DTS Solution - Hacking ATM Machines - The Italian Job Way


  1. Hacking ATM Machines – The Italian Job Way
     www.dts-solution.com
     Shah H Sheikh – Sr. Security Solutions Consultant, MEng CISSP CISA CISM CRISC CCSK, shah@dts-solution.com
     Mohamed Bedewi – Sr. Penetration Testing Consultant, Network+ | CCNA | MCSE | Linux+ | RHCE | Security+ | CEH | PWB | CWHH, mohamed@dts-solution.com
  2. DTS Solution
  3. Introduction
     ATM machines have always been a very hot target for cyber criminals. An ATM is like a candy machine in the middle of the street, but instead of candy it holds money, and everyone would love free money.
     Getting free money from a candy machine lying in the middle of the street is not an easy job in terms of physical security, but once you overcome this obstacle, it's a piece of cake!
     WARNING: I think and act like a criminal with a very evil, twisted mind, but I am actually NOT. I already had millions of chances to get rich illegally and I turned them all down. I have very strict ethics, and if I didn't earn it fair and square, I am not interested at all. This presentation is for educational purposes ONLY and to raise awareness; don't be a fool.
  4. Facts About ATM Machines
     • An estimated 95% of bank ATMs run on Windows XP, which is not supported.
     • Opening the control panel hatch is very simple via paper clip or a master key.
     • ATM machines have activated USB ports and sometimes even a CD/DVD drive.
     • ATM cameras aren't monitored properly and most of the time they fail to tape.
     • ATM machines must have internet connectivity to update various transactions.
     Slide graphic labels: Physical Security, Removable Media, Poorly Monitored, Internet Connected, Outdated Systems
  5. ATM Hacking Examples – Attacks by Skimer-A Trojan against Diebold
     One of the first serious attacks against ATMs took place in Eastern Europe back in 2009 and was aimed at Diebold Opteva ATMs. Skimer-A's primary objectives were the following:
     • Steal information (card numbers and PINs)
     • Allow remote access to the infected ATM
     • Drop more malware onto the infected ATM
     The hack required physical access to the machine. The perpetrators used social engineering to persuade stores to allow them physical access to the machine after hours so they could install the trojan.
  6. ATM Hacking Examples – ATM Jackpotting by Barnaby Jack
     Early in 2010, IOActive security expert Barnaby Jack presented his "ATM Jackpotting" at Black Hat. He was able to write a rootkit, "Scrooge", which is capable of remotely exploiting an ATM machine.
     Barnaby Jack ordered three different ATMs and got them delivered at home. He told the curious delivery man that he had ordered the ATMs to avoid withdrawal fees.
     Barnaby Jack studied the three different ATMs to come up with "Scrooge". Once it is installed, you can walk up to the ATM machine and enter a key sequence to fully empty the cassette, or you can even do it remotely in case the machine has a connection and you already know its physical location.
  7. ATM Attack Methodology
     • Gathering Accrued Information
     • Bypassing Physical Security
     • Abusing Windows XP Weakness
     • Manipulating Firmware Defaults
     • Installing Malicious Malware
     • Emptying Cassettes Silently
     "Getting Free Money From an ATM Machine is Easier Than I Expected" – Mohamed Bedewi
  8. Hacking ATMs The Italian Way – Gathering Accrued Information
     ATM machines are located in the street and every person is indirectly guarding them, so you need a legitimate pattern to follow, and the best way to get one is to deeply observe an invoked one.
     Getting a Legitimate Pattern
     Invoking Pattern: Legitimate patterns won't happen very often, especially in a country like UAE, that's why you have to invoke the pattern manually!
       • Get the target ATM machine out of order
       • Report the target ATM machine to its bank
     Observing Pattern: Without gathering accrued information, the entire activity will fail because eventually you can't hack what you don't know!
       • Observe the ATM technicians fixing the ATM
       • Take various photos of their uniform and IDs
  9. Hacking ATMs The Italian Way – Bypassing Physical Security
     At this stage you should have a fake ID badge and a costume for ATM technician, now get dressed, act and behave like an ATM technician and if someone wanted to use the machine just say "Sir, this machine is under maintenance, please use another machine".
     Challenges
     • IP Camera: Just put a reflective film on it, use a cover or mirror.
     • Control Panel Hatch: Just use a paper clip, bobby pin or purchase a master key online.
     • Bank Security: Never target an ATM which is placed in front of a bank.
     • Walking People: Ignore them, you are a technician who's doing his job.
  10. Hacking ATMs The Italian Way – Abusing Windows XP Weakness
     Windows XP has been criticized for its vulnerabilities due to buffer overflows and its susceptibility to malware such as viruses, trojan horses and worms. Support for Windows XP also ended on April 8, 2014; there will be no more security updates or technical support.
     Weakness
     • Default Admin
     • Media Autorun
     • Ring Zero Access
     • Lack of UAC
     • High Target
     • No Updates
  11. Hacking ATMs The Italian Way – Manipulating Firmware Defaults
     The firmware for an ATM machine is the user interface for clients, which is responsible for taking instructions and executing them on the backend system to eventually generate a result.

     | Company  | Model     | Operator | Master | Service | Admin  |
     |----------|-----------|----------|--------|---------|--------|
     | Diebold  | CSP 200   | N/A      | 626243 | N/A     | N/A    |
     | Hyosung  | MB1500    | 159951   | 375876 | 965733  | N/A    |
     | Mandrake | ecash2000 | N/A      | 159951 | N/A     | N/A    |
     | Tranax   | 1700      | N/A      | 000000 | N/A     | 000000 |
     | Triton   | 9100      | N/A      | 123456 | N/A     | 987654 |

     This is just a preview, we already have almost every default access code
  12. Hacking ATMs The Italian Way – Installing Malicious Malware
     Backdoor.MSIL.Tyupkin
     Tyupkin only works on ATMs that run Windows 32-bit operating systems, and it accepts commands only in the dead of night on certain days of the week, keeping the exploit well-hidden most of the time.
     Features:
     • Interacts through standard library MSXFS.
     • Runs in infinite loop waiting for user input.
     • Uses session keys to prevent random users.
     • Dispenses 40 banknotes from any cassette.
     [Figure: Tyupkin in Action]
     Backdoor.Ploutus
     Ploutus works on a single SMS pattern in which the attacker sends a simple SMS to a compromised ATM and can easily collect the cash. This technique is currently in use by attackers across the world.
     Features:
     • Requires a phone connected via tethering.
     • Passes commands to ATM using TCP/UDP.
     • Receives two SMS to initiate and dispense.
     • Dispenses the entire default four cassettes.
     [Figure: Ploutus in Action]
  13. Hacking ATMs The Italian Way – Emptying Cassettes Silently
     After installing your malicious malware, your job is done and you're ready to go, so put everything back the same as it was and leave.
     Observe your candy machine remotely for the next 24 hours to make sure that everything went undetected and as planned.
     Come back later as a legitimate customer and start dispensing free money, and the good news is, it will take them a while to notice it.
  14. Thanks and Have a Good Day
  15. Shah H Sheikh – Sr. Security Solutions Consultant, MEng CISSP CISA CISM CRISC CCSK, shah@dts-solution.com
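
A defender-side check for the behaviour slide 12 attributes to Tyupkin (cash dispensed locally, 40 banknotes at a time, at night), as an added example that is not part of the original slides: it reconciles dispenser events against host-approved withdrawals and reports every dispense with no approval behind it. The journal format, field names, 60-second match window and 00:00-04:59 night window are assumptions, and the sample lines are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample journal (not real ATM output): "time|atm|event|notes".
# AUTH = withdrawal approved by the bank host; DISPENSE = notes left a cassette.
JOURNAL = """\
2014-10-06 14:02:11|ATM-017|AUTH|5
2014-10-06 14:02:19|ATM-017|DISPENSE|5
2014-10-07 00:40:02|ATM-017|AUTH|10
2014-10-07 00:40:09|ATM-017|DISPENSE|10
2014-10-07 01:13:40|ATM-017|DISPENSE|40
2014-10-07 01:14:25|ATM-017|DISPENSE|40
"""

MATCH_WINDOW = timedelta(seconds=60)  # assumed max delay from approval to dispense
NIGHT_HOURS = range(0, 5)             # assumed "dead of night" window, 00:00-04:59
TYUPKIN_NOTES = 40                    # notes per dispense, as stated on slide 12

def parse(journal):
    """Yield (time, atm, event, notes) tuples from the pipe-separated journal."""
    for line in journal.strip().splitlines():
        ts, atm, event, notes = line.split("|")
        yield datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), atm, event, int(notes)

def unauthorized_dispenses(journal):
    """Return dispenses that no host authorization accounts for."""
    pending = {}    # atm -> approvals (time, notes) not yet matched to a dispense
    findings = []
    for ts, atm, event, notes in sorted(parse(journal)):
        if event == "AUTH":
            pending.setdefault(atm, []).append((ts, notes))
            continue
        approvals = pending.get(atm, [])
        match = next((a for a in approvals if a[1] == notes
                      and timedelta(0) <= ts - a[0] <= MATCH_WINDOW), None)
        if match:
            approvals.remove(match)   # one approval covers one dispense only
            continue
        tags = ["no-host-auth"]       # primary signal; the rest is triage context
        if notes == TYUPKIN_NOTES:
            tags.append("40-notes")
        if ts.hour in NIGHT_HOURS:
            tags.append("night")
        findings.append((ts.isoformat(sep=" "), atm, notes, tags))
    return findings

if __name__ == "__main__":
    for finding in unauthorized_dispenses(JOURNAL):
        print(finding)
```

The night-time withdrawal at 00:40 is not reported because a host approval matches it; only the two unapproved 40-note dispenses are.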
