Everyone loves money. It allows us a certain level of freedom in the items we use, where we would like to travel, gifts to our friends, and a level of comfort for the future. They say cash is king, and certainly, during this time period, it has tended to be. One piece of equipment that holds a large amount of cash is the ATM. People have dreamed of simply walking by and having money fly out at them. As bizarre as this sounds, these attacks have existed as proofs of concept since at least 2010. The history lesson begins with Black Hat in 2010. Barnaby Jack’s presentation showed two different methods to jackpot an ATM, that is, to direct it to spew out the bills it contained. One of the attacks was done over the internet and the other required hardware access through the front of the machine. The audience was naturally very impressed by his expertise. At the time he was the Director of Security Research at IOActive Labs. Over the years, the research continued and other methods to jackpot ATMs were found and published.
The new attack is focused on Diebold Nixdorf machines. Diebold Nixdorf made $3.3B from ATM sales and the associated service plans in 2019. It is one of the favored and notable ATM manufacturers.
New Attack
Well, there is a new ATM attack in town. It does not work on all ATMs. The attackers have been using the new method against Diebold’s ProCash 2050xe USB terminals. The newly published attack uses a black box that runs proprietary code against the attack surface in the ATM. The code is from the ATM manufacturer (Diebold). The attackers have to connect the black box to the ATM to complete the attack. This is done by unlocking the ATM chassis, drilling holes into the chassis at selected points, or otherwise bypassing the physical security. The attacker then plugs their patch cord into the CMD-V4 dispenser in place of the cord already plugged in. At this point, the ATM is pwned as the attacker issues the malicious dispense commands.
The end result is cash flowing from the machine to the attackers, who are not authorized to receive the money. Depending on the inventory held in the ATM, this could be as many as 40 bills every 23 seconds, or $800 every 23 seconds if the machine only holds $20s.
From what is known, the attacks appear to use a portion of the ATM software stack. It isn’t known for certain how the attackers gained access to the code, as the software is proprietary and no one can simply go to Dr. Google and download it. They may, however, have gained the requisite information from an unencrypted hard drive that was unaccounted for.
PoC or not?
Noting that an attack is workable and potentially viable is one thing. Showing it, and showing where it has been done outside of the lab in the real world, is another matter completely. In this case, the attack has been used across Europe.
Mitigations
All is not lost, and there does not need to be a 24-hour security guard at the specifically affected machines. Diebold has provided mitigations for this and urgently recommended that its customers verify whether these are in place yet. These include using firmware version 2011 or later for the CMD V4, enabling the firmware fuse, secure encryption handling, the enhanced keystore format, and 3DES encryption, and verifying that this encryption is actually active. The document from Diebold is very helpful in the implementation.
Potential
Yes, indeed, this is a viable attack and not just a lab exercise. It would, however, need to be done within a very limited scope of potential events. After all, if one of these machines was in the mall, someone isn’t going to waltz up at noon on a Saturday and gingerly pry open the front of the ATM and hope no one notices or calls law enforcement, or better yet drill through the aluminum plating several times and thread a patch cord through a hole. There is always the key to unlock the ATM; however, this would probably also appear a bit fishy as the attackers plug the cord into the machine. If the machine were outside, perhaps the attack could be done in the darkness. The issue with this is that there are cameras everywhere in the environment. The attackers would probably be recorded, and they would also run the risk of law enforcement stopping by.
It is also notable that the black box does not need to be a laptop with a 13-inch monitor. It could be built with an Arduino or Raspberry Pi. The housing for these is also very small by comparison. While this would indeed appear a little odd to the shoppers in our scenario or others, the hardware is easily hidden and manipulated.
Resources
Diebold Nixdorf. (2020, July 15). 020-27/0003-Jackpotting with black box in Europe. Retrieved from https://dd80b675424c132b90b3-e48385e382d2e5d17821a5e1d8e4c86b.ssl.cf1.rackcdn.com/external/diebold-nixdorf-security-alert-2.pdf
Diebold Nixdorf. (n.d.). Cyber attacks are on the rise. Find out how you can protect your network comprehensively. Retrieved from https://www.dieboldnixdorf.com/-/media/diebold/files/banking/insights/brochures/dn_brochure_security-jackpotting-overview_fa_20181005.pdf
Goodin, D. (2020, July 20). Crooks have acquired proprietary Diebold software to “jackpot” ATMs. Retrieved from https://arstechnica.com/information-technology/2020/07/crooks-are-using-a-new-way-to-jackpot-atms-made-by-diebold/
ThreatPost. (2020, July 21). Diebold ATM terminals jackpotted using machine’s own software. Retrieved from https://www.newsbreak.com/news/1604274576845/diebold-atm-terminals-jackpotted-using-machines-own-software and https://www.thetechstreetnow.com/tech/diebold-atm-terminals-jackpotted-using-machines-own-software/1305153191397515153/1305153191397515153/ and https://threatpost.com/diebold-atm-terminals-jackpotted-using-machines-own-software/157575/
Zetter, K. (2010, July 20). Researcher demonstrates ATM ‘jackpotting’ at Black Hat conference. Retrieved from https://www.wired.com/2010/07/atms-jackpotted/