ATM Compromise with or without Whitelisting

Agenda

1. whoami
2. Application Whitelisting
3. Threat - ATM Jackpotting malware
4. Software mitigations have improved but we still see weaknesses
5. Recommendations

23/06/15 © FortConsult

whoami

Alexandru Gherman
Head of Research | Principal Security Consultant
FortConsult Denmark | NCC Group
Reverse engineering * Firmware * UEFI * Finding Bugs * Malware analysis

@alexgherman

23/06/15 © NCC Group

What we do @FortConsult

- Reverse engineering
- Penetration Testing
- ATM security testing (Physical and Software attacks)
- Security assessments
- Audits * Source Code Review * Static and dynamic analysis
- Hardware security testing - ATM controllers, CCTV, Bluetooth, Smart TV, Physical Security and other smart devices
- Malware analysis
- Threat analysis and research * Incident Response * Forensics

Application Whitelisting

- Appropriate for ATM devices
- It blocks each load/execute attempt (hooks into Windows APIs such as LoadLibrary, WinExec, CreateProcess)
- Unique way to secure against unauthorized software
- Reduces the risk but does not make the solution infallible to buffer overflow type of attacks

However there is still a risk

Only one of these has to be vulnerable … so that a system could be compromised!
Why? Still buffer overflows and other development errors…

Still vulnerable on the network

Tyupkin Malware – Backdoor.MSIL.Tyupkin

- What is Tyupkin?
- Stage 1
  - Physical access to the ATM
  - Insert bootable CD
  - Once the ATM is rebooted the infected ATM is under control
- Stage 2
  - Infinite loop waiting for a command
  - Only accepts commands at specific times

Bypassing Whitelisting can lead to jackpotting

- FortConsult performed a lot of research and developed its own XFS-compliant code
- Although we worked with ATM emulated environments, what we developed seems to work on any XFS-compliant ATM!
- Administrative privilege is not necessarily required to jackpot
- Let us try it with your setup? :)

All this can happen while offline and without network connectivity!
Without being monitored…

On a priority scale, you don't need 0-day detection, you need compromise detection first. Knowing how you were compromised is less important than knowing that you were.

The path to the risk

- In every application there are design/development errors
- It takes only “whitelisted” vulnerable applications and other underlying components to compromise a system
- “Buffer overflow detections” don’t always work as advertised
- Exploitation
  - Develop exploit
  - Control EIP
  - Gain arbitrary code execution

Unlike Tyupkin’s physical access, we used a buffer overflow in a whitelisted application!
An attacker would always look for a door that allows a bypass!

Software Development

- Software mitigations introduced in Windows Vista/7/8 are good, but they are not invincible

ASLR in Windows!

Demo time!

Recommendations?

Probably not uninstall/disable. It’s still one of the only options, if not the best, right now!

- Thorough application inventory review of all the applications installed on the ATM
  - Internet Explorer
  - Java/Flash Runtime engines
  - Image renderers, Virtual Browsers
  - Communications and message parsers
- ATM security test (Blackbox/Greybox)
  - Physical attacks
  - Network attacks
  - Application attacks
- Source Code review of the custom applications installed

Recommendations?

- Build a Lockdown Suite of Security Controls formed out of a combination of:
  - Windows Security Features (through use of ASLR, DEP, Stack Canaries)
  - Disk Encryption
  - Whitelisting
  - And other security controls which we usually see unleveraged!
- We can help you here!

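The two recommendation slides above ask for an application inventory review and for the Windows mitigations (ASLR, DEP, stack canaries) to actually be leveraged. As an added example, not code from the deck or from FortConsult/NCC Group, the Python script below reads a PE binary's headers and reports which of those mitigations the build opted into, so an inventory review can flag whitelisted binaries compiled without them. The flag bits and field offsets come from the PE/COFF format; the sample images it audits are constructed inline.

```python
"""Audit a PE binary's compile-time exploit mitigations (ASLR, DEP, CFG, /GS).

Added example for an application inventory review; it reads only the PE
headers and never executes the binary. Sample inputs are constructed below.
"""
import struct

# IMAGE_DLLCHARACTERISTICS_* flag bits from the PE/COFF specification
DLL_FLAGS = {
    "HIGH_ENTROPY_VA": 0x0020,   # 64-bit ASLR with high-entropy addresses
    "DYNAMIC_BASE": 0x0040,      # image may be relocated: ASLR opt-in
    "NX_COMPAT": 0x0100,         # DEP / NX compatible
    "GUARD_CF": 0x4000,          # Control Flow Guard
}
LOAD_CONFIG_DIR = 10  # index of IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG


def _u16(b, o): return struct.unpack_from("<H", b, o)[0]
def _u32(b, o): return struct.unpack_from("<I", b, o)[0]


def rva_to_offset(sections, rva):
    """Map an RVA to a file offset via the section table (None if unmapped)."""
    for va, vsize, raw_ptr, raw_size in sections:
        if va <= rva < va + max(vsize, raw_size):
            return raw_ptr + (rva - va)
    return None


def audit_pe(data):
    """Return {mitigation name: bool} for the PE image held in `data`."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file (missing MZ header)")
    pe = _u32(data, 0x3C)                      # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = pe + 4
    n_sections = _u16(data, coff + 2)
    opt_size = _u16(data, coff + 16)
    opt = coff + 20                            # optional header start
    magic = _u16(data, opt)
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    is64 = magic == 0x20B
    dll_chars = _u16(data, opt + 70)           # same offset for PE32 and PE32+
    result = {name: bool(dll_chars & bit) for name, bit in DLL_FLAGS.items()}

    # Section table follows the optional header; needed to resolve RVAs
    sec_hdr = opt + opt_size
    sections = []
    for i in range(n_sections):
        s = sec_hdr + 40 * i
        sections.append((_u32(data, s + 12), _u32(data, s + 8),
                         _u32(data, s + 20), _u32(data, s + 16)))

    # /GS stack cookie: non-zero SecurityCookie in IMAGE_LOAD_CONFIG_DIRECTORY
    result["STACK_COOKIE"] = False
    n_dirs = _u32(data, opt + (108 if is64 else 92))
    dir_base = opt + (112 if is64 else 96)
    if n_dirs > LOAD_CONFIG_DIR:
        lc_rva = _u32(data, dir_base + 8 * LOAD_CONFIG_DIR)
        lc_off = rva_to_offset(sections, lc_rva) if lc_rva else None
        cookie_off = 0x40 if is64 else 0x3C    # SecurityCookie field offset
        if lc_off is not None and lc_off + cookie_off + 8 <= len(data):
            fmt = "<Q" if is64 else "<I"
            cookie = struct.unpack_from(fmt, data, lc_off + cookie_off)[0]
            result["STACK_COOKIE"] = cookie != 0
    return result


def build_sample_pe(dll_chars, cookie):
    """Construct a minimal PE32+ image with one section (test input only)."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)      # e_lfanew = 0x40
    opt_size = 112 + 16 * 8                                   # PE32+, 16 dirs
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, opt_size, 0x22)
    raw_ptr, sect_rva = 0x200, 0x1000
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B)                     # PE32+ magic
    struct.pack_into("<H", opt, 70, dll_chars)                # DllCharacteristics
    struct.pack_into("<I", opt, 108, 16)                      # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 112 + 8 * LOAD_CONFIG_DIR, sect_rva, 0x100)
    sect = struct.pack("<8sIIII", b".rdata", 0x100, sect_rva, 0x100, raw_ptr)
    sect += b"\0" * 16                                        # rest of header
    load_cfg = bytearray(0x100)
    struct.pack_into("<Q", load_cfg, 0x40, cookie)            # SecurityCookie
    image = dos + b"PE\0\0" + coff + bytes(opt) + sect
    return image + b"\0" * (raw_ptr - len(image)) + bytes(load_cfg)


if __name__ == "__main__":
    for label, img in (("hardened", build_sample_pe(0x4160, 0x140005000)),
                       ("legacy", build_sample_pe(0x0000, 0))):
        print(label, audit_pe(img))
```

Run `audit_pe(open(path, "rb").read())` over every executable and DLL on the inventory; a whitelisted binary that reports False for DYNAMIC_BASE or NX_COMPAT is one the OS mitigations cannot protect.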
Europe: Manchester (Head Office), Amsterdam, Cheltenham, Copenhagen, Edinburgh, Leatherhead, London, Luxembourg, Milton Keynes, Munich, Zurich, Sweden, Vilnius, Portugal
North America: Atlanta, Austin, Chicago, New York, San Francisco, Seattle, Sunnyvale
Australia: Sydney
Russia: Moscow

A very special thank you to the expert team at KAL ATM Software; they are one of the only companies worldwide who support advanced testing and research.

More Related Content

What's hot

CONFidence 2014: Yaniv Miron: ATMs – We kick their ass
CONFidence 2014: Yaniv Miron: ATMs – We kick their assCONFidence 2014: Yaniv Miron: ATMs – We kick their ass
CONFidence 2014: Yaniv Miron: ATMs – We kick their assPROIDEA
 
Disabling Ports 135 and 445 to protect the Road Warrior
Disabling Ports 135 and 445 to protect the Road WarriorDisabling Ports 135 and 445 to protect the Road Warrior
Disabling Ports 135 and 445 to protect the Road WarriorDavid Sweigert
 
EuskalHack 2017 - Secure initialization of TEEs: when secure boot falls short
EuskalHack 2017 - Secure initialization of TEEs: when secure boot falls shortEuskalHack 2017 - Secure initialization of TEEs: when secure boot falls short
EuskalHack 2017 - Secure initialization of TEEs: when secure boot falls shortCristofaro Mune
 
Tek systems it guidelines
Tek systems it  guidelinesTek systems it  guidelines
Tek systems it guidelinesviplavsarkar
 
Fingerprint & GSM based ATM Access Security System
Fingerprint & GSM based ATM Access Security SystemFingerprint & GSM based ATM Access Security System
Fingerprint & GSM based ATM Access Security SystemOmer Faroug Hassan
 
Secure Real Time Embedded System For ATM Using Web Server
Secure Real Time Embedded System For ATM Using Web ServerSecure Real Time Embedded System For ATM Using Web Server
Secure Real Time Embedded System For ATM Using Web Serverijcite
 
Tek systems it guidelines - animation
Tek systems it  guidelines - animationTek systems it  guidelines - animation
Tek systems it guidelines - animationviplavsarkar
 
Comelit 8513IM Data Sheet
Comelit 8513IM Data SheetComelit 8513IM Data Sheet
Comelit 8513IM Data SheetJMAC Supply
 
CCTV UAE, DVR CCTV Camera, IP Camera UAE
CCTV UAE, DVR CCTV Camera, IP Camera UAECCTV UAE, DVR CCTV Camera, IP Camera UAE
CCTV UAE, DVR CCTV Camera, IP Camera UAEsecuritysytem
 
Mender.io | Securing the Connected Car
Mender.io | Securing the Connected CarMender.io | Securing the Connected Car
Mender.io | Securing the Connected CarMender.io
 

What's hot (17)

CONFidence 2014: Yaniv Miron: ATMs – We kick their ass
CONFidence 2014: Yaniv Miron: ATMs – We kick their assCONFidence 2014: Yaniv Miron: ATMs – We kick their ass
CONFidence 2014: Yaniv Miron: ATMs – We kick their ass
 
Neo900: Crafting The Private Phone
Neo900: Crafting The Private PhoneNeo900: Crafting The Private Phone
Neo900: Crafting The Private Phone
 
Disabling Ports 135 and 445 to protect the Road Warrior
Disabling Ports 135 and 445 to protect the Road WarriorDisabling Ports 135 and 445 to protect the Road Warrior
Disabling Ports 135 and 445 to protect the Road Warrior
 
Remote control
Remote controlRemote control
Remote control
 
EuskalHack 2017 - Secure initialization of TEEs: when secure boot falls short
EuskalHack 2017 - Secure initialization of TEEs: when secure boot falls shortEuskalHack 2017 - Secure initialization of TEEs: when secure boot falls short
EuskalHack 2017 - Secure initialization of TEEs: when secure boot falls short
 
Tek systems it guidelines
Tek systems it  guidelinesTek systems it  guidelines
Tek systems it guidelines
 
Fingerprint & GSM based ATM Access Security System
Fingerprint & GSM based ATM Access Security SystemFingerprint & GSM based ATM Access Security System
Fingerprint & GSM based ATM Access Security System
 
Secure Real Time Embedded System For ATM Using Web Server
Secure Real Time Embedded System For ATM Using Web ServerSecure Real Time Embedded System For ATM Using Web Server
Secure Real Time Embedded System For ATM Using Web Server
 
Hta t17
Hta t17Hta t17
Hta t17
 
Tek systems it guidelines - animation
Tek systems it  guidelines - animationTek systems it  guidelines - animation
Tek systems it guidelines - animation
 
Sequrity policy
Sequrity policySequrity policy
Sequrity policy
 
Comelit 8513IM Data Sheet
Comelit 8513IM Data SheetComelit 8513IM Data Sheet
Comelit 8513IM Data Sheet
 
Sn setup
Sn setupSn setup
Sn setup
 
F18
F18F18
F18
 
The Future Mobile Security
The Future Mobile Security The Future Mobile Security
The Future Mobile Security
 
CCTV UAE, DVR CCTV Camera, IP Camera UAE
CCTV UAE, DVR CCTV Camera, IP Camera UAECCTV UAE, DVR CCTV Camera, IP Camera UAE
CCTV UAE, DVR CCTV Camera, IP Camera UAE
 
Mender.io | Securing the Connected Car
Mender.io | Securing the Connected CarMender.io | Securing the Connected Car
Mender.io | Securing the Connected Car
 

Viewers also liked

[CB16] ATMS how to break them to stop the fraud. by Olga Kochetova & Alexey O...
[CB16] ATMS how to break them to stop the fraud. by Olga Kochetova & Alexey O...[CB16] ATMS how to break them to stop the fraud. by Olga Kochetova & Alexey O...
[CB16] ATMS how to break them to stop the fraud. by Olga Kochetova & Alexey O...CODE BLUE
 
Best practice for_physical_atm_security
Best practice for_physical_atm_securityBest practice for_physical_atm_security
Best practice for_physical_atm_securitybillhien
 
Mobile jammer by venkatesh akkisetty
Mobile jammer by venkatesh akkisettyMobile jammer by venkatesh akkisetty
Mobile jammer by venkatesh akkisettyVenky Venkatesh
 
[CB16] 基調講演: セキュリティはどれくらいが適量? – How much security is too much? – by Karsten Nohl
[CB16] 基調講演: セキュリティはどれくらいが適量? – How much security is too much? – by Karsten Nohl[CB16] 基調講演: セキュリティはどれくらいが適量? – How much security is too much? – by Karsten Nohl
[CB16] 基調講演: セキュリティはどれくらいが適量? – How much security is too much? – by Karsten NohlCODE BLUE
 
ATM Security by using Fingerprint Recognition And GSM
ATM Security by using Fingerprint Recognition And GSMATM Security by using Fingerprint Recognition And GSM
ATM Security by using Fingerprint Recognition And GSMAlpesh Kurhade
 
ATM Frauds and Solutions
ATM Frauds and SolutionsATM Frauds and Solutions
ATM Frauds and SolutionsClarice_Wilson
 
automated teller machines
automated teller  machinesautomated teller  machines
automated teller machinestejinderubs
 
10 Slides to ATM
10 Slides to ATM10 Slides to ATM
10 Slides to ATMseanraz
 

Viewers also liked (14)

ATM
ATMATM
ATM
 
[CB16] ATMS how to break them to stop the fraud. by Olga Kochetova & Alexey O...
[CB16] ATMS how to break them to stop the fraud. by Olga Kochetova & Alexey O...[CB16] ATMS how to break them to stop the fraud. by Olga Kochetova & Alexey O...
[CB16] ATMS how to break them to stop the fraud. by Olga Kochetova & Alexey O...
 
Best practice for_physical_atm_security
Best practice for_physical_atm_securityBest practice for_physical_atm_security
Best practice for_physical_atm_security
 
Mobile jammer by venkatesh akkisetty
Mobile jammer by venkatesh akkisettyMobile jammer by venkatesh akkisetty
Mobile jammer by venkatesh akkisetty
 
Atm security
Atm securityAtm security
Atm security
 
[CB16] 基調講演: セキュリティはどれくらいが適量? – How much security is too much? – by Karsten Nohl
[CB16] 基調講演: セキュリティはどれくらいが適量? – How much security is too much? – by Karsten Nohl[CB16] 基調講演: セキュリティはどれくらいが適量? – How much security is too much? – by Karsten Nohl
[CB16] 基調講演: セキュリティはどれくらいが適量? – How much security is too much? – by Karsten Nohl
 
ATM Security by using Fingerprint Recognition And GSM
ATM Security by using Fingerprint Recognition And GSMATM Security by using Fingerprint Recognition And GSM
ATM Security by using Fingerprint Recognition And GSM
 
ATM Frauds and Solutions
ATM Frauds and SolutionsATM Frauds and Solutions
ATM Frauds and Solutions
 
Security
SecuritySecurity
Security
 
Atm security
Atm securityAtm security
Atm security
 
Ppt on atm machine
Ppt on atm machinePpt on atm machine
Ppt on atm machine
 
automated teller machines
automated teller  machinesautomated teller  machines
automated teller machines
 
10 Slides to ATM
10 Slides to ATM10 Slides to ATM
10 Slides to ATM
 
Atm System
Atm SystemAtm System
Atm System
 

Similar to ATM Compromise with and without Whitelisting

Implementing a Security strategy in IoT, Practical example Automotive Grade L...
Implementing a Security strategy in IoT, Practical example Automotive Grade L...Implementing a Security strategy in IoT, Practical example Automotive Grade L...
Implementing a Security strategy in IoT, Practical example Automotive Grade L...LibreCon
 
[CLASS2014] Palestra Técnica - Franzvitor Fiorim
[CLASS2014] Palestra Técnica - Franzvitor Fiorim[CLASS2014] Palestra Técnica - Franzvitor Fiorim
[CLASS2014] Palestra Técnica - Franzvitor FiorimTI Safe
 
Unidirectional Network Architectures
Unidirectional Network ArchitecturesUnidirectional Network Architectures
Unidirectional Network ArchitecturesEnergySec
 
Program Analysis: a security perspective
Program Analysis: a security perspectiveProgram Analysis: a security perspective
Program Analysis: a security perspectiveAntonio Parata
 
Latest Security Reports of Automobile and Vulnerability Assessment by CVSS v3...
Latest Security Reports of Automobile and Vulnerability Assessment by CVSS v3...Latest Security Reports of Automobile and Vulnerability Assessment by CVSS v3...
Latest Security Reports of Automobile and Vulnerability Assessment by CVSS v3...FFRI, Inc.
 
BSidesAugusta ICS SCADA Defense
BSidesAugusta ICS SCADA DefenseBSidesAugusta ICS SCADA Defense
BSidesAugusta ICS SCADA DefenseChris Sistrunk
 
Security challenges for IoT
Security challenges for IoTSecurity challenges for IoT
Security challenges for IoTWSO2
 
Common NonStop security hacks and how to avoid them
Common NonStop security hacks and how to avoid themCommon NonStop security hacks and how to avoid them
Common NonStop security hacks and how to avoid themGreg Swedosh
 
ICS Network Security Monitoring (NSM)
ICS Network Security Monitoring (NSM)ICS Network Security Monitoring (NSM)
ICS Network Security Monitoring (NSM)Digital Bond
 
Ryan Wilson - ryanwilson.com - IoT Security
Ryan Wilson - ryanwilson.com -  IoT SecurityRyan Wilson - ryanwilson.com -  IoT Security
Ryan Wilson - ryanwilson.com - IoT SecurityRyan Wilson
 
Chapter 9 system penetration [compatibility mode]
Chapter 9 system penetration [compatibility mode]Chapter 9 system penetration [compatibility mode]
Chapter 9 system penetration [compatibility mode]Setia Juli Irzal Ismail
 
Sec285 final presentation_joshua_brown
Sec285 final presentation_joshua_brownSec285 final presentation_joshua_brown
Sec285 final presentation_joshua_brownJoshuaBrown233
 
Endpoint Security Shifting Paradigms 5
Endpoint Security Shifting Paradigms 5Endpoint Security Shifting Paradigms 5
Endpoint Security Shifting Paradigms 5tafinley
 
2019-12-11-OWASP-IoT-Top-10---Introduction-and-Root-Causes.pdf
2019-12-11-OWASP-IoT-Top-10---Introduction-and-Root-Causes.pdf2019-12-11-OWASP-IoT-Top-10---Introduction-and-Root-Causes.pdf
2019-12-11-OWASP-IoT-Top-10---Introduction-and-Root-Causes.pdfdino715195
 
Managed Vulnerability Scan
Managed Vulnerability ScanManaged Vulnerability Scan
Managed Vulnerability ScanShawn Jordan
 
Ticket to Ride - Bus Fleet Operated and Managed with OSGi - C Larsson
Ticket to Ride - Bus Fleet Operated and Managed with OSGi - C LarssonTicket to Ride - Bus Fleet Operated and Managed with OSGi - C Larsson
Ticket to Ride - Bus Fleet Operated and Managed with OSGi - C Larssonmfrancis
 

Similar to ATM Compromise with and without Whitelisting (20)

Implementing a Security strategy in IoT, Practical example Automotive Grade L...
Implementing a Security strategy in IoT, Practical example Automotive Grade L...Implementing a Security strategy in IoT, Practical example Automotive Grade L...
Implementing a Security strategy in IoT, Practical example Automotive Grade L...
 
[CLASS2014] Palestra Técnica - Franzvitor Fiorim
[CLASS2014] Palestra Técnica - Franzvitor Fiorim[CLASS2014] Palestra Técnica - Franzvitor Fiorim
[CLASS2014] Palestra Técnica - Franzvitor Fiorim
 
Unidirectional Network Architectures
Unidirectional Network ArchitecturesUnidirectional Network Architectures
Unidirectional Network Architectures
 
Program Analysis: a security perspective
Program Analysis: a security perspectiveProgram Analysis: a security perspective
Program Analysis: a security perspective
 
Latest Security Reports of Automobile and Vulnerability Assessment by CVSS v3...
Latest Security Reports of Automobile and Vulnerability Assessment by CVSS v3...Latest Security Reports of Automobile and Vulnerability Assessment by CVSS v3...
Latest Security Reports of Automobile and Vulnerability Assessment by CVSS v3...
 
BSidesAugusta ICS SCADA Defense
BSidesAugusta ICS SCADA DefenseBSidesAugusta ICS SCADA Defense
BSidesAugusta ICS SCADA Defense
 
AXENT-Everything-IDS
AXENT-Everything-IDSAXENT-Everything-IDS
AXENT-Everything-IDS
 
Security challenges for IoT
Security challenges for IoTSecurity challenges for IoT
Security challenges for IoT
 
Common NonStop security hacks and how to avoid them
Common NonStop security hacks and how to avoid themCommon NonStop security hacks and how to avoid them
Common NonStop security hacks and how to avoid them
 
ICS Network Security Monitoring (NSM)
ICS Network Security Monitoring (NSM)ICS Network Security Monitoring (NSM)
ICS Network Security Monitoring (NSM)
 
Ryan Wilson - ryanwilson.com - IoT Security
Ryan Wilson - ryanwilson.com -  IoT SecurityRyan Wilson - ryanwilson.com -  IoT Security
Ryan Wilson - ryanwilson.com - IoT Security
 
Chapter 9 system penetration [compatibility mode]
Chapter 9 system penetration [compatibility mode]Chapter 9 system penetration [compatibility mode]
Chapter 9 system penetration [compatibility mode]
 
Sec285 final presentation_joshua_brown
Sec285 final presentation_joshua_brownSec285 final presentation_joshua_brown
Sec285 final presentation_joshua_brown
 
Endpoint Security Shifting Paradigms 5
Endpoint Security Shifting Paradigms 5Endpoint Security Shifting Paradigms 5
Endpoint Security Shifting Paradigms 5
 
2019-12-11-OWASP-IoT-Top-10---Introduction-and-Root-Causes.pdf
2019-12-11-OWASP-IoT-Top-10---Introduction-and-Root-Causes.pdf2019-12-11-OWASP-IoT-Top-10---Introduction-and-Root-Causes.pdf
2019-12-11-OWASP-IoT-Top-10---Introduction-and-Root-Causes.pdf
 
UK Gov Report Summary
UK Gov Report SummaryUK Gov Report Summary
UK Gov Report Summary
 
Managed Vulnerability Scan
Managed Vulnerability ScanManaged Vulnerability Scan
Managed Vulnerability Scan
 
Check Point NGFW
Check Point NGFWCheck Point NGFW
Check Point NGFW
 
Hugo Fiennes - Security and the IoT - Electric Imp
Hugo Fiennes - Security and the IoT - Electric ImpHugo Fiennes - Security and the IoT - Electric Imp
Hugo Fiennes - Security and the IoT - Electric Imp
 
Ticket to Ride - Bus Fleet Operated and Managed with OSGi - C Larsson
Ticket to Ride - Bus Fleet Operated and Managed with OSGi - C LarssonTicket to Ride - Bus Fleet Operated and Managed with OSGi - C Larsson
Ticket to Ride - Bus Fleet Operated and Managed with OSGi - C Larsson
 

Recently uploaded

The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdfThe Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdfkalichargn70th171
 
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️Delhi Call girls
 
5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdf5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdfWave PLM
 
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...gurkirankumar98700
 
Advancing Engineering with AI through the Next Generation of Strategic Projec...
Advancing Engineering with AI through the Next Generation of Strategic Projec...Advancing Engineering with AI through the Next Generation of Strategic Projec...
Advancing Engineering with AI through the Next Generation of Strategic Projec...OnePlan Solutions
 
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsUnveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsAlberto González Trastoy
 
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online  ☂️CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online  ☂️
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️anilsa9823
 
why an Opensea Clone Script might be your perfect match.pdf
why an Opensea Clone Script might be your perfect match.pdfwhy an Opensea Clone Script might be your perfect match.pdf
why an Opensea Clone Script might be your perfect match.pdfjoe51371421
 
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AISyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AIABDERRAOUF MEHENNI
 
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...ICS
 
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...panagenda
 
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...kellynguyen01
 
Test Automation Strategy for Frontend and Backend
Test Automation Strategy for Frontend and BackendTest Automation Strategy for Frontend and Backend
Test Automation Strategy for Frontend and BackendArshad QA
 
HR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.comHR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.comFatema Valibhai
 
Right Money Management App For Your Financial Goals
Right Money Management App For Your Financial GoalsRight Money Management App For Your Financial Goals
Right Money Management App For Your Financial GoalsJhone kinadey
 
How To Use Server-Side Rendering with Nuxt.js
How To Use Server-Side Rendering with Nuxt.jsHow To Use Server-Side Rendering with Nuxt.js
How To Use Server-Side Rendering with Nuxt.jsAndolasoft Inc
 
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...MyIntelliSource, Inc.
 
Professional Resume Template for Software Developers
Professional Resume Template for Software DevelopersProfessional Resume Template for Software Developers
Professional Resume Template for Software DevelopersVinodh Ram
 

Recently uploaded (20)

The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdfThe Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
 
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
 
5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdf5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdf
 
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
 
Advancing Engineering with AI through the Next Generation of Strategic Projec...
Advancing Engineering with AI through the Next Generation of Strategic Projec...Advancing Engineering with AI through the Next Generation of Strategic Projec...
Advancing Engineering with AI through the Next Generation of Strategic Projec...
 
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsUnveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
 
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online  ☂️CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online  ☂️
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
 
why an Opensea Clone Script might be your perfect match.pdf
why an Opensea Clone Script might be your perfect match.pdfwhy an Opensea Clone Script might be your perfect match.pdf
why an Opensea Clone Script might be your perfect match.pdf
 
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AISyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
 
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
 
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
 
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...

ATM Compromise with and without Whitelisting

  • 1. ATM Compromise with or without Whitelisting
  • 2. Agenda 1. whoami 2. Application Whitelisting 3. Threat - ATM Jackpotting malware 4. Software mitigations have improved but we still see weaknesses 5. Recommendations 23/06/15 © FortConsult
  • 3. whoami Alexandru Gherman Head of Research | Principal Security Consultant FortConsult Denmark | NCC Group Reverse engineering * Firmware * UEFI * Finding Bugs * Malware analysis @alexgherman
  • 4. What we do @FortConsult Ø Reverse engineering Ø Penetration Testing Ø ATM security testing (Physical and Software attacks) Ø Security assessments Ø Audits * Source Code Review * Static and dynamic analysis Ø Hardware security testing - ATM controllers, CCTV, Bluetooth, Smart TV, Physical Security and other smart devices Ø Malware analysis Ø Threat analysis and research * Incident Response * Forensics
  • 5. Application Whitelisting ♦ Appropriate for ATM devices ♦ It blocks each load/execute attempt (hooks into Windows APIs such as LoadLibrary, WinExec, CreateProcess) ♦ Unique way to secure against unauthorized software ♦ Reduces the risk but does not make the solution infallible to buffer overflow type of attacks
  • 6. However there is still a risk Only one of these has to be vulnerable … so that a system could be compromised! Why? Still buffer overflows and other development errors…
  • 8. Still vulnerable on the network
  • 9. Tyupkin Malware – Backdoor.MSIL.Tyupkin ♦ What is Tyupkin? ♦ Stage 1 § Physical access to the ATM § Insert bootable CD § Once the ATM is rebooted the infected ATM is under control ♦ Stage 2 § Infinite loop waiting for a command § Only accepts commands at specific times
  • 10. Tyupkin Malware – Backdoor.MSIL.Tyupkin
  • 11. Tyupkin Malware – Backdoor.MSIL.Tyupkin
  • 12.
  • 13. Bypassing Whitelisting can lead to jackpotting Ø FortConsult performed a lot of research and developed own XFS-compliant code Ø Although we worked with ATM emulated environments, what we developed seems to work on any XFS compliant ATM! Ø Administrative privilege is not necessarily required to jackpot Ø Let us try it with your setup? :)
  • 15. All this can happen while offline and without network connectivity! Without being monitored… On a priority scale, you don't need 0-day detection, you need compromise detection first. Knowing how you were compromised is less important than knowing that you were.
  • 16. The path to the risk ♦ In every application there are design/development errors ♦ It takes only "whitelisted" vulnerable applications and other underlying components to compromise a system ♦ "Buffer overflow detections" don't always work as advertised ♦ Exploitation § Develop exploit § Control EIP § Gain arbitrary code execution
  • 17. Unlike Tyupkin's Physical Access, we used a buffer overflow in a Whitelisted Application! An attacker would always look for a door that allows a bypass!
  • 18. Software Development ♦ Software mitigations introduced in Windows Vista/7/8 are good, but they are not invincible. ASLR in Windows!
  • 19. Demo time!
  • 20. Recommendations? Probably not Uninstall/Disable. It's still one of the Only! If not, probably the best right now! Ø Thorough application inventory review of all the applications installed on the ATM Ø Internet Explorer Ø Java/Flash Runtime engines Ø Image renderers, Virtual Browsers Ø Communications and message parsers Ø ATM security test (Blackbox/Greybox) Ø Physical attacks Ø Network attacks Ø Application attacks Ø Source Code review of the custom applications installed
  • 21. Recommendations? Probably not Uninstall/Disable. It's still one of the Only! If not, probably the best right now! Ø Build a Lockdown Suite of Security Controls formed out of a corroboration of Ø Windows Security Features (through use of ASLR, DEP, Stack Canaries) Ø Disk Encryption Ø Whitelisting Ø And other security controls which we usually see Unleveraged! Ø We can help you Here!
  • 22. Europe: Manchester - Head Office, Amsterdam, Cheltenham, Copenhagen, Edinburgh, Leatherhead, London, Luxembourg, Milton Keynes, Munich, Zurich, Sweden, Vilnius, Portugal. North America: Atlanta, Austin, Chicago, New York, San Francisco, Seattle, Sunnyvale. Australia: Sydney. Russia: Moscow
  • 23. A very special thank you to the expert team at KAL ATM Software, they are one of the only companies worldwide who support advanced testing and research.
  • 24.
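The deck's point on slides 18, 20 and 21 is that a whitelisted application is still a risk when it lacks the Windows mitigations (ASLR, DEP, CFG) that make memory-corruption bugs harder to exploit, so the recommended inventory review should record which mitigations each binary opted into. The script below is an added example, not code from the slides or from FortConsult; it reads the flags straight from the PE headers and is exercised against a constructed header rather than a real ATM binary (stack canaries, /GS, leave no header flag and are out of scope).

```python
import struct

# IMAGE_DLLCHARACTERISTICS_* and IMAGE_FILE_* flag values from winnt.h
HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF = 0x0020, 0x0040, 0x0100, 0x4000
RELOCS_STRIPPED = 0x0001  # COFF Characteristics: no .reloc, so the loader cannot rebase

def pe_mitigations(data: bytes) -> dict:
    """Read build-time mitigation flags from a PE image's headers."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4  # IMAGE_FILE_HEADER, 20 bytes; Characteristics at +18
    file_chars = struct.unpack_from("<H", data, coff + 18)[0]
    opt = coff + 20  # IMAGE_OPTIONAL_HEADER; Magic at +0, DllCharacteristics at +70
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):  # PE32 / PE32+ share the DllCharacteristics offset
        raise ValueError("unknown optional header magic")
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]
    relocs_stripped = bool(file_chars & RELOCS_STRIPPED)
    return {
        "pe32plus": magic == 0x20B,
        # DYNAMIC_BASE is meaningless without relocations: treat that as no ASLR
        "aslr": bool(dll_chars & DYNAMIC_BASE) and not relocs_stripped,
        "high_entropy_va": bool(dll_chars & HIGH_ENTROPY_VA),
        "dep": bool(dll_chars & NX_COMPAT),
        "cfg": bool(dll_chars & GUARD_CF),
        "relocs_stripped": relocs_stripped,
    }

def missing_mitigations(data: bytes) -> list:
    """Core mitigations (ASLR, DEP, CFG) this image does not opt into."""
    m = pe_mitigations(data)
    return [name for name in ("aslr", "dep", "cfg") if not m[name]]

def build_fake_pe(dll_chars: int, file_chars: int = 0, magic: int = 0x20B) -> bytes:
    """Constructed minimal PE header for offline testing; not a real binary."""
    dos = bytearray(0x40); dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew -> PE signature
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, file_chars)
    opt = bytearray(240); struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<H", opt, 70, dll_chars)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)

if __name__ == "__main__":
    print(missing_mitigations(build_fake_pe(DYNAMIC_BASE | NX_COMPAT | GUARD_CF)))  # → []
    print(missing_mitigations(build_fake_pe(0, file_chars=RELOCS_STRIPPED)))  # → ['aslr', 'dep', 'cfg']
```

For a real inventory, feed `missing_mitigations` the first few kilobytes of every .exe and .dll the whitelist allows and review anything that comes back non-empty.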