The talk is entitled "Truly Cardless: Jackpotting an ATM using auxiliary devices", by Olga Kochetova and Alexey Osipov. Good evening, my name is Damran Herin. Hello everyone. Thanks for waiting to tune in right here, in the biggest place in my life, not in some other places. Today we are going to describe some new ways that allow you, not you, bad guys, to eject money from the ATM without touching it, for example, let's say, just through the air. I was previously Olga Kochetova, but now I have changed my family name, and he is Alexey Osipov. We are part of the security assessment team of Kaspersky Lab, and all of the things that we present today, and that we usually put in our presentations, we collect through our everyday work: ATM security assessment, penetration testing, forensic investigation and, of course, if we have enough time, we do some research and try to improve ATM security around the world, but sometimes we are not successful, unfortunately. So let's refresh your memories about ATMs. You should remember from previous talks that an ATM is just an ordinary computer, it looks like your home computer, but this particular box consists of various devices that interact with consumers, such as the keyboard, sorry, PIN pad, touch screen, some buttons, card reader, and devices to interact with cash, such as the dispenser, cash recycler, cash-in module and so on, etc., etc. And let's concentrate on the interfaces that are used inside the ATM. There are plenty of various connectors and ports. Sometimes we are pretty surprised when we discover some unusual interfaces inside the ATM, but the most common are RS-232 or RS-485 and, of course, USB. And the problem with USB is that this connector, this bus, is pretty common around the world, devices are connected to the PC through USB and, of course, technicians also use free USB ports to plug in a flash drive to install some new malware or some new software, it doesn't matter.
Some antennas, GSM modems, can also be connected to the ATM PC through USB ports, and sometimes these USB cables might be discovered outside the ATM. You might know that USB classes are pretty familiar to every developer or reverse engineer, and there are plenty of various classes described in libraries. The most common for ATMs are Human Interface Device and vendor-specific. Human Interface Device, it's usually the PIN pad, card reader, let's say input-output devices. And speaking about vendor-specific communication, the vendor might develop some strange things and use this description to communicate, for example, with the dispenser or with other devices inside the ATM. But let's continue with Human Interface Device. You might understand that a Human Interface Device is just a keyboard or mouse, and it's typically a plug-and-play device. You just plug something in via USB, the driver will automatically install, and this device will be ready for use. When we discovered that pretty small devices like the Teensy might be used as a keyboard, it was five or six years ago. We created a proof-of-concept video and came to some big companies that are related to ATMs in Russia, and they were pretty upset about what we discovered and asked us not to disclose this information to the public until this year. But we can discuss this in some, let's say, private conversation or private meetings. But now we are going to show you, finally, what we can do with the Teensy, using it in the ATM. Here is our demo that we reproduced in our testbed, but these are real cases in some banks in the wild. Some devices that are connected to USB might be installed for maintenance or something, and their USB cables are available for other connections, other communication. We obtain, not we, the attacker. The attacker obtains access to USB, connects a Teensy with special code, and this code helps to bypass kiosk mode on the ATM and run malware, just an executable file from QR.
There will be no logs in the ATM journal, because it's just something that looks like typing some letters on a keyboard. These cases are very hard to investigate. And about 20 seconds is enough to eject a portion of money, up to 40 banknotes, from the ATM just using the Teensy. There are other kinds of devices that have more memory and different features, for example, remote control or some other kinds of malicious activity, like USB cables that are not actually cables but also a kind of Teensy device. You can buy them for 40 bucks or 100 bucks, it doesn't matter, and they do pretty much the same thing. You pass off something as a legitimate device, and the technician uses it to install it into the ATM machine. And in this case, you just connect it to the devices. But there are also other kinds of devices that are already connected and already used. For example, for example, a technician needs to maintain this kind of ATM machine. It's the whole ATM, with no external cables, no nothing. Or maybe there is a cute kitten on the ATM machine that the technician doesn't want to disturb, because he loves kittens. Sometimes, to actually access these cables, you need to go into the ATM machine and do some stuff inside of it, and it's kind of messy, it's kind of giving me problems. And technicians have a solution: we will use wireless keyboards. Unfortunately, it's the general idea in some banks and in some companies that they can use a single dongle that is connected to the ATM machine and conduct different activities on the ATM machines. And it's kind of scary, because there is different research that affects these kinds of devices, wireless devices. For example, the MouseJack attack that affects the nRF24 chip. This chip is excellent. It's very cheap, it's used everywhere, and it doesn't provide any security. The customer or the vendor should implement their own crypto inside these devices and protect the customers against malicious modification.
And there are also devices from Great Scott Gadgets that use Bluetooth communication and affect this kind of communication in a malicious way. What is needed to affect an ATM machine? We just need to go to these couple of sites, download the GitHub versions of the exploits, use a dongle that is used, for example, for quadcopters, or the original dongle that is used by the company Logitech, and do some malicious stuff. Here's a typical setup. We just use an ordinary Android phone, connect our dongle to this cable and leave it nearby the ATM machine. The next time the genuine technician goes to this ATM machine, he will use his little keyboard to do some stuff and go away. But near the ATM machine will be something that obtains the address of this keyboard, or even mouse. Here's one more proof-of-concept video that we produced. As Alexey mentioned, we used the MouseJack tool to identify the address of this dongle. And when we obtain this address, we connect to this dongle and send specially prepared commands to the ATM. It might be malware from a remote share, or we can send some commands to eject money from the ATM just using this communication with the dongle, like an ordinary keyboard. And after some time, we will get the money. This unauthorized cash-out typically takes about 40 seconds to eject a portion of up to 40 banknotes from the ATM, and we can repeat it again and again until all ATMs with such kind of dongles are empty. And the sponsor of this video is Logitech, who makes excellent devices that can be used by anyone, for technician use or for customer use, and they are excellent in both ways, because we can create this video, but they also kind of consider the problems that they are facing, and the newer versions of this dongle, or the newer firmware that can be installed on these kinds of devices, are actually protected from the malicious behavior.
And it's pretty much excellent, because the community that found the problem identified the solution, and the solution was implemented on the devices. Everyone wins. There are also other flavors of devices that were already mentioned. There are Bluetooth keyboards or some radio keyboards that can be used. And a couple of days ago there was someone on Twitter who made a video intercepting the communication of his keyboard, which is completely in plain text. And the general idea about wireless keyboards in ATM machines is that ATMs are actually unattended devices. They stay there, and most of the time they are not used by customers, and a malicious guy can actually do everything with it through the keyboard and through the mouse remotely, and if he sees someone come to the ATM machine, he just presses Alt-Tab and returns to the original behavior of the ATM machine. It's excellent for research, but I don't advise you to do it, because, yes, you can obtain different fancy devices that intercept wireless communications. They can sniff nearby devices. And actually, if we speak about wireless keyboards, there is also another kind of device that is pretty scary, because some years ago there was an investigation in Mexico by Brian Krebs about Bluetooth sniffers that were used in gas pumps. And these kinds of devices can also be detected with Bluetooth devices. And if you see something in the air near an ATM machine, please do send some kind of message to the bank, because sometimes it's actually malicious activity, and it's not only about fancy videos and fancy devices. And if there are ATM technicians somewhere here, please stop using wireless keyboards. But let's continue with the other part. It is pretty upsetting when you should pay taxes or buy tickets and pay some money again, and that feeling that you should input tons of numbers and letters to pay for something at an ATM.
But this is a problem when some people, consumers, should spend a lot of time entering the numbers, make an error and do it again and again. Now some ATMs include barcode readers to collect all the information about your payments, or about your tickets, taxes, it doesn't matter, from barcodes or from QR codes, 1D codes or 2D codes. And some banks have already implemented a feature where the consumer might create a special barcode inside the mobile application and withdraw money without a card. A presentation without a mention of Bitcoin is not a good presentation, so this ATM for Bitcoin also uses barcodes. Barcodes are everywhere. For example, here at the Chaos Communication Congress there are plenty of barcodes, and even on toilet walls, don't ask how I found these barcodes. And if you want to buy some stuff, for example Club-Mate in a convenience store, typically the cashier uses the barcode reader installed at the cash desk and holds the item up to this barcode reader to enter the information about it into the program. Thanks to the Chinese guys from Tencent's Xuanwu Lab, who discovered this funny story about how to bypass the cashier and use some specially created QR codes to download and execute an application. There are plenty of codes and plenty of possibilities to inject control inputs through the barcode or to put in some information. There are plenty of ways, but we prepared one more video where we create special barcodes, put them on a Kindle to bypass kiosk mode on the ATM and do some magic from a remote share again. There will be no logs again inside the ATM journals, because it looks like some letters, some numbers input from the keyboard, and if banks try to understand what happened, they just should understand that in the logs there will be a strange situation where a barcode reader looks like a keyboard.
Typically a barcode reader in an ATM is connected to the PC through COM or USB ports, and on the other end of the cable is a port that looks like VGA. But we had some strange and, let's say, protected ATM where the USB cable was cut, and it took a couple of hours to solder a new cable, and then we had the right way and proper way to eject money from the ATM, which I mentioned in the previous video. The original research involves some reconfiguring of the barcode reader, or using the codes that are already inside the barcode reader, and we came up with a simple fuzzing idea to use against any barcode reader that is out there: just enable it somehow, for example, pay for something or do something, use a Code 128 barcode with the special symbol FNC3 at the start, and actually barcode readers beep, and if it beeps the wrong way, it seems that this code is accepted. Sometimes in the original research it's also mentioned that most barcode readers are using USB cables, but this particular one wasn't using it and we had to rewire it. But during our assessments we have seen barcode readers that are already in keyboard mode with the USB connection, and they send some symbols that are not printable ones, and they actually do some interesting stuff with the reader itself, for example it uses different function buttons, it uses different special combinations of buttons like Control-Delete and so on. And of course, do it responsibly and don't do it at the Congress, because we are all using barcodes and sometimes they can also be affected. That was about the barcodes. We were also speaking about the migration from Windows XP to Windows 7 during the previous years, and we prepared a small comparison of the problems that were faced by Windows XP and Windows 7, which were not used for a long time, for example Windows 7 was implemented only two years ago or one year ago on ATM machines. We have some nice vulnerabilities in Windows XP like MS08-067, and we actually haven't seen a fully patched system
or a fully patched ATM system with Windows XP. The same problem goes with Windows 7: we have a nice vulnerability, MS17-010, that can actually be exploited by a remote user, and we also haven't seen a fully patched ATM system, but yay, they migrated to Windows 7. For example, these are the data from the ATM assessment, and the screenshots are from the forensic investigation of one ATM machine that was affected by the WannaCry virus, which was affecting different kinds of devices, and it doesn't matter if it was SWIFT, or if it was an ordinary home system, or if it was an ATM machine. We have also seen the shift from IPv4 to IPv6. Unfortunately, who uses IPv6? On the internet there are some sites that have already implemented it, but in the networks everyone uses IPv6 because the new operating systems don't enable it and no one uses it, but malicious guys can actually abuse the firewall rules that allow anyone to use this communication in the wrong way. PowerShell is excellent, because for a couple of years it was not detected by anyone, it was like a silver key to any system. If we have faced Windows 7, we can do some great stuff like Mimikatz or DLL injection, keystrokes, anything. Unfortunately the honeymoon is over, and here's the current detection of the problems of malware that is using PowerShell. With ATM machines it's much easier, because you can use code from MSDN or different sites that provide default code to interact with COM ports or interact with libraries, and often this type of communication is legitimate and often it is used by the original software, but the malicious guy can issue the command to dispense all the money from the ATM machine with PowerShell. It's only a few keystrokes, and it's actually very easy to use it with QR codes or with different external keyboards. But for, not a conclusion, there are different kinds of devices that are already there, and we have investigated some of them, and most of them we haven't spoken about. Touch screens, because they are
obviously another point of entry to the ATM machines. There are different NFC readers that can also be affected, and so on and so forth. Biometric devices, which we spoke about two years ago at this very same conference, and I think there is a solution against the problems with the iris: you can just close your eyes and not use them. We are thankful to the community for the gadgets that were created, and they are very helpful for us and very helpful for you in analyzing what communications are there. And it's also another point that we haven't spoken about today, that you can actually abuse the drivers that are used by the ATM machine, because vendor-specific is vendor-specific, it's like SCADA systems or different ICS systems: the data that is transmitted can be brought through errors or some problems, and you can exchange all these two devices with a single radio that was provided by the Congress or at the Camp. It's an awesome device that actually implements both the phase sensor capabilities and radio capabilities, and you can do everything with it and abuse different activities. We are very thankful to the older researchers out there who have given us the inspiration to use something against ATM machines. We are thankful to the Congress for the excellent devices, excellent communication, because some of our ideas are brought from the people, and we are thankful to everyone who is attending. There are different kinds of devices that can be accessed remotely, but there is also the possibility to just cut a hole in the ATM machine, and we are thankful to the vendors who provide us with the work that we are doing. Security is a process, and I hope that we are making ATMs better, and we are trying to do our best to help the community, and there is something that could do it cheaper. Thank you everyone, if you have any questions please ask.

Thank you Olga, thank you Alexey, for sharing your impressive work. I hope we have some questions. I see over there, microphone 3, please.

Hi, so you looked at
wireless keyboards and mice and stuff like that, but did you look at wireless cards, like NFC?

Yes, we have analyzed some of the devices, the NFC readers, but unfortunately we can't speak about them right now because we are in the process of communicating with the vendor to fix these vulnerabilities. Because the problems that we have shown on the slides are actually already known, and we try to draw attention to these problems because they do exist right now, they have been here for 2, 3, 4 years, and the motto of this congress is remembering, refreshing memories, and we try to refresh memories not only for vendors but also for the people who are using ATMs.

We also have questions from the internet, my signal angel.

The internet wants to know how you got the hardware to test the stuff on. Can we get the hardware?

Yes, actually you can buy it from eBay. It's cheaper than sand in the matter of the ATM machine, because, for example, you can buy the old servers that were very pricey at the time and now they are sold for 1,000 euros, and for ATM machines it's actually the same. The most expensive part of an ATM machine is actually the safe, and you don't need the safe to conduct research.

Microphone 1, please.

Yes, will you be releasing any of the code that was done for your testing? I'm asking for a friend.

Good job. Your friend can speak to my friend.

OK, another question from the internet.

Yes, the internet wants to know, regarding the remote attacks, did you have access to the bank network or something, and how do you figure out what you actually need to do?
We actually bought the ATM machines for our test bed, and we are analyzing them in our spare time, and we are also communicating with banks and providing services for them to understand what problems they are facing. So yes, we are communicating with real banks and real ATM machines.

And another one from the internet.

Yes, the internet wants to know, for one of the remote radio things, if it's a 27 megahertz technique, like karaoke.

Yes, there are keyboards that are using 27 megahertz to communicate with the dongle, and this communication is generally affected.

OK, over there, microphone 5, I guess.

Have you tested this in the wild?

We are testing in assessments, so I don't advise you to test it in the wild. And as for the barcode readers, we are trying to test them, for example, in different shops or different vending machines, to analyze if it's possible to send them the control codes. So sometimes, maybe.

Another one from the internet.

OK, do you know why most ATMs run Windows instead of Linux, which maybe is not as vulnerable to malware and other vulnerabilities?

Yes, it's an excellent question that is asked every time we give presentations. Unfortunately, there is legacy code that is used only on Windows machines, and unfortunately the vendors of the devices inside the ATM machines don't disclose the specifications of their devices, and there is no easy possibility for Linux to use these kinds of devices. But when we get to the ATM machines we actually reboot them into Linux and use Python to interact with them. It's generally possible, but it's not done because of the legacy.

OK, I don't see any more questions, so let's thank the speakers again.