All right, all right, so we finally made it. I want to give a big thanks to my mate Alex, who flew over from Europe. He road-tripped the ATMs with me in an Escalade from San Jose to here. The whole time I'm thinking, please don't get pulled over, please don't get pulled over: two ATMs in the back of an Escalade and about six thousand notes of novelty currency. "What are you boys up to?", you know. But we made it and got them to the casino, so real good.

The attraction to targeting ATMs is fairly obvious, I mean, they're full of cash. But for myself it's kind of part of a bigger picture and a bigger plan, and that's to explore systems that, when compromised, have direct and immediate consequences. You know, society relies on various proprietary systems, whether they be ATM machines, medical devices, smart meters, parking meters, or the computer system in a vehicle. It's important to research these systems, which are often not designed with a secure methodology, and as a result of that research we can use that knowledge to design better and safer products in the future.

So my goal, the goal of the talk, is to spark discussion on the best ways to remediate and prevent the attacks I'm going to be demonstrating. The goal definitely isn't to give a cookbook recipe on how to hack ATMs. You know, I find the process of finding vulnerabilities a little bit more interesting anyway; the journey, not the destination, although the destination is pretty cool in this one. And I hope to change the way people look at devices that from the outside are seemingly impenetrable.

So, current attacks. The skimmer, which is certainly a fan favourite: a small overlay that slides over the card slot and the PIN pad, manufactured to blend seamlessly with whatever particular ATM it's manufactured for, and designed to both capture the track data on the cards as well as the PIN numbers. And you know, the technology in some of these is no joke: data that gets transmitted over GPS, some even have tamper protection. They wipe themselves if they're found out and send the remaining data back to the attacker.

Physical theft and ram raids: you may have all seen those YouTube videos where a couple of good old boys haul through the front window of a store, attach a chain to an ATM and the other end to their pickup truck, and take off with it. Not the most subtle of attacks, but that's ninja status compared to some of the other ones.

And we have card trapping and card snooping. Card trapping is where someone will insert a small shim, commonly known as the Lebanese loop, into the slot. It traps the card, and it's designed in such a way that when the card's read it will be read but won't be returned to you. Often combined with shoulder surfing to get your PIN, or they'll get your PIN in other ways, which may not be quite as friendly.

Then safe cracking, the frontal attacks: basically going at the ATM with a pair of pliers and a blowtorch. Explosives, which is surprisingly popular, which I find a bit odd. The attack is literally tying a bunch of explosives to an ATM and blowing the crap out of it. Now you'd think blowing up an ATM would be somewhat counterproductive, but this is big in Australia. So you go figure. Sorry, Australians.

And data breaches, hacking the back end, so hacking the bank processor and harvesting the card data. An example of this would have been the compromise of the Royal Bank of Scotland WorldPay back end. Certainly the safest and the most technically sophisticated attack that I've seen; I think about 9 million was stolen during that attack.

And then I guess we have miscellaneous, other. So there would have been the default passcode attack from a couple of years back, where if the operator password was left unchanged on the machines you could reprogram the ATM to think there was a lower denomination in the machine than there actually was. So, you know, you could program it to think it's full of $5 notes when it's really full of 20s. And I'll be adding some more to the other category: practical attacks, which in my opinion blow John Connor's one right out of the water.

So I've picked standalone ATMs, and there's a few reasons for that. First off, they're pretty easy to get a hold of. You know, you jump online and, like anything on the internet,
you just add to cart. Getting the ATMs delivered to your house, though, is actually quite interesting. I had the ATM delivery guy literally wheel in one of the ATMs, and he came in and he's like, "What do you need an ATM in your house for?" And I was feeling a little bit cheeky at the time, so I just looked at him like, "I don't like the transaction fees, me," and he just kind of shook his head and went on his way.

But also they're everywhere, you know, every bar, convenience store, market, and they're often in secluded areas. You know, they'll be out by the restroom, tucked away in corners. But I will be discussing attack methods for both standalone and hole-in-the-wall ATMs. I will go over walk-up style attacks, but then I'll shift focus to a far more important vector, and that's the remote attacks, and particularly what an attacker can leverage through a successful remote compromise. And when I say remote, I mean remote by default, because that's the only way to roll, really.

So just to get an idea of how popular these ATMs are, this is just one block on my street from a bit of a pub crawl. I must say my favourite is the guy who owns a Mexican restaurant here, holding his bottle of Tapatío over the top of the ATM. He doesn't exactly look chuffed to be there, though, but you know.

So these are the standard specs of a new model retail-style ATM: generally Windows CE running on an ARM processor. New models support both TCP/IP and dial-up by default, and optional wireless. When I say wireless I mean CDMA, not 802.11, because, you know, so no drive-by ATM attacks, unfortunately. I thought it would be kind of cool to drive by and just have ATMs spit out cash, although maybe the grug could possibly do something with this. SSL support, and a Triple DES encrypted PIN pad. So the PIN pad performs all the encryption within the device itself, has anti-tampering mechanisms, and I may talk a bit more about that beast a little later.

So these are typical ATM internals. A bit hard to see, but there's a receipt printer over to the right, a card reader, and there's a serial interface that leads down to the safe, which is wired to the dispenser, and there's various motherboard inputs: multiple USB, SD cards, the network connection and some debugging ports on this one. There's actually a cover in there that's protecting the circuit board; I simply just removed it for photo purposes. But I guarantee both of these ATMs are completely untouched and completely unmodified.

Now, funnily enough, of all the ways that an ATM talk could possibly be disrupted, it was actually almost my cat who took it down for me. I had a USB keyboard plugged in and he was chasing a moth or something, and he ripped out the USB port and pulled out the plug at the same time. But luckily the only damage was the USB plug, which was easily soldered back in. But anyway, bad kitty.

So in my opinion a presentation shouldn't really be a full-blown technical tutorial, so I'll be following up later with a white paper that goes into more technical details. But rather than digging deep into the ins and outs of CE internals, I thought I'd sum up the security hurdles I faced with this quote: "We were concerned about protection, but not about security. We weren't trying to design an airtight system like Windows NT." And this was from Thomas Fenwick, who was the creator of the Windows CE kernel, and this quote came from a book called Inside Windows CE, which is interviews with the core developers of CE, and it's an interesting read on the design approach that was taken. But essentially there were not many roadblocks. There'll be the technical information.
I think it lends itself better to a white paper, which I'll be following up with.

So before we can even think about giving that dude from Terminator 2 a run for his money and actually start devising attacks, the first step is to be able to interface with the ATM and gain access to the file system. Once we have access to the file system we can then pull the executables and be able to do some reverse engineering. Now, unfortunately, when the ATM boots it boots directly to its own proprietary application, so there's no Explorer shell, and we need a shell to be able to make things easier. Originally, I suppose naively, I thought I could just plug in a keyboard and Alt-Tab, but of course that wasn't to be the case. But to get a shell we'll need to have Explorer execute at boot time.

So the CE application boot sequence is fairly straightforward: the kernel, nk.exe, runs filesys.exe; filesys sets up the registry and file system and then it executes the applications that are listed in the registry key HKLM\Init. So the trick is to patch the application we want executed into that boot list. So of course we want to get Explorer into the boot list, and there's two approaches, basically. The first approach assumes you have a copy of the CE ROM image. The registry file can then be extracted, modified, and recompiled into the image. This requires a way to rewrite the flash, whether it be serial, Ethernet, JTAG, or what have you. And the other approach is to patch in Explorer while you're debugging, and this of course requires some sort of debugging capability: JTAG, Ethernet, etc.

So I decided to go with JTAG because it's a fairly straightforward way to accomplish our goals. JTAG is a hardware debugging interface which essentially gives you unrestricted debugging access to the processor core. Now, the hardware to do this used to be pretty pricey, but these days with OpenOCD and some of the open source projects you can get the needed hardware for less than a hundred bucks. Now with JTAG access you can remotely debug with GDB: debug the kernel, the boot loader and so on. Now, JTAG has been talked about to death, and there's a lot of resources online with a lot more information.

So here's just the hardware debugger connected to the motherboard. Now, it's probably obvious, but the use of hardware debuggers and things of that nature has absolutely nothing to do with the ATM attacks that I'll be demonstrating. I just simply used it to initially gain access so we can then go on to find real vulnerabilities.

But, um, speaking of JTAG, I actually learned a valuable lesson when I was messing with one of the ATMs. I had the JTAG hooked up and I was screwing around, and I accidentally wiped out a massive chunk of the firmware and overwrote all the ATM files on it. Now, at the time I couldn't get hold of the software to reflash it because I wasn't an ATM distributor, so I actually had to call a licensed ATM technician to come around to my house. Now three guys arrive and of course they ask again, "You know, why are these ATMs in your house?" And I thought, "I haven't moved them to my store yet," and all this type of thing. But anyway: "So what happened? How did you remove all this?" "Oh, I had it on a card, I was trying to change the splash screen and it all just wiped out." He's like, "Yeah, no, they'll do that, they'll do that." And, you know, so he starts going to work on the ATM and I'm like, "Firmware? What is that, mate?" You know, acting completely stupid. I mean, he ends up teaching me a hell of a lot about hacking ATMs. I got his business card, we kept in touch. Unfortunately, after this presentation that relationship may be severed. Oh yeah. So the lesson is: always back up the firmware first.

So now that we can debug, we need a way to inject. With the debugger connected, simply set a breakpoint on CreateProcess, and that offset was found by simply dumping the memory from the ATM and doing a byte compare to an offline version of coredll. Now, when working with the ARM processor, the parameters, when passed to a function, are passed in registers before they utilize the stack. So r0 will have the first parameter, which is the executable that you want to execute. We simply replace that string, which would normally be the ATM executable, and overwrite it with explorer.exe. Now, if Explorer doesn't exist on the image, then you just put a copy of Explorer on a removable drive and pass that full path to CreateProcess, and so then you get a shell on the ATM.

When I first was playing around with the ATMs I was quite excited just to have a little shell on them, so I had them playing movies and whatnot. But, not really surprising, the ATMs are pretty crap for playing movies. Slow frame rate and the six-inch screen.
So it will not be replacing the flat screen. So now we've got Explorer, we can plug in a USB drive and a keyboard and copy off the files for reverse engineering. Then we can modify the registry so Explorer will always boot. Now, remote debugging with JTAG over GDB is not the ideal way to debug a Windows machine, so the next step is to set up a better debugging environment. And there's a way to debug Windows CE applications without having ActiveSync installed, and that's to debug with Visual Studio over Ethernet. So you simply build an empty project, overwrite the local executable with the executable from the device that you want to debug, set the correct TCP settings, copy the file over, run it under the debugger, and you have application debugging with Visual Studio. So now, finally, we have everything in place to be able to reverse engineer the software to locate vulnerabilities, but also to test any software that we create for the ATM.

So, planning an attack. There's a fairly limited attack surface, really. We have the card reader, but assuming we have an overflow or some other string-based attack via the card tracks, there's a limited amount of characters in a very restricted character set. So I'm not going to say it's not possible, but I will say it would be unlikely to be practical or reliable. The keypad: another long shot, but maybe there's possible master passwords or backdoors left in by the developers. Then the network: so any open ports, an answering phone line, any options for a remote attack. And we also have the various inputs on the motherboard itself, but of course this requires access to the motherboard.

So of course progress is never really made without a few failures along the way, and in my attempt to come up with a Terminator 2 style hack I made this little device. It's basically an electromagnet wired up to an amp which is connected to a media player, and you create a WAV file which is made to simulate the data on a magnetic stripe. Plug the electromagnet into the ATM, flick the switch, play the WAV file, and the ATM will think a magnetic stripe's being read. Technically it works fine, but it was actually bugger all help.

So the goal of course is to execute code on the ATM. So I'll talk about these walk-up attacks first. Now, the cash dispenser is housed at the very least by a safe if you take the cheapest option; if you spend a bit more you can get even more heavy-duty protection. The motherboard, on the other hand, is protected by a one-key-fits-all lock, and this is actually standard practice across the board. And these keys, like almost everything else on the internet, are easily available to add to cart. And funny enough, there used to be Diebold keys last year when I was looking, but they've since vanished. But I'm sure with a little creativity they could be found. But as you can see, most manufacturers take this approach.

So the walk-up attack: so now with your master key you have access to the USB slots and whatever other inputs. So you can pop open the motherboard compartment and insert a USB key in a couple of seconds. A lot faster than installing a skimmer, right? Now, even though the attack time here is short, there's still the possibility of being detected. But you know, I suppose that's the great thing about these retail and standalone type ATMs: you know, they're out by the restrooms, out of sight, off by the ciggy machine or something. And I suppose then there's also that psychological aspect of using an ATM machine: it's kind of considered rude to look over someone's shoulder, unless of course you're a criminal, and then you'd probably learn a trick or two anyway.

Now, all ATMs need a way to upgrade their firmware, and this is most often leveraged via their removable drives. So the ATM application checks the drive for a valid upgrade; if valid firmware is found, it upgrades and stores whatever we decide to add in there. Now, of course, the firmware is typically a proprietary format, with checksums and encryption, and the algorithms are easily figured out by reversing the code on the ATM side. So once you can create your own firmware package that adheres to the correct format, well, then you can upgrade, but upgrade with a few modifications, of course.

Now, the most important attack is the remote attack. Now, most if not all ATMs that run on a Windows-based OS support some form of remote monitoring or remote configuration. So this allows you to log into your ATM remotely, review or change the settings, get stats, change the splash screens and so on. Another quite useful feature is the ability to remotely upgrade the software. Now this is sometimes a feature, but always something you can leverage if you have a vulnerability. Now, obviously, authentication is required to be able to do anything useful. With the particular model I'll be demonstrating, both a serial number and a remote password are required, and they're both made up of a combination of numbers and letters, and a five-second delay is forced after each connection attempt. So a brute force is basically out of the question. So we require a vulnerability within the authentication process, and it just so happens...

So let me introduce Dillinger. Dillinger is my remote ATM attack, or administration tool, whatever way you want to look at it. Dillinger, named after the bank robber, of course. So we've talked about loading code on a local ATM machine with a master key and a flash drive. With the correctly formed firmware you're basically set, but the obvious drawback here is you have to interact with the machine itself. So the ultimate win would be to be able to execute code or load code remotely, and that's where Dillinger comes in. So Dillinger takes advantage of a fairly severe vulnerability in the ATM management capability, and interestingly, although most operators don't use the remote monitoring, it's enabled by default on this particular manufacturer.
Now, typically, to log into the machine remotely we require the knowledge of the serial number and the password, but due to an awesome vulnerability I can bypass all authentication on the device, and the remote attack is 100% reliable. So Dillinger supports TCP/IP and it supports dial-up as well, and I heard through a fairly knowledgeable source that most of these standalone ATMs, approximately 95% of them, are still on a dial-up connection. Now of course, back in the day, finding an ATM over the phone line would be a long process of nights and nights of war dialing, but, you know, thanks to tools like HD Moore's WarVOX, you can map out modems on an exchange in a matter of hours. Then write a custom tool to find the ATM responses and you're away.

So, Dillinger features. So Dillinger will allow you to manage an unlimited amount of ATMs through its interface. You can add a group, say you add a city; under the city you add each individual ATM, either its IP address or its phone number. Now, the heart of the tool of course is the authentication bypass that it exploits, and this is the stepping stone to be able to do anything useful. So one feature in Dillinger is to be able to test the bypass in a way which confirms the vulnerability but doesn't actually modify the remote ATM in any way or leave any trace. So the obvious problem of finding a remote ATM is that you have no idea of the location. So Dillinger can pull the ATM settings from the device, which includes all the master passwords, but it also includes the receipt data, and you know when you use an ATM, the bottom of the receipt always has the location or the name of the business. So even if it doesn't have the exact location, we'll have the name of the business. And of course the best feature is to upload my rootkit. Again, it bypasses authentication, initializes the software upload, uploads the rootkit and then basically lets me overwrite the entire firmware of the device.

So in general someone is going to need to be at the ATM if you want to get any sort of payout. So again, I added a feature so it'd be possible to carry out an attack without ever visiting the ATM at all. So when someone inserts a card the track data is captured and saved, and I can then retrieve that track data remotely. And finally, the remote jackpot, which kind of speaks for itself.

So Scrooge is the ATM rootkit, developed specifically for ATMs running on Windows CE. Scrooge implements the typical rootkit technology you'd expect: hides itself and its friends via various CE system hooks, hides itself from the process list, hides itself from the file system by hooking syscalls and filtering the results. And there's a hidden pop-up menu which can be activated both by a special key sequence on the ATM or by inserting a card with custom track data. Now, it'll run on any ARM or XScale based ATM with a few tweaks. Originally I was designing for both Intel and ARM, but it turns out that CE on x86 is actually pretty rare and basically non-existent in the ATM world. So the code for interfacing with the ATMs has to be customized for the different ATMs, as they all use different peripherals and kind of non-standard ways of communicating. So, Scrooge's hidden menu.
I just use a standard SetWindowsHookEx filter to capture the side buttons on the ATM. Although SetWindowsHookEx is actually undocumented in CE, it still exists and it works as expected. So a combination of keys will trigger the hidden menu, and it's varied enough not to be launched by accident. But maybe if there's a kid playing around with the ATM he may end up scoring big. And the card reader is hooked by an inline detour-style patch. So this is where you essentially patch a branch instruction into a piece of code you'd like to intercept; the branch jumps to your code, your code executes, then returns to your original function. Now, with the hook in place there's a check on the read buffer for track data that matches "gimme the loot", and if it matches the menu is brought up in that way as well. So the menu functions are fairly standard for what you'd expect: you can dispense from each cassette, print out stats, which include the remaining bill count, and you can exit.

So yeah, to add my own functionality I've added a few inline patches. Essentially you can patch a small assembler stub into the functions you want to hook; the stub then calls a function in an external DLL, executes any overwritten instructions and then continues as normal. This could be done dynamically, but the fact that the ATM vulnerabilities allow me to replace the executables entirely means we can make these patches permanent, which is actually far more reliable. And it's also a lot easier on ARM, as every instruction is 32 bits long as well. So I place hooks at the card reader, the PIN pad and the parser that handles remote configuration commands. So with those hooks I can now add my own handy features: so I can save the track data, capture the PIN pad, have a few custom remote commands. So, pull the track data, sure; remote jackpot, might as well.

All right, so there's going to be quite a lot of demos. So I went through that a bit quick because I think it's probably 25 or so minutes of demos. So I may as well put my money where my mouth is, or the ATM's money where its mouth is, I guess.

Okay, so this is Dillinger's interface. We can add a group, so we'll say Black Hat; add an ATM, Barnaby's ATM, location on stage at Black Hat. And Dillinger supports both dial-up and TCP/IP, so in this case I'm using TCP/IP, of course. By the way, just to reiterate, this is by default: remote functionality is enabled on all of these ATMs as they ship out. This one here at least, not the other one. Okay. So now I can right-click on my ATM. I can then test the bypass, upload the rootkit, reset to default, get the track settings, get ATM settings, etc. So, let's see. I'm trying to think if we should switch to the ATM... You know, not just yet. Okay, so I can test the bypass: connects to the ATM, "Testing ATM authentication bypass... success", and it disconnects. Now we'll actually blow up the ATMs in a sec, but all that shows on the ATMs is just the RMS process; I have to wait till that goes away. So it's nothing too noticeable, you know, if you see this ATM. Actually, if someone close to the thing could let me know when it's gone.
Okay. So now, the most important feature of course is to upload the rootkit. So we'll upload Scrooge, the final version: connects, sends a bypass, successful, initiates upload, and it's uploading it to the ATM now. This is bypassing all authentication in the ATM, and by default. Now, even though it's over the network, it takes a little while because they have their own proprietary protocol which acknowledges each packet and then has a small delay and so on. The proprietary protocol of course has its own proprietary encryption, and you all know what happens when people implement proprietary encryption: it's fairly easy to make your own.

Okay, so when it finishes uploading the ATM should reboot, and if we could flick to the ATM now on the screen... It takes a little while, Windows CE, you know, it's not the fastest beast out there. Yeah, if we could just pan out just a bit too, if we could get the screen and the dispenser. Yeah, that's cool. What's that? Oh, that'll be spitting money, mate, don't worry about that. Okay, let me make sure I have my little card here. So as I said, there's two ways to get the remote menu, or the hidden menu, to pop up. One is with a special card with the track data. So if we insert... Okay. I always say it's 100% reliable, and why doesn't it work? There we go. Okay, so that card now has popped up my hidden menu. You can dispense 50 bills from A, B, C or D, which are the four cassettes in the dispenser; you can print statistics, which give you the master passwords and so on; or you can exit. So I'll just dispense 50 from the first cassette. These are million dollar bills, but they will probably not be much use at the craps table. The other one will spit out a bit better currency. Okay, so now we can exit. And I said there was a key sequence which you could also enter to pop up the menu. These buttons are a bit bugged. Let's try that again. I've obviously pressed these buttons a fair few times. There we go. So we can exit from that too.

Okay, so can we cut back to the computer? Okay, and it'd be nice to know where this ATM actually is as well. So we can retrieve the ATM settings: connects, retrieves the settings, and saves them to disk. Now you can see, so up here are the passwords to the ATM itself. I don't actually live on 123 Kiwi Street, by the way, but I do live in San Jose. And then it has the phone numbers as well as the IP addresses and the receipt coupons and all that type of thing. Now, of course, one of the greatest things about this is the fact that you can retrieve track data from people who insert cards. So would anyone like to volunteer? Is Brandon here? There he is. Brandon, I think, has a custom credit card especially for this. So can we flick to the ATM again, please? Can we cross to the ATM? Okay, so just insert your card as you normally would use an ATM. All right, thank you, sir. So back to the computer, please. So now let's see if we can get the track data that he just inserted: connects, retrieves the stripe card data, saves it to disk. Okay, so you can actually see, the first one was the "gimme the loot" where I actually had my demo card, and then the next track data... This doesn't look like a credit card, Brandon. "Dr. Raid of the Buster Card with the card leak leak leak leak leak leak leak leak leak." But of course it will capture any credit card that's entered into the machine. And finally, the remote jackpot, which is always handy. So go back to the ATM, issue the jackpot command. We have a winner.

Now, before I... I'm not going to let the other one get off scot-free, so I will quickly demo the walk-up style attack. Now, I'm not as fast at this as I should be, but I will try it anyway. So remember the walk-up attack is simply popping open the cabinet, inserting a USB and restarting it. So... right, so that's the attack done. I wouldn't be spotted if I was out by the restroom. Um, I think, just to make it look a little better on stage,
I might just open the cabinet here, not opening the safe, of course, it's the cabinet. So the other attack was somewhat practical; this one, you'd probably end up on World's Dumbest Criminals, as you'll probably see soon. Okay, so it boots right now; it should be reading the firmware off that USB drive, copies the firmware over, and as it initializes, the little Black Hat logo floating around the screen. Obviously in the real world it would be a rootkit, not a Black Hat logo, but I kind of tailored this for both Black Hat and for Vegas, as you'll see. Nine processes, and not the fastest. I just want to see how long it actually takes to dump its entire dispenser. It will start with million dollar bills and it's going to switch to IOActive currency, which also doubles as invites for the party. So I want there to be a big pile at the end. It still hasn't got to the IOActive currency; I should have put that first, I guess. There we go. Okay, we can probably flick back to the presentation now.

Okay, so countermeasures. I may just disconnect the sounds really quick. So the obvious physical countermeasure to prevent the walk-up attack is to offer upgrade options on the locks themselves, so there's a unique key for each ATM. Now of course, if you want to take this into your own hands, just drill a hole and throw a padlock on it. If a trusted environment was set up that only allowed signed executables to be run, that would prevent the original attack, and although it wouldn't have prevented the actual attack vector of the remote attack, it would have added a barrier to executing rogue executables. Now, unfortunately, in Windows CE 5 implementing the trusted environment isn't as straightforward as it should be: code has to be introduced into the build, and I think the option to implement a secure environment should be a lot easier. But what you can do right now to prevent the remote attack is to disable RMS on the device. There's a high chance that you're not actually using the features, so disable it; that can be done from the operator menu.

And finally, it's time to give these devices an overhaul. There hasn't been a secure development methodology from the get-go. Those who need to play catch-up: have the code audited, have penetration tests, and implement best practices from here on out. So there's been a noticeable surge in the community of researching proprietary devices like ATMs, and the simple fact is that the companies who manufacture these devices aren't Microsoft, right? They haven't had 10 years of continual attacks against them, so their software, unlike the software that Microsoft got forced into a secure development process for, hasn't gotten where Microsoft is today. We're talking about devices that were developed without secure principles in mind. I think it's important to dig in, research these devices, find vulnerabilities, find solutions, and ultimately ensure a more secure future. So, cheers.
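Added example, not part of the talk and not code from Dillinger, Scrooge or any ATM vendor: the talk's attack-surface discussion says a string-based attack through the card tracks is impractical because the reader delivers only a short string from a very restricted character set, and the countermeasures section asks vendors to apply secure development practice to the ATM application. The parser below makes both points concrete. It is a strict ISO 7813 track 1 / track 2 validator of the kind the ATM application should run on every read before any other code touches the buffer: it enforces the track alphabets (track 1 is the 64 characters 0x20 to 0x5F, so no lowercase; track 2 is the 16 characters 0x30 to 0x3F), the maximum track lengths (79 and 40 characters including sentinels), the field layout, the Luhn check digit on the PAN, and agreement between the two tracks. The assumptions are mine: the reader hands the application the raw characters between and including the sentinels, the reader hardware has already verified the LRC, track 1 uses format code B, and the sample tracks are constructed around the well-known test PAN 4111 1111 1111 1111, not a real card.

```python
"""Strict ISO 7813 magnetic-stripe track validator (added example).

Assumptions (not from the talk): the reader returns the raw characters
including start/end sentinels, the LRC was checked by the reader, and
track 1 carries format code B (financial cards).
"""
import re

# ISO 7813 alphabets: track 1 uses 0x20..0x5F (no lowercase letters),
# track 2 uses 0x30..0x3F (digits plus : ; < = > ?).
TRACK1_CHARS = frozenset(chr(c) for c in range(0x20, 0x60))
TRACK2_CHARS = frozenset(chr(c) for c in range(0x30, 0x40))
TRACK1_MAX = 79   # characters, sentinels included
TRACK2_MAX = 40

# Track 1: %B<PAN>^<NAME>^<YYMM><service code><discretionary>?
TRACK1_RE = re.compile(r"^%B(\d{1,19})\^([^\^]{2,26})\^(\d{4})(\d{3})([^\?]*)\?$")
# Track 2: ;<PAN>=<YYMM><service code><discretionary>?
TRACK2_RE = re.compile(r"^;(\d{1,19})=(\d{4})(\d{3})([^\?]*)\?$")


def luhn_ok(pan: str) -> bool:
    """ISO/IEC 7812 Luhn check digit validation of a numeric PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _check_alphabet(raw: str, allowed: frozenset, max_len: int, name: str) -> None:
    """Reject over-long reads and any character outside the track alphabet
    before the layout regex ever sees the data."""
    if len(raw) > max_len:
        raise ValueError(f"{name}: {len(raw)} chars exceeds {max_len}")
    bad = sorted(set(raw) - allowed)
    if bad:
        raise ValueError(f"{name}: characters outside ISO 7813 alphabet: {bad!r}")


def _check_expiry(yymm: str, name: str) -> None:
    month = int(yymm[2:])
    if not 1 <= month <= 12:
        raise ValueError(f"{name}: bad expiry month {yymm!r}")


def parse_track1(raw: str) -> dict:
    _check_alphabet(raw, TRACK1_CHARS, TRACK1_MAX, "track1")
    m = TRACK1_RE.match(raw)
    if not m:
        raise ValueError("track1: does not match IATA layout")
    pan, name, yymm, svc, disc = m.groups()
    if not luhn_ok(pan):
        raise ValueError("track1: PAN fails Luhn check")
    _check_expiry(yymm, "track1")
    return {"pan": pan, "name": name, "expiry": yymm,
            "service_code": svc, "discretionary": disc}


def parse_track2(raw: str) -> dict:
    _check_alphabet(raw, TRACK2_CHARS, TRACK2_MAX, "track2")
    m = TRACK2_RE.match(raw)
    if not m:
        raise ValueError("track2: does not match ABA layout")
    pan, yymm, svc, disc = m.groups()
    if not luhn_ok(pan):
        raise ValueError("track2: PAN fails Luhn check")
    _check_expiry(yymm, "track2")
    return {"pan": pan, "expiry": yymm, "service_code": svc, "discretionary": disc}


def validate_read(track1: str, track2: str) -> dict:
    """Parse both tracks and require the shared fields to agree."""
    t1, t2 = parse_track1(track1), parse_track2(track2)
    for field in ("pan", "expiry", "service_code"):
        if t1[field] != t2[field]:
            raise ValueError(f"track1/track2 disagree on {field}")
    return {"pan": t1["pan"], "name": t1["name"],
            "expiry": t1["expiry"], "service_code": t1["service_code"]}


def rejects(parser, raw: str) -> bool:
    """True if the parser refuses this read (used by the self-check below)."""
    try:
        parser(raw)
    except ValueError:
        return True
    return False


# Constructed sample read around the test PAN 4111111111111111 (not a real card).
SAMPLE_TRACK1 = "%B4111111111111111^DOE/JOHN^2512101000000000000?"
SAMPLE_TRACK2 = ";4111111111111111=25121010000000000?"

if __name__ == "__main__":
    print(validate_read(SAMPLE_TRACK1, SAMPLE_TRACK2))
    # Lowercase is outside the track 1 alphabet; a 56-character track 2 is over length.
    print(rejects(parse_track1, "%B4111111111111111^doe/john^2512101?"))
    print(rejects(parse_track2, ";4111111111111111=2512101" + "0" * 30 + "?"))
```

The order of the checks is the point: length and alphabet are enforced on the raw buffer first, so the layout regex, the Luhn arithmetic and anything downstream only ever see a short string drawn from a 64- or 16-character set. That is the property the talk relies on when it rates the card reader as an unlikely code-execution vector, and it is also the property a vendor can cheaply guarantee in their own input handling.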