So for the very last talk of this evening, after learning how to break into intercoms, we're gonna learn a huge number of ways in which you can break into ATMs. We've got here Olga and Alexey. They are part of the penetration testing team at Kaspersky Lab, and they will tell us more about this. Thank you.

So most of you use bank cards to buy something in shops and malls and other places. But sometimes you need cash. For example, when you go to the lounge and want to buy some Tschunk, you need to go to an ATM. You look around and search for skimmers, for hidden cameras, for some fake pin pads or some other stuff from bad guys, and if everything is okay, you insert your bank card into the ATM, enter your PIN, enter the amount of money, and what can you see? The ATM says that there is no money, for a long time. From the bank's side, this ATM is full of money. That's because some lucky hacker, maybe right now, jacked all the money from this ATM. And if he was really lucky, he obtained a quarter million euros, and that's because this ATM is not ideal. So today we would like to tell you about the ideal situation, when the ATM is secure with several levels of protection.

Time to say hello. I am Olga Kochetova and he is my colleague Alexey Osipov.
We are from Kaspersky Lab. We get our knowledge from ATM and POS security assessment, penetration testing, forensic investigation and other funny activities.

But first of all, let me give you several words about ATMs in general, just for your understanding. You might be familiar with various types of ATMs, for example cash-in or cash-out ATMs, or even recycling systems. It might be a standalone ATM or a through-the-wall ATM, but it should be noticed that there are several ATM vendors around the world. They just take small parts, small hardware units produced by various manufacturers, put them together into the box and call it an ATM. So it's just Lego for big vendors, for big men.

So the top box of the ATM is called the service zone or cabinet. There is a PC, which is just a usual PC, a card reader, a pin pad and so on. The bottom box of the ATM is called the safe. There are some financial devices such as the dispenser to eject money, or the note acceptor to insert money, and so on. All hardware units are connected to the PC through serial or USB ports. The main software is a Microsoft Windows based operating system, and in most cases the ATM runs on Windows XP, despite the fact that Microsoft stopped supporting this operating system almost three years ago. There is also the main ATM software, which provides the graphical user interface to interact with customers or with service engineers. Another part of this software is a piece of software to communicate with the processing center, to interact with bank networks. And the last part is the device control systems. There is also some security software such as antiviruses, integrity control systems or video surveillance, but there is also, and often, some very creepy software and very needless software, and sometimes this software gives an attacker unlimited control of this ATM.

What about devices? Devices are unclear. There are some strange microcontrollers with real-time operating systems, and usually the guys who love it are very sad about it. On the slide you can see a small schema of the ATM, and it is not complex and very
linear. It should be easy to implement secure communication. Generally, no data from hardware units is needed inside the ATM, and it is only requested by the so-called processing center, which makes the decision to give or not to give money. Other components should just relay data, wrapping it in additional security layers, like an onion in Tor networks. To get to the data or the money, one should uncover all layers, or be very near to the money.

In Wonderland, all ATMs are secure, and let's see how. The lowest level is closest to money and very important to protect. Money is contained in the cassettes, and in Wonderland cassettes are themselves secure. No one can get money from them without special permissions. They are not only physically secure but also logically secure: if someone tries to eject money, it will be evident and very hard. Nonetheless, if someone steals the cassettes, it will be easy to trace them, and if someone tries to open the cassette, the money will be destroyed. For example, on the slide you can see money destroyed with hot glue. In the extreme case, even if a cassette is opened and the money is not destroyed, the bank can trace the banknotes by different means, for example by using the sequential numbers on the banknotes, and they can be traced like in the movies.

And not only cash is the goal for criminals. They also hunt for card data. But in an ideal world card data can't be stolen. There is no static data to be copied, and as for dynamic data, it uses a challenge-response scheme that protects against relay attacks, and in this case that data cannot be stolen.

But it was only in Wonderland, because since a bank card contains a magstripe, it can be intercepted, and EMV is not a panacea. While there are places and even countries that don't use EMV chips, there is always the possibility to withdraw money knowing only the magstripe. Even then, there is the possibility of an online relay attack: you insert a card into some ATM, but money is dispensed from another ATM. As for cassettes, they are not so secure. Most cassettes have all the mechanics to eject
notes outside of the cassettes, so it is possible for attackers to get cash by using only a screwdriver. And if money is stolen, it is hard to trace it, because it is still a hard task to mark banknotes and to know where they are used.

So let's go up to level one. It's the hardware units level. And as I already mentioned, an attacker can get a quarter million euros from each ATM. I think it's enough. This amount of money is enough for a couple of Tschunk for everyone. A typical dispenser consists of four cash cassettes and one cassette for rejected notes. There are also many sensors, LEDs and mechanisms which withdraw money. Some of them eject money from the cassettes, other ones present it to the customer, other ones check the size of the banknotes, and so on. So it looks like the firmware should be very complex.

The other interesting device is the card reader, which is used to read the magstripe and also to communicate with the chip to conduct financial transactions, and to check biometric data contained on the chip regarding match-on-card technologies. This device also should communicate with other units, such as the pin pad for offline verification, and biometric devices for biometric authentication.

The PIN code is used together with card data for client authentication. It is the most secure element, because different standards, PCI, EMV and other standards, provide the bottom line that pin pads should comply with. But not everyone knows that there are two modes of operation, secure and open. Secure mode is used for the PIN code, and open mode is used for other inputs, for example when you enter the amount of money.

Biometric authentication gains popularity because of increased security. There are different kinds of recognition, such as iris, fingerprints, face and so on. Such features uniquely identify a user.
So if they are presented to the ATM, such a user is considered good. Such features can be revoked or changed. Only the processing center can send commands to hardware units, and hardware units authenticate with the processing center. But sometimes authentication guarantees the integrity of commands, but data should also be protected with encryption. In the ideal situation this data is only needed in the processing center. Because firmware controls hardware units, it should not be easily modifiable. But it was another lie.

Unfortunately, only so-called sensitive commands are authenticated. For example dispense, but not present, if we speak about the dispenser. Rumor has it that the pin pad encrypts all data that comes from it, but it encrypts only the PIN code, not data, and an active man-in-the-middle attack can change one command to another. The good thing is that PIN codes are encrypted in such a way that the data can be decrypted only in the processing center. Why is it not done for other hardware units? It's a question. I don't know.

As for firmware modification, firmware is often stored on the ATM hard drive as a hex file, and actually it's not that hard to add some piece of code to the existing firmware to create a hidden backdoor, which will react to a sequence by dispensing money, if we are speaking about the dispenser.

PCI standards create a baseline for card data security, but these standards are not enforced and are easily bypassed by banks. Also, there are no such standards for biometric devices, and I think it's strange, because you can easily change your PIN code or your bank card, but you cannot change your iris or your finger. And additionally, there are many systems which use biometric identification, such as passports, visas and so on. It means that if you lose your biometric data, you might as well have lost your identity. Thank you so much to these guys who built this wall.

Okay, we have spoken about hardware units, but all these hardware units should be somehow connected to the PC computer, to the processing center, and so
often it's just ordinary COM ports or USB devices. But it's often forgotten that USB is also a bus, and there are different researchers that you can easily google who connect some device to some port of the USB hub and obtain all the data that is transmitted over the other lines. Often banks unfortunately say, okay, we have USB connections, no one can ever sniff the data that is transmitted and so on, but unfortunately it's not the case.

Some older ATMs use the so-called SDC bus. It's RS-485 with a common line, and every device on this bus can send a command to another device, and often it is used by malicious guys who understand how it works, and unfortunately ATM vendors and banks weren't prepared for this situation. These communication lines also should be considered vulnerable and also should be encrypted. In the ideal situation, in Wonderland, these communications are encrypted. But the data that is actually transmitted isn't encrypted. It's actually easy to know, to create, and there are even some startups which protect USB buses with hardware tags that protect the communication between them, but unfortunately they also don't understand how these devices work, and sometimes it's only security by obscurity and doesn't create any new protection, any new security to protect the devices that are connected to the USB bus and so on.

We often heard that tampering with the cables, with the wires, is very hard and no one can do it. And you will see in the following slides that the bad guys are already there. And here's a small presentation of what some device that is connected to the USB of the dispenser can do.

Okay, so here is our testbed, our ATM lab, and here is our attacker who maybe bought a key from the internet or from an insider. The attacker bypasses the first level of security, the physical level, disconnects the dispenser's USB cable from the ATM computer, and connects it to a specially crafted device. In our case it's a Raspberry Pi with a piece of code, a Wi-Fi dongle and
a battery. Now we can see that the dispenser is in the red box and it's offline, but it still works. The attacker sends dispense commands just using their smartphone to the Raspberry Pi through Wi-Fi, and the Raspberry Pi sends these commands to the dispenser directly, and it means that it bypasses all security measures which are implemented on the ATM computer. So only a couple of minutes, and our attacker... As you can understand, this attack might be repeated many, many times, until the ATM becomes empty.

Okay, we spoke about USB devices and their connections, but obviously there is an operating system that controls such devices with different software. Different software means, as Olga already mentioned, it's a Windows based operating system, often it's Windows XP, and we often heard from the banks... I think half a year ago some bank told us, we finally, finally managed to move from Windows XP to Windows 7. Come on guys, it's Windows 10 already, and you're a bit late.

There are service providers that generally represent the communication with the devices in the ATM machine. They are not the drivers; they are in user space, and communication is done by the libusb library. Actually, if you install a Linux operating system on the ATM, all the devices will be presented as libusb devices, with their names, with what they do, and actually you can send any command to them, as you have already seen in the previous video. These service providers are created by the manufacturers, and as Olga said, it's Lego: they combine different devices from different vendors. So there is a middleware that intercommunicates with the application that actually displays the information about the amount of money, this crappy spam with the different new credit cards and so on, on the ATM machine. It communicates with the XFS manager. It provides an interpreter, it provides communication between the software and the service providers.
So any person can create their own software that doesn't know anything about the ATM machine, but knows the interface of communication. And the Windows application is just a graphical user interface. It doesn't do anything. It just gathers information from the user, from the devices, and sends it to the processing center. But unfortunately, that's the ideal situation. In the ideal situation they're only proxies. They don't do anything, they don't understand what is going on, they just do what they are told by the processing center. They start secure communication. But as you have seen in the video, there is no secure communication with some devices like the dispenser. I don't know why. This application has a minimal interface. It doesn't provide any features, any additional technical information about the ATM machine, about the communications. But unfortunately all ATM vendors, all banks are lazy. They don't want to spend money to create different images of the operating system, different software to use only for technical purposes. They implement everything in one application and say, okay, we are now secure.

On the right side of the slide you can see Tyupkin, which has been with us for many, many years. It was based on XFS, and banks already say, okay, we know everything about malware; if we shift from the XFS manager, from the communication,
we will be 100% safe. But unfortunately, on the left-hand side you can see another malware that intercepts the communication from the service providers, that just gives us all the information that is already there, without any intercommunication with the XFS manager. Unfortunately, in Wonderland ATMs are secure, but in the real situation ATMs are very vulnerable, because every piece of software on the slide, the Windows application, the system or XFS manager, the service providers, can issue one command to eject money, to get the information about your credit card, to get PIN codes by man-in-the-middling the access to the pin pad, and so on.

Unfortunately, we have seen such cases. There are different bad guys who already attacked different banks with such a target. They install sniffers like Wireshark or USBPcap. They intercept all the data that is transmitted between the host computer and the card reader. They get all the information about your credit card, the very same information that is used for your transaction, in clear text, and send it through a server on the internet, because ATMs are generally connected to the internet. Unfortunately, it's a problem. And even if you go to the ATM machine and watch for different skimmers, different cameras and so on, it won't help you, because your data is transmitted internally in the operating system to the processing center, and so on. And unfortunately we've seen such malware that doesn't use general utilities. It uses access to the service providers, and Olga will show you an example of such malware.

So here is our video again. This is Backdoor.Skimer, which we investigated with our colleagues from the GReAT department several months ago.
This malware is activated by using special cards. Now we can see the window to enter the special password. Also the attacker can enter the number of a command, for example to dispense money, and also the attacker can enter the number of the cassette to dispense money from. One more thing: it was real malware which is widely spread around the world, and every sample was targeted at a different country. And you should understand, if you are attentive enough, that when the hacker inserted the card into the ATM, it was returned immediately. No data was saved on the ATM host computer. It was intercepted just before the logging system even understood that something happened to the card reader. Then it intercepts all the data that is entered on the pin pad, and there is no evidence, nothing to investigate, and often banks won't understand how it actually happened. And unfortunately, in many cases there's not even video surveillance to understand what they did and how it was done.

Okay, but we were speaking about the Windows operating system, about the card reader, about USB devices. But actually, how hard is it to get into the ATM machine, to access these interface devices, to send commands and so on? Sometimes banks are very, very protected. There are even some ATMs inside trucks with policemen nearby. We often hear that in Europe it's not the case, because all ATMs are through-the-wall ATMs and they're physically secure. We often hear that they are still in a concrete sandwich with different protections against physical attacks, there are different alarm systems, and no one can do anything in five minutes and get all the money. The operating system is just a platform. It doesn't do anything. It is always protected by Windows XP with MS08-067, so it can be attacked from anywhere in the network. It has robust updates.
Yeah, you know, XP. And different integrity controls, the last measure to protect the software on the ATM machine, to protect that there's nothing more than what is already on the ATM. But ATMs intercommunicate with at least the processing center and the ATM management system. Often it is very easy for network specialists, sorry, to connect all ATMs into a single network. Why not? They are all in the same broadcast domain, they see each other, but it's completely safe. Nothing will happen. They're just sending communication, customization data to the processing center, and nothing will happen.

But unfortunately, physical access is much, much easier than they suspect. This guy with a drill went to the ATM machine, made a hole in it, and got access to the interface cables. It's real footage, and all the money in this ATM was lost by the bank. And unfortunately there was no alarm, because no one actually opened the ATM machine, and they say, okay, no one opened it, no alarm, that's fine. But in many cases they're even lazier. We have modems near the ATM machines. We have, for example on the left bottom side of the screen, an open ATM, because, okay, the duct tape is okay. We have seen through-the-wall ATMs with all the communications outside of them and easy access to the inside of the building where the ATMs are situated, and so on, USB devices and other stuff. Because opening the ATM, going inside of it with the keyboard and something else, it's actually very hard to do.

On level five we have people, because every system is actually communicating with people, and some engineers should do different stuff with it. And when we showed you the schema of the ATM, it actually was a lie, because the schema is much bigger. We have different office computers, we have administrators, we have different online banking, we have the processing center, we have different databases. From the point of view of a tester,
it's a huge system that can be affected on many, many levels, for example by ordinary phishing. We have administrator accounts, and often these administrators are not trusted with managing office computers, and there are different departments, for example for ATM machines, for office computers, and so on. In this case ATM administrators are often not so competent and don't know everything about their systems. As already said, there are different ATMs in different locations. Sometimes they are connected with a 2G network, because it's very cheap and very secure, because when some security specialist in the bank opens the specification of the GSM network, they see, okay, there is encryption. Okay, then all communications are safe. But unfortunately, as you have seen on your mobile phones at the Congress, you see the network, the good network that you can connect to with your device and send data, send calls and so on. Actually, your connections with 2G networks can be intercepted.

And what we've seen much more often is that ATMs are connected to a small network where all the ATMs see each other. There is a domain controller for these particular ATMs that can send updates to all ATMs in this network. It's not a scary thing when you speak about a couple of ATMs and so on, but unfortunately there are hundreds of ATMs in some banks that can be attacked with just one button, installing a group policy to install, for example, malware and disable the antivirus. And it's often forgotten that actually an ATM is not a box. It's often an entry point, and an attacker can affect only one ATM to get inside the network and, for example, RPS buffering.
I don't know. Olga, and the last point.

From our test bed: the attacker discovered some ATM network with wrong settings and got physical access to the internet cable. He disconnects the internet cable from the ATM and again connects a Raspberry Pi to the ATM network. This Raspberry Pi contains a piece of code with a rogue processing center which emulates the real one. Now all ATMs in this network are under the control of the attackers, and friends of this attacker can come to all the ATMs and do something that looks like original transactions. They can use any PINs, any cards, and they can change the cassette to withdraw money from, and of course they get money. And now the attacker returns to the ATM to remove this very important device and leaves no physical evidence of this attack. But please don't use these ways to get money for Tschunk or for other reasons.

And actually, what you have seen in these videos, it's a real problem, because when we hear, okay, five minutes and the security guys will get to the ATM with the alarm system... but unfortunately all these videos are less than two minutes to install the hardware, to install the software, to get to the ATM and to withdraw money. It's often forgotten that unfortunately computers are really fast, and people are not.

Well, there's no conclusion from our presentation, because the security of the ATMs is like this guy. They are trying to protect some pieces of the network of ATMs. They shift from ATMs, they give the ATMs to some third party and only lease them, and so on. And they hear from the internet, okay, there is Tyupkin, then we'll install the antivirus on the ATMs.
Okay, there are black box attacks, then we install the hardware inside of our ATMs. Okay, there is something else, and they will install something else. Actually it's a cat-and-mouse game, and what we showed you, it's low-hanging fruit that can be easily accessed by criminals and is already accessed by criminals. And often we don't hear about such cases, because banks are very discreet about their problems, and they don't even share these problems with other banks. It's often a problem, because in many countries, when some bank is affected for example with black box attacks, it will say we have no problems, and another bank in the same country will be affected with the very same attacks and they are not prepared for this.

ATM vendors are often not so fast to implement security mechanisms, to implement their hardware to protect the banks, and often they say, we don't have a problem, we already sold you your ATM, and they don't want to invest any money into protection. When they understand, unfortunately in many cases the architecture is bad, and you should feel bad about it. We know that many vendors, I think all of them, already tried to create newer versions of the ATMs with newer operating systems, with newer hardware. We want to ask them: please do it more open. Not open source; do it more open to security specialists, to banks. Because many times the vendor creates the problem, but often, very often, the bank also creates the problem, because they don't want to implement all the features that are already there, and often these problems can be managed with updates, with configuration options, with passwords, or, come on...

There is a small list, very easy to understand. If the first command or the third command returns anything about your ATM machine, you are screwed. If the second command returns anything that looks like Ammyy Admin, TeamViewer and other software that you don't know what it is doing,
you are screwed. Use Wireshark and USBPcap on the ATM machine. Just install it, press the button, accept all the traffic, and see: do you see the card data in the traffic? Because it's a real problem. It's not that hard to intercept USB communications, not only with software means on the computer but also with hardware means, for example Beagle. The hardware to insert data on the USB bus costs only 500 euros, I think, or dollars. And a quarter million is in one ATM machine.

What we want to see: not only Tor, obviously, but protection for the different levels of communication. We have a chain of failure, with any part of the ATM infrastructure that can send one command to the ATM machine and get money from it, get the card data from it, and so on. Understand that unfortunately security is a process, and there is always a lowest bidder who creates the security in the ATMs or any other device. We know that you have different means to create money, but you always have means to lose money by allowing the lowest bidder to create your security. Actually, be excellent to each other. Vendors should speak to banks, banks should speak to vendors.

Unfortunately, for the ordinary customers, we're all screwed, because a software sniffer is completely undetectable from our point of view. And if you go to an ATM machine, be aware that your credit card data can be stolen despite all the security measures and security mechanisms that you can do by yourself. So it's actually a problem of the bank, and if you have a problem, for example with skimming, and some transaction was done with your credit card, it's not always your problem. It's maybe a problem with the bank.

We want to thank different guys, some of them here, some of them unfortunately not here, who helped us with our research, with reverse engineering, with, I think, the dispenser for example. It's a real pain in the ass. Have fun, stay safe. Thank you.

Questions? Please raise your hand for the signal angels. Yo, go. We've got a question from the internet.
Yeah, there are, but it's not quite in here. Yo, can you just go out quietly? Thanks. So, first question from the internet. The internet wants to know: you've said there are some default open ports on the ATMs. Which ones would those be?

We don't know yet. We can't disclose this information, because unfortunately we see the ATMs on Shodan, we see ATMs with Masscan, and this information can lead to a large amount of fraud against the ATMs. So we can't disclose them. Sorry.

Hello. I just want to add one note. It's not always the problem of the bank itself. Sometimes it's really more the problem of the vendor of the ATM, and part of it is, like you said, it's a normal PC that's inside the ATMs. And if the bank wants to upgrade now to Windows 7 or Windows 10 or whatever, the hardware does not support it. So you could basically change it to an off-the-shelf PC, but the vendor says, no, we don't support that, or we'll give no warranty if you change it yourself. And they ask a lot, a lot of money for just a normal PC, and the bank of course would say, no, it's too much for me, and we keep it at XP.

Yes, unfortunately we know about this situation, but we also understand that there are 10 years or 15 years or 20 years that the ATM was working, and it was working fine, and banks say, okay, I want to make it secure without any additional investment. Unfortunately, it won't help. Yes, we know that there are different problems in the operating system, but there are also different problems in the software that is run on this operating system, so it's actually a very fuzzy situation, and we can't say that someone is more wrong or more right in this situation. We should all combine our expertise, our money actually, and create much better ATMs, in the course of many, many years maybe, but I think the sooner the better. Thank you.

We have a question here, on the red. Why do you think the ATM vendors don't invest more into Linux based ATMs?
I mean, they could do that.

Yes, they can do that, but the answer is legacy code. They already invested a large amount of money into XFS, because it's not just XFS, it's Microsoft's eXtensions for Financial Services, so it's actually very tied to Windows. But we already know that some vendors are already shifting from Windows to Linux based operating systems, and we will see it in the near future. So I think the situation will change, sometime, maybe.

Guys, your research is amazing, and I really appreciate the work you're doing. I'd like to know, given the rise in Bitcoin ATMs and the fact that most of the software, or some of the software, for Bitcoin ATMs is open source, have you done any research on that, or are you planning on doing any research on that?

Unfortunately, we haven't seen these ATMs with our own hands. So unfortunately, no, we haven't managed to see them, and we would like to get in touch with the Bitcoin ATMs, but unfortunately they're so rare, so it's not worth it, unfortunately, for now. Thank you.

Thank you for the interesting presentation. Some of the attacks that you presented require a lot of internal knowledge, for example the one where the attacker intrudes on the network.
Where do the attackers get all this knowledge about the architecture and infrastructure?

Unfortunately, it's not that hard, because they are all Windows based again, and a general penetration test is accessing the domain controller with the highest privileges, and it's actually not very different from taking the ATM machines. And obviously there are different engineers in the bank who have different technical information, who have different software, different test software that can be stolen, and sometimes they even share this information with a large amount of people, for example by uploading the project on GitHub, and you can download software for the ATM just like open source.

Yes, so in terms of the ATM management systems, I'd like to ask if you had a look at, like, Fiserv and the software that big vendors use to manage big ATM networks, Fiserv or even like a trend, that's some ATM networks you see even in Europe. They start having systems to manage the advertisements in the loading screens and so on. Did you do any sort of research on that as well?

Unfortunately no, because there are different large systems to manage ATM machines, but there are always lazy people, lazy administrators, who install additional remote control systems, devices, and even device... Yes, so unfortunately no. It's a fun area. Thank you.

Thanks again for the amazing presentation. I was wondering if you had cases where the security was better than what you presented, and especially whether the serial bus communication had any encryption at all.

Yes, obviously there are different ATMs, different vendors, different banks, and we showed you extreme cases. We can say that any ATM is actually vulnerable to at least one vulnerability that we have shown you, from the management system, from the network, just the network without any internal knowledge, from physical access, from USB access, but there is no ATM that has all the vulnerabilities in it.
So we have seen secure ATMs, but not very secure. Thank you.

Okay, the internet wants to know: how easy would it be to get an ATM into a kind of out-of-service mode that is not really easy to fix? So basically, how hard is it to DoS an ATM?

With a razor, or cut the cable. It's very easy. But denial of service in ATMs, if I understood the question correctly, is a bit out of scope of our presentation, because we, as the attacker, as the penetration tester, want money from the ATM, not to disable it.

Any more questions? Yeah, the internet has another question. The internet wants to know how ATMs are specifically connected to the network, if not by 2G network, like with VPN, or what do they do, like PPTP or IPsec or something? Do you know how they do this?

Yes, so we've made presentations about ATM security for quite a while. I think you can see these presentations on our Twitter. There are different possibilities, like just 2G modems, 3G modems, 4G modems, ordinary Ethernet cables. We have even seen X.25 and telephone networks that are communicating with the processing center, I don't know for which purpose. Yes, there are different additional security mechanisms like VPN clients, hardware and software, for example some device installed inside of the ATM machine that connects from the ATM to the VPN client, and from the VPN client to the outer network. But the big problem is this particular device, for example the hardware device you have seen in our presentation, that is outside of the ATM, and some hacker can disconnect the internet cable and access this ATM machine. And more important, by disconnecting the internet cable and connecting to the VPN client, you can connect to the network of ATM machines. And many of you maybe have seen ATM machines with an ordinary Windows window that showed, oh, I can connect to the VPN server.
So they use everything, and there are no identical ATMs in different banks.

Okay, and I have one final question from the internet, and that is: would it be possible to make the ATM accept your own cassette, with like your cash?

Maybe the question was about a cash-in device that accepts banknotes that are not original, not legitimate. There are such attacks. And obviously, answering the question about the cassette, the responsibility is with the security guys who exchange cassettes and install, for example, a cassette with just blank paper, but it's very rare, and they are easily caught by policemen.

There is a question over there. Yeah, is there any different operating system installed in ATMs, Linux for example?

Yes, there is the OS/2 operating system, for example in America. There are even DOS based ones. As for Linux, I haven't seen any, but I think there are some. But the most common case is Windows XP, still alive.

Okay, thank you very much. Thank you.