keep remembering new random passwords; instead they will cheat, either using simplistic passwords (dictionary words, formulaic and predictable passwords etc.) or writing their passwords down. Most companies require users to change their passwords monthly, and huge numbers of those users use a dictionary word as their password with a number on the end that either relates to the month/year in which the password was set, or simply increments with each change.

      Personally I never change the root passwords on my servers either. To use them you need physical access; all remote access is via SSH with keys.

  18. pacman7de

    Programmable ATMs ..

    I recall reading an article where activating an ATM required a visit from two operatives, and required them to enter a unique key from a hand-held device. The ATMs didn't run on Windows and weren't connected to the Internet. The article was in relation to 'phantom withdrawals', as in the criminals had managed to infiltrate the PIN generating facility and programmed the machine to produce only three unique PINs for all cards issued. At the other end, once they managed to acquire cloned cards, it only took three goes to withdraw money.

  19. Astarte

    Wouldn't it be nice ...

    ... if some philanthropic hacker left something really useful on ATMs. I'm thinking something like an entry code to make the terminal play Pong, Space Invaders or Rocket Raid to pass away a few minutes now and then while waiting for a bus/train/taxi etc. For a bonus win it could credit the score in the currency of your choice to an account of your choice.

    1. Solmyr ibn Wali Barad

      Re: Wouldn't it be nice ...

      Technically possible. Most ATMs should have fully compatible PC and VGA level graphics.

      Years ago, there was a hilarious magazine cover shot - Doom running on the ATM. No online version, though.

  20. Hans 1

    Boot from USB?

    All you need is a specifically crafted image on the USB dongle, then the server is yours. Boot from USB is disabled in the BIOS? Enable it, that is the easy part.

    Writing the software to spit out cash is the hard bit, because you actually need to know what exact software is running and how to 0wn it ....

  21. pacmantoo

    ATM = machine = breaks down

    Changing the focus: how many people have had similar experience of the ATM actually robbing you? On hols last summer in the UK, I used an external ATM from a publicly subsidised bank, only to have a receipt and no cash! Went in to complain, only to see a bank employee had the back off its twin and was loading notes into the hopper. Told that I would have to complain to my own bank, who investigated, and we were told that there was no error with the machine. £50 down.

    The lesson - don't try to withdraw more than you are willing to lose!
