Hi everyone, my name is Roy Davis and welcome to my talk, No Key, No PIN, No Combo, No Problem: Pwning ATMs for Fun and Profit. Shout out to all my homies at DC612 in Minnesota, and for anybody who wants to get a hold of me about the content of this presentation, my contact information is all on the screen there. Before we get too far into this, I've got to say this content is provided for educational and entertainment purposes only. Unauthorized access of other people's ATMs is illegal. Don't do it. Don't do it. You're gonna go to jail. Secondly, this presentation is not associated with my employer in any way, except to say they've been very supportive of this opportunity and of me, and I really appreciate that.

So why ATMs? There are several answers to this question. The first being, when I was a kid, I used to go to the grocery store with my mom and she'd walk up to this machine once in a while that said Instant Cash on the front. And I thought, man, this is great. How do I get a piece of this action? I want instant cash. And a long time went by. I graduated college, I got into security and I got into pen testing. I never forgot about that childhood dream. I always wanted to learn how those things work inside. How can they be configured or misconfigured? What does their network traffic look like? And how secure is that vault? In my opinion, cash is not going away anytime soon. Cash still provides a level of anonymity to people who use it that cards just don't give you; they leave a paper trail. ATMs are everywhere, all over the world, and increasing in numbers, as you can see in this chart: between 2008 and 2019, about a doubling of the number of ATMs. A lot of people think that on these machines in bars and restaurants and wherever, as long as this thing keeps working, it's good, right? The low level of security maintenance adoption for these machines is incredible.
If you think it's hard to get PC users or an infra ops team to apply patches in production, imagine trying to get bar owners to update their ATM software. It's really, really difficult. Also, a lot of ATM security seems to me to be based on obscurity and lack of design transparency. Huge amounts of documentation are missing. Try searching the internet sometime for communications protocols or encryption implementations or mainboard pin layouts. It's really difficult to find anything about that. This is a document I found from 2002 discussing the Triton-COM protocol. It's a preliminary release and it's missing a lot of current info. I also believe that if honest researchers continue to expose vulnerabilities in these devices, the increased awareness can only serve to encourage the manufacturers of these devices to make them more secure, which makes all of us safer in the long run.

The last reason I'm interested in this kind of research is really all of these folks. A huge shout out and thank you to these pioneers in the ATM and electronic lock research field. They paved the way to establishing safe harbor for ATM vulnerability research, and I greatly appreciate and have enjoyed all of their work. I highly recommend watching these previous presentations if you want to learn more about things like ATM history, network attacks, firmware attacks, power analysis and spike attacks, and malware attacks. All of these previous researchers are brilliant and, in my estimation, most of it is probably beyond the capabilities of your average criminal. Today we're going to look at something a bit more on the physical side of attacks on ATMs.

Our agenda here is all about how I acquired my ATM. We'll look at some damage, some ways people damaged these things trying to get the money, some general ATM info, how I became a licensed operator, how that went and why I did that.
We're also going to be picking the ATM case lock, resetting the ATM password and bypassing the electronic vault lock. And then at the end we'll have some time for Q&A.

What was my goal? It was a fully functioning ATM in my home which I had complete access to. It'll process ATM transactions just like in the wild. I want to research and understand the entire attack surface, including the network traffic, the internal serial comms, the data stored on the device, the vault and the cash dispensing unit. What I have here behind me is that device. It came true, and I'm going to tell you how that happened.

These things are expensive, right? How did I get this thing? If you look on the internet, this thing is probably $4,000 new, a couple grand, two, three thousand used. That's too much for me if I'm going to do some research. So things like Craigslist and eBay are your friends. I'd been looking for an ATM for a long time when I found this one in 2018. This set was a hundred bucks for both. It seemed like a deal. I quickly started researching how they worked and what was inside them and how to duplicate the attacks Barnaby Jack had done in 2010. One of the things I found right away: default locks on these machines are garbage, commonly available locks and easy to pick with a rake. Also, among other issues, I found that the audit logs in these ATMs contain a wealth of information, including full debit card numbers and names of previous users in clear text, and dates and amounts of transactions. That was sort of surprising to me.

So I got bored with these things as time went by. I really was interested in getting my hands on an ATM that ran some flavor of Windows, because Windows is fun to hack and has lots of known vulns. This saved search had an alert that was turned on: any auction or ATMs for sale in Minnesota. And lo and behold, I got a hit. So here's this auction in Cambridge, Minnesota, about an hour and a half north of me.
And they were selling everything in this restaurant and gas station. This ATM was up for bid. And this is all the details I got. If you've ever been on auctions like this, you know that there's a very limited amount of information. I called the place and inquired about the condition of the ATM, asking what does "unknown working condition" mean. They had no idea. Everything is being sold as is. Closure auction, that's all they said. I did ask if there was any money in it, just kind of joking. The reply surprised me: there very well may be. This place got shut down with food on the shelves, drinks in the coolers and gas in the tanks. So at this point, I have no idea. I think they're just trying to get me to bid, right? Tell me whatever I want to hear. I bid a dollar. Now, I am quite competitive when it comes to auctions and I don't like to lose. So of course I won, with a bid of $220 at the last second. This email is the first time I learned that I won. And I also learned there's no code for the cash box. I assume they mean the vault. Well, what's going on here? I have no idea. What's this thing actually worth? Is it worth anything? Am I going to be able to get into it? Does it even work? Who knows? So I did a little digging and found out that, first of all, these machines are worth like 10 times what I paid for them. So, score. But maybe not if I can't get into the vault and I can't get this thing working.

Well, where did this thing come from? The gas station barbecue sounded sort of interesting. Here's the place that was auctioning off everything. It opened in 2018, February 1st, less than two years before I won this auction. Very strange. They're going to have Dickey's Barbecue. If you've ever had it, it's fantastic. I highly recommend it. March 18, kind of a review of the place. But uh-oh, just a little while later: assets 43k, liabilities 1.5 million. That's probably not going to work out long term for any business owner.
Things are starting to make sense here. So, hop in the car, an hour and a half north to Cambridge. And this is what the place looked like when I got there to pick up my ATM. A lot different than opening day. I walk in and I'm at check-in and I'm talking to the lady there and I say, what happened here? How did this place go out of business so fast that you couldn't get the ATM PIN for the vault or the top? And she says, as I understand it, there were some legal issues and the lender foreclosed and shut the place down. Okay, I don't know anything about all that, but that's what they say. So I go back over to the ATM. Let's get this thing going. Let's just get this thing in the Jeep and get out of here. I was not anticipating that it was going to be literally bolted to the floor and completely immovable. Okay, so I can't get into the vault to remove the nuts that are obviously holding this thing down to the floor. It's in cement. So I call the locksmith and I said, hey, I'm at this gas station. I won this auction. Could you please come over and help me break into this ATM to help me move it? The answer was a resounding no. No. So I asked the lady, how am I going to get this thing out of here? What's going to happen to this place? She said, I don't care. You got to have that thing out of here today. I don't care what you do to get it out. I said, what if I have to damage the floor? No problem. They're going to bulldoze this place at some point later. I don't care. I'm just here to auction stuff off. Okay. All right. Well, I want this thing undamaged because I want to do research on it. And afterwards, I might want to use this thing and start a business, make some money with an ATM. Who knows? So the only thing I can think of is go down to Home Depot and rent this guy, the Bosch Brute Turbo. Up to this point, I'd never used a jackhammer in my life, but how hard could it be? I've seen it done in cartoons.
Well, so I start jackhammering and hitting the ATM a couple of times there and jackhammering some more. And I'm getting a little further and jackhammering more. And it finally starts to come out and lean a little bit. It finally did fall over and I removed the concrete slab from the bottom, again with the jackhammer. For anyone wondering, it takes a novice jackhammer user roughly 40 minutes or so to get an ATM fully extracted from a cement floor. All right. Here it is out on the curb, in the Jeep it goes, and magically now it's back that afternoon in my office. Mission accomplished.

I plugged it in and booted it up, and I'm staring at this thing like, okay, so now what? What do I have to do to make this thing fully operational? I want to stick my card in this thing and have it give me money. I have no idea. I have no idea what to do. Time to research. First thing I notice when I boot this thing up is it's running Windows CE. That's pretty interesting to me. What could possibly go wrong? I was looking for a Windows box. So the next thing I do is hook it up to my local LAN and run an Nmap scan. Now, you'll see on the left here that I posted the Nmap scan that Trey Keown and Brenda So did at last year's DEF CON. So they had a lot of open ports on this exact same model. I only had 5555 open, which I learned from their talk is the remote management agent. I did install the remote management software and connect to it, but I did not do any sort of penetration testing against that endpoint. It was very intriguing and very attractive to do that, but it was not the focus of my research at the time. Trey and Brenda also demonstrated an overflow attack against this port that allowed modification of settings within the ATM. I would love to learn more about that and try that attack here. Okay, so here is the screen when I first boot up the machine. Apologies for the terrible photo.
After booting, I get this thing. It says the encrypting PIN pad has gone bad. I have no idea what that means. It needs to be replaced, I learned. Error code 97999, EPP error. All right, what's this going to cost me? So 320 bucks later, I've got a refurbished one and things are getting a little bit expensive. And so at this point, I've got to install an EPP in a machine that I've never really taken apart or worked on, but at least I know how to get into the top, which we'll see here shortly. First thing I needed to do was a little research on the inside of this machine, and along the way I put together a few slides about how ATMs work. So before we get too far, let's just take a couple of minutes here.

So there are two main categories of ATMs, with the distinguishing factors being the level of security the housing provides for the electronics and the money, the banking features available to users, and the amount of money within the machine itself. Drive-up ATMs are typically associated directly with banks and are mounted in an external wall of a bank, in a specially built enclosure like this one, or as a standalone unit, like out in a parking lot. There's really no easy access to the money or the electronics in the front of this machine. You really have to get into the building or get into the back somehow. Stealthy, undetectable access takes time, knowledge and skill, or granted access as an employee. The second type of ATM is the one you're probably most familiar with, and it's the type I bought for my research. These are much less expensive and there's far less security built into them, because they're designed to be installed where people are present and are working, like gas stations and such. They usually are not directly associated with any sort of bank, but they're owner-operated, so the gas station owner probably owns that machine as well.
It changes the threat model a bit here, because there's much less oversight to detect modifications to the ATM software, housing or network connection if this thing is installed in a hotel lobby or a big long hallway at a hotel conference center, or a bowling alley maybe, where there's not a lot of supervision. As we've seen, these things can be bolted directly to the floor, but many times they're not, because it's a temporary use location or it's going to be a limited time there or they move it around a lot, or for whatever reason maybe they just can't bolt it to the floor. People trying to get access to the money in these machines do a lot of damage, typically with various devices like blow torches and crowbars. This is actually the same machine I bought. And in this one, this Triton 9100, it looks like somebody used some sort of a cutting tool. I'm not sure why they chose that spot. You can't actually get to the money going through the side there, so they were probably very disappointed, or caused more damage to the CDU in there. So during my research, I see all this damage and I'm thinking, is this really what it takes to get into one of these things? Can you do it any other way? Can you do it in a way that doesn't leave obvious evidence? Maybe the answer is no. I don't know. So this one's my personal favorite, because I like the 4th of July, so anytime you go with explosives I'm going to watch. Not attracting any attention here, for sure. So here they stick the incendiary device in the output where the cash comes out, which is an interesting choice. And it just basically destroys the entire top, but the cash box remains intact. So that is not a good way to try and get into an ATM.

I would be really surprised if anyone here had never used an ATM, so I'm sure you're all familiar with these external parts that I've highlighted here. We're going to go past this.
All of the ATMs that you'll see essentially have the same internal parts and external parts. One thing you can see here is the false door, the safe door cover. That is protected by a cylinder lock, which is typically keyed the same as the lock that protects the electronics. Behind that false door is the electronic lock keypad and the lock bolt handle. You can see a wire coming out of the door here. That's a power cable for the light over the cash dispensing portal on the false door.

All right, so let's take a look inside the vault. Here we can see the door where the money comes out and, just below that, we can see the bolt action lever that lifts these huge teeth that interlock with the frame to keep the safe door shut. The safe door, by the way, is about 70 pounds. It weighs more than anything else on the machine. There's a look at the electric lock inside, and there is what's called the cash dispensing unit. Mounted on the cash dispensing unit is also a reject bin. Then there is the cash cassette, which plugs basically into a slot underneath the reject bin. We're going to take a closer look at all of these different things. Inside here you can see the belt-driven device that brings the money up and out of the cash dispensing unit. All right, so the next thing we're going to look at here is the reject bin. Not very exciting, but I thought you guys might just like the look in there. This is where crumpled money goes, things that can't go through the CDU. This is the back of the CDU. You can see the serial interface that goes up to the main board and also the power supply, which also goes up to the power supply in the main compartment. This here is the cash cassette. It also is locked with a tubular lock. Inside we can see the pressure-driven dispenser. It's spring-loaded. You can see a few bills in there. This is where a thousand bills can fit if you so desire.
This same machine that I have, even though right now it's configured with one cassette, can be configured with three cassettes. The module just plugs right in. It's really not a big deal, giving this machine a cash capacity of $300,000, because each cassette can be configured to hold hundreds. As we're going to see, you make the call at the end of this presentation: do you think that the locks and everything that are protecting potentially $300,000 are adequate or not?

Moving on to the top of the device. This lock is, like I said, usually keyed the same as the front, and as mentioned, can be picked. I'm showing you there that the lock is indeed locked, and I'm showing you there a cylinder lock pick. These cylinder locks have seven or eight pins. This one particularly has eight pins. I insert the pick and I start jiggling it back and forth, which moves the pick up into the right position, which moves the pins into the right position and unlocks the lock. It didn't take very long at all. You could also just buy this key on eBay. If you are lucky enough to get your hands on an ATM like I did for cheap, and you don't have the key, here you go. Go buy a key.

Let's have a look inside here, inside the top. Not many people get to look in here. We're going to give you a look here as well. Here are all the wires that go down to the CDU, and these come up, and there's the printer module, there's the power supply, a straight five-volt power supply, I believe, to the board, and 12 volts everywhere else. Here is the receipt printer. It has its own board and a serial connection and power cables there. All these cables come up through a junction right at the base of the main unit, and there we see the main board.
The main board here has an SD card, a lot of DIP switches that change modes and do various things, and we see an HDMI connector and a couple of USB ports, and then over here on the other side, we will see all of the different serial ports that drive the different pieces and parts of the ATM itself. There's the Ethernet cable, there's the modem, and the printer port, and down here we have the card reader. That's where all the money comes out, and right below there is the electronic, the encrypting PIN pad, the EPP that I replaced. All right, wonderful.

So we see the inside, and I mentioned the Ethernet port, so this thing is obviously talking to the internet, and it's obviously somehow doing transactions, so how does that work? Whether it's through a modem or it's through a NIC or something, we get an internet connection to the PPH, the payment processing host, using something called the Triton protocol, and then from there we're going to go to what's called the interbank network. So what is that? First of all, the processing host provides the connection information and encryption keys, which are configured in the ATM computer. They take a small percentage, the processor does, of the transaction fee, which is determined by the owner and charged to the user for each transaction. There are hundreds of processing companies to pick from. I just threw up a few brands here. An interbank network, the next step, is also known as the ATM consortium or the ATM network, and it's a computer network that enables ATM cards that are issued by a financial institution that is a member of the network to be used in ATMs that belong to another member of that same ATM consortium. The way that the banking industry came up in America was very fragmented, so there were a lot of little mom-and-pop shops and a lot of little networks everywhere.
In the 2000s, or 2003, by then we had a consolidation resulting in three major interbank networks, and now about 70% of the volume in the United States goes over those three networks. Past talks on ATM hacking have discussed building a dummy backend for the ATM to connect to, which would pretend to be the payment processing host. But I really wanted to see what the real thing was like, so to do this, I had to become a licensed ATM operator.

So why did I do that? Well, I really want the full real experience. I want to understand exactly what it takes to take any ATM to fully functioning and operate it after the fact. After my research is done, I want to put this thing in use. Minnesota is about to legalize weed, so maybe I'll put it in a dispensary, I don't know. So why do I have to be licensed? Well, the primary reason these laws exist and these licenses exist is to prevent money laundering and funding of nefarious activities. This is really tied to the Patriot Act of 2001, so you can imagine what I mean by nefarious activities. The licensing is done through NMLS, the National Multi-State Licensing System. I provide processor information. There's a background check. I have to fill out a bunch of paperwork. I have to show them my bank statements and let my bank know what I'm doing. I have to pay a couple hundred bucks in license fees, and it takes about four weeks or so, and you're gonna do something wrong, because no matter what you do, you're gonna fill out the paperwork wrong, and you're gonna have to do it back and forth a few times and sit on hold with the state and whatever. But sooner or later, you will become a licensed financial terminal owner.

All right, so I've got this thing on the network. I have my license. I can connect to the ATM network, the real thing. How am I gonna do that?
I'm gonna use a LAN tap, because I want to do this very transparently and not in any way that somebody can know what I'm doing. There's no opportunity for traffic manipulation here. It's really just sniffing, and I'm sniffing my own traffic. So as I run my own transactions with my own card, I can see what's happening. Now, the way a LAN tap works is there's a pass-through that goes directly through and is transparent to the server and the client. These other two ports that you can see are outbound from the ATM. So outbound traffic goes to my laptop. And then inbound traffic, coming inbound to the ATM, also goes to my laptop. And so if I spin up Wireshark and attach to both of those Ethernet devices, I can see both-way traffic. The problem is it's encrypted with TLS 1.2. But the ATM provides you a way to upload your own signing certificate, which I found very interesting. If you put a self-signed cert on a USB and stick it into the back where we saw before and you go to this screen, it says download cert from USB. So I'm not really sure how that all makes sense, but it's there.

All right. So we've taken a little look at the inside. We've taken a little look at the network. With the EPP replaced, I can now successfully boot the ATM and enter some data. One side note here. Anytime I see a big red thing that says warning and then do not do something, I always pay special attention to that. I like to do things that I'm not supposed to do. So this one says don't remove the cover, bad things will happen. At some point, I'm going to go look exactly into what that bad stuff is and see how this is implemented. It sounds like a really interesting research project. So anyway, booting this time, I get this great error message. It says FFF, FFF. That means that I need to provide some more setup information into the machine. All right. So to access the admin screen, I'll do Enter, Clear, Cancel, 1, 2, 3. All right. And so this gives me this nice enter-password UI, right?
But I don't know the password. This is the PIN I need to get to the admin interface. I tried multiple times to reach anyone associated with the previous owner. Still no luck. So I have no idea. The PIN is stored in memory somewhere on that board. I have no idea how to get to it. I don't know if it's encrypted. It's good to note that this password is different than the safe combination. The safe vault lock does not have any idea that this interface or this computer even exists. They're completely separate. This is just to get access to the admin operator interface. The default password here is 5555555. I know that because it's in their documentation. But unfortunately for me, that didn't work. I tried and I tried and I tried and I was up very late. The UI does give you three chances to enter the correct password, but then it'll send you back to the start screen again and then you have to do Enter, Clear, Cancel, 1, 2, 3. After a few days of guessing and falling asleep in my chair after guessing, I gave up and looked for other ways. So it turns out, after a lot of Googling and reading, I found that in recent versions of the software, the software house has implemented a security feature where the operator function passwords cannot be reset to factory defaults unless performed during a machine's first boot after reloading the software. If there's any way around this, I have no idea. I couldn't find it. The search continues.

All right, so how does the software reinstall work? Well, various versions of the ATM software are available if you search around. I found this one and downloaded it. I would love to find some older versions of this. If anybody knows where I can get my hands on some older versions of the software for the Triton 2700 CE, I would really appreciate it. This set that I found was, I think, the most recent version. So I put it on an SD card. There are various files here. If you want to know what they do, I think Brenda So talked about that in last year's talk.
I did delve into the update folder, where I found a master.zip file, and opening that is super fun. There's lots of fun stuff to play with here. I'm not sure if the bat files or some of these other files, the icons and the backgrounds, have any sort of CRC associated with them, if there's anything run on those, or if you can modify those and put them back on this disk and stick it in the machine and have it do some fun stuff. That's another research topic altogether that I wish I had time for and will probably do in the future. So my SD card goes in this slot. I have to push down DIP switch number four to make it boot into diagnostic mode. And this is where the computer will do all kinds of fun stuff and read things off the SD card. So, pick SD card. And now we're doing a software update. This takes about 10 minutes or so. That's what this install looks like. And after you do that, it will reboot and now you'll get the same screen. And we can reset the master password.

All right, so here's how we do that. We reboot again, and during the initializing screen, we get out our old Nintendo fingers and do Clear, Left, Right, Clear, Clear, Cancel. Clear, Left, Right, Clear, Clear, Cancel. If successfully recognized, the machine will ask you if you want to reset the master password. And then it will be set back to 555555. There's one caveat to this. It's not going to happen unless the safe door is open. If the safe door is not open, you're just going to get back to this screen. And so at this point, the safe door is not open. But I need to open it. I need to open it to complete the password reset for the computer. And I need to get into it to see if there's any cash in there, right? I really don't want to destroy the door in the process. I've already explained why. So the first question I have is, how does this computer know the door is closed? There must be a sensor somewhere in there connected to the door and connected to the main board.
I have access to the main board. I should be able to do this. So I reached for my favorite tool, the borescope. This here is a Depstech unit. 5 megapixels, HD resolution, rechargeable battery, wireless connectivity. It's great. The wire is rigid. You can bend it around corners, and it's 50 bucks on Amazon. How could you go wrong? As we'll see later in this talk, I did use this other tool, this other smaller scope called the otoscope. It's made to stick in your ear. This has a diameter of 5.5 millimeters, much smaller than the previous one. It's about 50 bucks for this camera as well. So I got the scope inside the ATM using the corners of the cash dispensing tray and also that hole where the wire came up for the lighting of the door. This is what I see inside. It's the reject bin. I can see the lock, the electronic safe lock, down there. I can also see some wires over far down there. If I turn the borescope a little bit, I can see the wire, or I can see the safe switch, the momentary switch, is the word I was looking for. This momentary switch is connected to the door and the door is pushing it in. It's basically telling the computer the door is open or closed. Following this wire up away from the momentary switch and across through some portion of the ATM, it finally does surface through this hole up to where the main board is. It comes over to this junction where it's conveniently labeled "front" and then it goes on over to the board where it's labeled CN16. If I unplug this, the question is, does it fail open or closed? Well, let's do an experiment to find out. I recorded this demo after I had the vault door open and the ATM was all set up and operational, but the results are the same, because the door is closed now and the ATM is operational because the door is closed. If I pull the door sensor plug, then the computer should think that the door is open and it should become not operational. What happens is I pull out the plug and it says the door is open.
The ATM is temporarily out of service, but it's not, right? We just saw the door is closed, but this is exactly what we needed in this case. I pull out the plug, I reboot, and while initializing, we do Clear, Left, Right, Clear, Clear, Cancel, and we get to this screen. Reset master password. Click yes. All right, it reboots one more time. I get here, I do 555555 and here I am as an administrator inside the computer. All right, so at least one of you was wondering, what was that QR code back there? Well, it's nothing. I'm not sure why that's there. It does not seem to be something that is alterable through the configuration and it just leads to nothing. A Google search, I guess. I have no idea. All right.

So now the password's reset. I can get to the ATM inside. I can configure it as I wish, but we really need to get into the safe to make this thing fully operational and, well, we'll see what's in there, right? So how? Well, first things first. What lock is this thing? Back to the borescope for some recon. I can see the lock. I can see some writing on it. It turns out, with a little Googling, this particular type of ATM uses this LaGard LG Basic electronic lock, and this is what it looks like. Now, in 2016 at DEF CON 24, Plore did a great talk about side-channel attacks on this type of lock. He used the side-channel attack to deduce the correct combination of this Sargent and Greenleaf Titan PivotBolt. Very similar to the lock that I have, the LaGard Basic, but not exactly the same one. This, however, is a YouTube video by EEVblog attempting this same attack on the LaGard lock, but without success. So I decided to come up with another way to figure out how these things work. I ordered one. And I also found out that there's another option, which I assume works the same sort of way, along the same lines as Plore's attack. This is called a Little Black Box, and this device, as well as this Phoenix device, they basically can reset the safe combo.
You take the cord that goes into the safe from the keypad and you hook it up to this device. It determines what lock you have hooked up to it, and then you click reset. What it's going to do now is some sort of an attack against the lock itself. I believe it basically guesses every combination in less than 15 minutes, and once it guesses the combination, I guess somehow it resets it. I really don't know how this thing works. You can only buy this if you're law enforcement, or if you own a bank, or are a licensed locksmith. So it costs about $3,000, and I don't have that much money, so I need another way. So I take off the cover. We see the circuit board. Then you can see the lock mechanism with the bolt and the rotation axis of the bolt. The main bolt handle forces down and rotates it in a clockwise direction. There is an anti-force mechanism here: there's a spring and a notch on the lock and the bolt. If you push down too hard, that notch basically engages and you can't push anymore. If we are able to rotate fully clockwise, then we will push that secondary bolt over into the notch, into that linchpin. Now, that linchpin will stop the secondary bolt from going over there unless we type in the correct code, which then provides a 9-volt DC charge to the little motor attached to the linchpin. The motor runs, the linchpin is moved, and we can open the lock. So now we know how this thing works. Here is a close-up of the DC motor and the linchpin. Again, if we apply a charge to the motor, then it will open. So basically all the money in this vault, $300,000 potentially, is protected by the lack of voltage to this DC motor. Is there a way from the outside of the vault to get voltage to this DC motor without anyone knowing, or without destroying the lock, or destroying the vault, or destroying the case? Let's have a look. This is a short video of the lock in action. Look in the middle of the lock at that linchpin, and you'll see that after I type in the code, the motor turns.
The linchpin goes up, which would allow the bolt to turn and the lock to open. Here is a look at the keypad, and another interesting thought that I had was that there is a lot of space inside this keypad thing that mounts on the front, and it doesn't appear to me, just doing some cursory research, that there is any encryption of the numbers that are pressed on the keypad as they're being sent into the lock. What you see here is a small experiment with an Arduino Nano in which I'm pressing keys on the keypad, recording the key presses into an Arduino Nano, and then passing them back on out to the lock. Very interesting research can be done here. I believe this is a successful man-in-the-middle attack against this particular lock. So, yeah. Moving on from that, we can see that I wasn't going to be able to use that attack to get into my safe; I had to continue on. Here are the power wires directly under the circuit board on the door side of the lock, so the metal you see in this picture would actually be against the door, and the lock sits directly behind this keypad, and the keypad is removable. And if we do remove the keypad, we can see through the hole where the wire goes to the lock that it is indeed the back of the lock, and it gives us this nice little landmark to know exactly where on the lock we are, because of this little solid silver dowel. I have no idea what it does, but it is there and it gives us a landmark. That little red X you see is exactly where those wires are that we need to get access to. So I need the right tool for the job to get access to this, something I've always wanted: an electromagnetic drill press.
So you're probably saying, wait a second, this is cheating. I wonder if I can just get a visual on those wires from the outside; I can come up with a way to supply current to them. And there just happens to be an existing hole in the door from the factory that allows for a different orientation of the keypad if you want. The hole is a quarter inch in diameter and it is exactly where I need it to be, and it is there from the factory. I need this to be a little bit bigger, but not too much. I went with a half-inch carbide bit, so I made the hole diameter... well, I put this bit in and I get my drill hooked up. Now, this drill has a binding capacity of about 3,000 pounds per square inch; it's not going anywhere once you turn it on, and the RPMs of this drill is about 1,200. A carbide-tipped drill bit, really no match for this safe door. It really only takes a couple of minutes to get in there. It takes me a little bit longer because I'm not exactly sure what the depth is, but suffice to say I get into the lock without damaging it in any way, and now we can see the wires of interest. And keep in mind, if I put the keypad back on, our mischief is fully concealed and nobody is the wiser. All right, so the last piece of the puzzle: how do I get power to these wires through this half-inch hole without breaking the lock? Thinking and digging around, I figured out that there's this tool called a puncture probe. It's exactly what I needed. This is how it works, the idea: you know, you retract the probe, the puncture pin, you get the wire in there, and you release the pin into the wire and you have connectivity, and you can connect a wire down at the base of the probe. So this is kind of what that looks like. I built my own probes because those plastic ones were far too big. So what I'm doing here is I've punctured these wires on my workbench and I'm applying a 9-volt charge to them, and you can see that it is opening. Again, the problem was that these were way too big for the access port that I had drilled, and I certainly didn't want to cheat anymore by making the hole bigger, so I designed something smaller. At that time I used this little piece of wire with a hook on the end, and here you can see what it looks like when it's all set up. I hooked up the 9-volt battery and nothing happened. I was a little worried that my 9-volt battery was bad, so I hooked it up to a DC power supply and I gave it 17 volts, just in case it needed a little extra juice.
Here's the full scene when the vault was opened for the first time, back in, I believe, the end of March or early April. And yeah, so you can see the scope there, and you can see my tool, the tool that I used, the puncture probe; you can see the wire tool that I created, the inside through the borescope, and then here we go: the door is open for the first time and we can see inside. So here's a demo of what just happened: as you can see, the lock is locked as I push down on it; attaching the probes and applying voltage, and the lock opens. I'm going to skip forward because I'm running out of time here, so we're just going to go past this one. To again: if I put the keypad in place, there's no evidence of intrusion, and as an added bonus, if you want to go the extra mile, you can cover the access hole with this half-inch plastic cover. Like, barely noticeable, right? Right. Again, not as satisfied with the smaller probe; there must have been a way to do it with a smaller hole. So I started taking these probes apart. I pulled off the plastic sheathing and saw the probe inside. I went and grabbed a stainless steel 3 mil tube, I put a little notch in the end, and heated up the tube to melt into the plastic of the probe, and this is what it looks like when it's all together. And it's a lot smaller: it's 6.2 mil versus 29, so a lot smaller, which means I can now do this attack with a much smaller hole.
All right, some loose ends quickly. I sent dormakaba this letter to let them know, some pre-disclosure, pre-talk disclosure. I never got any response from this. I used my email to secure.hyosungamerica. I never got a response to this one either; I got a delivery failure notice instead. As far as the money, there was money in the ATM. On a trusted source's advice, I am not going to tell you exactly how much it was, I will not disclose that, but there was enough to pay for the research project and the ATM and a little bit left over. Follow-up research: ATM Wi-Fi, really cool I think; the vault lock man-in-the-middle I showed; ATM software modifications, which we talked about; maybe the USB and SD card could be fun to mess with; internal serial comms between the top and the bottom, between the CDU and the computer, can we capture and replay; how about EPP deconstruction analysis; that warning message we saw. Those topics I think are fascinating and I will continue research. If anybody else wants to join me, please reach out to me. So in conclusion: no key, no pin, no combo, no problem. Thanks for watching, have a great day, and I hope you have a fabulous DEF CON. Bye bye.