Isn’t it just everybody’s dream: to walk up to an ATM, swipe your card, get a flashy screen reading “We Have A Winner,” and watch the machine spew out all its money? That dream just became reality.
At least in a great presentation from Barnaby Jack at the Black Hat Briefings in Las Vegas. “Jackpotting Automated Teller Machines Redux” was planned for last year, but was pulled, allowing Jack another year of research. He did two demos. One was walking up to an ATM, opening it, plugging in a USB device, and restarting it. The other involved remotely bypassing authentication, installing a rootkit over the network, giving him complete control over the machine, and managing it remotely or by typing a secret combination of keys on the machine to get access to the rootkit. Or by swiping a special card. The rootkit would also capture the data from any card inserted and send it to the C&C Server (still standing for command and control, not for credit card).
A very flashy presentation, but what’s behind it?
Most people tend to ignore the fact that a lot of today’s devices and machines are internally running fairly standard computers and operating systems. ATM machines, cars, medical devices, even your TV may have such a computer inside, allowing updates over a network. Software unfortunately has flaws. The more complex, the more flaws, so sometimes updates are necessary to add new functionality, instead of replacing a device with a new one, fixing flaws found, etc.
In the first case the attack is made easy as most, if not all vendors of ATMs use a master key to unlock them, giving easy access to the motherboard. Using master keys is definitely a bad security technique but other solutions may be really difficult in practice. And allowing code from a USB device to run is what makes the attack possible. In the demo it took only 5 seconds and a reboot.
In the second case Jack used a flaw in the authentication to make unauthorized changes, and run the attack program. But the principle was just the same as with millions of other computers that each quarter become victims of an attack and part of a botnet.
So these computers need some protection against unauthorized changes. Running anti-malware software on them is obviously not a good solution; it would need constant updating and would make a heavy impact on the systems you want to protect. So the future is in using application control, configuration control, and change control to lock down those systems, so you can still make authorized updates and changes but not run unauthorized code from an attacker.
OK, so much for now. I’ve seen some ATMs in the lobby that I need to look at. 😉