Slashdot Mirror


Hackers Break Currency Validator To Pass Any Paper As Valid Euro

Trailrunner7 writes "If espionage is the world's second-oldest profession, counterfeiting may be in the running to be third on that list. People have been trying to forge currency for just about as long as currency has been circulating, and anti-counterfeiting methods have tried to keep pace with the state of the art. The anti-counterfeiting technology in use today of course relies on computers and software, and like all software, it has bugs, as researchers at IOActive discovered when they reverse-engineered the firmware in a popular Euro currency verifier and found that they could insert their own firmware and force the machine to verify any piece of paper as a valid Euro note. 'The impact is obvious. An attacker with temporary physical access to the device could install customized firmware and cause the device to accept counterfeit money. Taking into account the types of places where these devices are usually deployed (shops, malls, offices, etc.) this scenario is more than feasible.'"

27 of 162 comments

  1. Firmware update? Unlikely. by mveloso · · Score: 4, Funny

    I doubt that you'd be able to hang around a cash register with a serial cable and update some device's firmware without someone noticing. At that point why not just update the cash register's firmware and have it give you money directly?

    1. Re:Firmware update? Unlikely. by Alsn · · Score: 2

      Who says you need to do it in secret? All you would need to do is convince someone to let you do it, either through being in on it, or some other covert means.

    2. Re:Firmware update? Unlikely. by Moryath · · Score: 2

      Sneakier to modify the reader, because then the register doesn't give you any clues if it's on stock firmware (and someone running a register diagnostic, checking firmware checksum, maybe even checking the firmware flash increment counter will come up blank too).

      The attack here is going to be passing plausible-looking counterfeits to an unknowing person who trusts the reader/register in a "Garbage in, Gospel out" manner that most people approach computers with. Buy something or trick the cashier into making change and voila, "free money" for the counterfeiters.

    3. Re:Firmware update? Unlikely. by Qzukk · · Score: 5, Insightful

      "Hello, I'm from the maintenance department and I'm here to update your firmware to protect you from the exploit that was recently published on 2013-10-13."

      --
      If I have been able to see further than others, it is because I bought a pair of binoculars.
    4. Re:Firmware update? Unlikely. by jandrese · · Score: 5, Insightful

      Unless this attack is a buffer overflow or something when you put in a particularly formatted note, I don't see the issue. "Oh, you can bypass the bill checker if you break the machine open, pull the ROM chips, and put in new ROM chips!"

      According to TFA, the guy went and analyzed the firmware to discover how it worked, and then noted that you could bypass the check routines in it to always set the "good" pins high. About the only thing even mildly worrying is that there is apparently no crypto lock on the firmware, but a crypto lock on the firmware would be useless if you have physical access to the machine anyway, only slightly complicating the job of redesigning the internals, so that's not saying much. There's a reason these machines are secured with a lock and a sturdy metal case.

      --
      I read the internet for the articles.
    5. Re:Firmware update? Unlikely. by mcrbids · · Score: 3, Funny

      All you have to do is get a technician costume. You know, a big, black bag with lots of tools in it, perhaps a utility belt, a button-up, short-sleeve shirt with a generic company logo on it. Walk up to the unit with a slightly bored expression, casually pull out your cable, and get to work. Pay no attention to anybody around you.

      Chances are, you just might get away with it.

      SOURCE: I watched Burn Notice a few times.

      --
      I have no problem with your religion until you decide it's reason to deprive others of the truth.
    6. Re:Firmware update? Unlikely. by TheCarp · · Score: 2

      Have you been in a department store in the past 20 years? They have cameras that would give the DHS a year-long stiffy, and a large portion of them are trained right on the registers. Hell, when I was last in a security room, and this was the mid-90s, the Security folks could watch the video and pull up the real-time transaction log to watch while watching the video.

      They tend to get uppity about people they don't know touching cash registers too. Though maybe you could go unnoticed, they also seldom tell you up front "we keep our security footage for 10 days," so it's not like you can be sure that you were not recorded doing it.

      --
      "I opened my eyes, and everything went dark again"
    7. Re:Firmware update? Unlikely. by Ant2 · · Score: 2

      Once the machine is open, just take the piles of cash sitting there.

    8. Re:Firmware update? Unlikely. by Rob+the+Bold · · Score: 2

      > They tend to get uppity about people they don't know touching cash registers too. Though maybe you could go unnoticed, they also seldom tell you up front "we keep our security footage for 10 days," so it's not like you can be sure that you were not recorded doing it.

      Despite these measures, somebody managed to tamper with POS terminals in dozens of Michaels stores across the US in 2011 (and ALDI markets the year before) and get away with it. In this case they were skimming PINs. The Secret Service investigated, and two guys were caught a year later. But the guys convicted were ATM cash withdrawers hired for the job, not the masterminds or the POS tamperers.

      --
      I am not a crackpot.
    9. Re:Firmware update? Unlikely. by SuperCharlie · · Score: 4, Interesting

      When I was around 12 or so, my dad was in the army and worked on anti-aircraft systems. One Saturday he needed to get or do something at the shop, so he dragged me along for the ride. Both of us in our plain clothes. We walked up to the shop, 2 guards patrolling, he said hi, pulled out his keys and opened the door. I was in awe of what I saw inside.. 15 M163 Vulcan self-propelled anti-aircraft guns all in a line. We piddled with some things, he started one up and made sure to tell me repeatedly don't stand in front of this.. (the radar).. and after an hour or so we left.

      Almost to the car, he said.. "you remember those two guards?" "Yes.." I said. "I didn't know them from Adam. You can get away with anything if you look like you know what you are doing."

      A lesson I have remembered all my life and used on more than one occasion.

    10. Re:Firmware update? Unlikely. by sootman · · Score: 4, Insightful

      > Which is a vulnerability of your employees
      > allowing access to some stranger...

      I work in an office with over 500 employees. Do you think I know everyone who works in security, telecom, and I.T.?

      --
      Dear Slashdot: next time you want to mess with the site, add a rich-text editor for comments.
    11. Re:Firmware update? Unlikely. by Baloo+Uriza · · Score: 3, Informative

      And yet, it still surprises me how many places that have called my company for service see me arrive on site holding a clipboard, a cardboard carton, and a toolpouch full of screwdrivers, and automatically assume that I'm there to fix critical equipment touching customer data without so much as checking my paperwork, much less checking ID. People are stupid. This trick could very easily work in plain sight.

      --
      Furries make the internet go.
    12. Re:Firmware update? Unlikely. by mlts · · Score: 3, Interesting

      There are some fairly sane security measures a maker of a security device can do for fairly cheap to ensure that a tampered device isn't going to work without a lot of money and time put in:

      1: If it is something static like a bill checker, take the time to heavily QA the device, including throw prototypes in the field for a while. Then, just have the firmware burned into a ROM (a true ROM, not an EEPROM, EPROM, PROM, flash, or an OS on a HDD... it goes into silicon and is not modifiable, period.) Of course, a bill checker might need updates when the currency gets a facelift, so a bill checker likely would need some type of upgrade mechanism.

      2: If an update mechanism is needed, TPM chips are not expensive. In fact, some ARM CPUs have them built in. That solves 95% of the problem right there, because if the OS isn't signed, the OS won't be able to decrypt the last stage and boot.

      3: As a subset of #2, the code that allows flashing of ROM images should be in a non-alterable, signed image. This way, if the main OS image has to change, it has to go through the "gatekeeper" image to be written to the boot medium, or it doesn't get on there.

      4: Multiple images. This way, if a flash image is verified and copied to a temporary space and is being copied to the main storage, a power failure doesn't brick the device. The TPM boots, finds the signature of the first image fails, tries the backup, boots from that. The flash process updates both images, so only one would be inoperable during an update at a time.

      5: To prevent flashing to a less secure previous version, the OS image that does the image update work can be set to look at version IDs, or optionally, if the ID is signed with a certain flag, can allow earlier versions to overwrite newer ones, or have beta images be able to be downgraded if needed.

      6: The image flashing would have to be via a physical process, such as a USB connection. This way, devices can't be upgraded over the network, which shuts out a lot of potential exploits.

      I'm sure I've missed a few items, but it doesn't take a lot of engineering to have an update mechanism in place that is tamper resistant.
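The update flow sketched in points 2 through 5 above (signed images checked by an immutable gatekeeper, two slots so a failed flash never bricks the unit, and a version floor that only a vendor-signed flag can override) is small enough to model end to end. The block below is an added example, not the Secureuro firmware and not any vendor's code. The image format (`FWIM` header, version, length, flags), the `FLAG_ALLOW_DOWNGRADE` bit and the toy key are all assumptions made for the illustration; the RSA is textbook (no padding) over two Mersenne primes so the block runs with the standard library alone, where a real device would use RSA-PSS or Ed25519 from a crypto library and keep the version floor in OTP fuses or a TPM NV index.

```python
# Added example (assumptions: image format, flag bit and toy key are invented
# for illustration; not Secureuro or any vendor's firmware).
import hashlib
import struct

P = (1 << 521) - 1          # Mersenne prime M521 (toy key material)
Q = (1 << 127) - 1          # Mersenne prime M127
N = P * Q                   # ~648 bits, wider than a SHA-256 digest
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # vendor-only; the device holds just (N, E)
PUBLIC_KEY = (N, E)
SIG_LEN = (N.bit_length() + 7) // 8

MAGIC = b"FWIM"
HEADER = struct.Struct(">4sIIH")    # magic, version, payload length, flags
FLAG_ALLOW_DOWNGRADE = 0x0001       # vendor-signed permission to go backwards


def build_image(version, payload, flags=0):
    """Vendor side: header || payload || RSA(SHA-256(header || payload))."""
    header = HEADER.pack(MAGIC, version, len(payload), flags)
    digest = int.from_bytes(hashlib.sha256(header + payload).digest(), "big")
    return header + payload + pow(digest, D, N).to_bytes(SIG_LEN, "big")


def verify_image(image, pubkey=PUBLIC_KEY):
    """Device side: parse and authenticate; ValueError on any defect."""
    n, e = pubkey
    if len(image) < HEADER.size + SIG_LEN:
        raise ValueError("truncated image")
    magic, version, length, flags = HEADER.unpack_from(image)
    body_end = HEADER.size + length
    if magic != MAGIC or body_end + SIG_LEN != len(image):
        raise ValueError("bad header")
    signature = int.from_bytes(image[body_end:], "big")
    expected = int.from_bytes(hashlib.sha256(image[:body_end]).digest(), "big")
    if signature >= n or pow(signature, e, n) != expected:
        raise ValueError("signature check failed")
    return version, flags, image[HEADER.size:body_end]


class Gatekeeper:
    """Non-alterable boot stage: two image slots plus a monotonic version floor."""
    def __init__(self):
        self.slots = [None, None]
        self.active = 0
        self.min_version = 0

    def _policy_ok(self, version, flags):
        return version >= self.min_version or bool(flags & FLAG_ALLOW_DOWNGRADE)

    def install(self, image):
        """Verify, write the inactive slot, flip, and only then refresh the old slot."""
        version, flags, _ = verify_image(image)
        if not self._policy_ok(version, flags):
            raise ValueError("rollback refused: %d < floor %d" % (version, self.min_version))
        target = 1 - self.active
        self.slots[target] = image
        self.active = target
        self.min_version = max(self.min_version, version)
        self.slots[1 - target] = image      # a power cut before this line still leaves one good copy
        return target

    def boot(self):
        """Try the active slot, fall back to the other; never run an unverified image."""
        for slot in (self.active, 1 - self.active):
            image = self.slots[slot]
            if image is None:
                continue
            try:
                version, flags, payload = verify_image(image)
            except ValueError:
                continue
            if self._policy_ok(version, flags):
                self.active = slot
                return slot, version, payload
        raise RuntimeError("no bootable image")


def demo():
    """Good update, tampered image, plain rollback, corrupted slot, signed downgrade."""
    gk = Gatekeeper()
    gk.install(build_image(1, b"validator v1"))
    gk.install(build_image(2, b"validator v2"))
    out = {"boot": gk.boot()[1]}
    tampered = bytearray(build_image(3, b"accept everything"))
    tampered[HEADER.size] ^= 0xFF           # flip a payload byte after signing
    try:
        gk.install(bytes(tampered))
        out["tampered"] = "accepted"
    except ValueError:
        out["tampered"] = "rejected"
    try:
        gk.install(build_image(1, b"validator v1"))   # older, no downgrade flag
        out["rollback"] = "accepted"
    except ValueError:
        out["rollback"] = "rejected"
    broken = bytearray(gk.slots[gk.active])
    broken[-1] ^= 0xFF                      # corrupt the active slot's signature
    gk.slots[gk.active] = bytes(broken)
    out["fallback_version"] = gk.boot()[1]
    gk.install(build_image(1, b"validator v1", FLAG_ALLOW_DOWNGRADE))
    out["signed_downgrade"] = gk.boot()[1]
    return out
```

Run `demo()` to walk through the scenarios: the tampered image and the unsigned downgrade are refused before anything is written, the corrupted active slot makes `boot()` fall back to the second copy, and the downgrade only goes through once the vendor has signed the `FLAG_ALLOW_DOWNGRADE` bit into the header. What the design does not cover is the point made elsewhere in the thread: an attacker with the case open can still swap the board, so the gatekeeper only raises the cost of the attack described in the article, it does not replace the lock and the metal box.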

    13. Re:Firmware update? Unlikely. by Wycliffe · · Score: 3, Insightful

      And how did that work out for him?

      Don't be so smug. Crimes like these have a reverse survivorship bias. You usually only hear about the ones that get caught or at least leave evidence behind.

  2. Well duh by PhilHibbs · · Score: 4, Insightful

    If you can physically access and modify a machine, you can change the way it behaves. Is this really news? Can they do it wirelessly? Over the internet?

    1. Re:Well duh by CastrTroy · · Score: 2

      Of course, now that the vulnerability is known, owners of the machines should be regularly verifying that they work correctly. They should verify that real notes are not flagged as counterfeits, and they should be able to verify that counterfeits do not get verified as legitimate. However, it might be hard to verify, depending on how the machines work. If you reprogrammed the firmware so that all valid notes are verified, but that only counterfeits with your unique ultraviolet ink pattern are legitimate, then most tests with other counterfeit bills would fail, and the machine would look as though it was working properly. If you had physical access to the machine, and there's enough free space in there, you could probably get it to respond to a Bluetooth signal to give the desired response, in which case black-box testing with different notes could not verify that the machine was working correctly.

      --
      Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
    2. Re:Well duh by gstoddart · · Score: 5, Insightful

      > If you can physically access and modify a machine, you can change the way it behaves. Is this really news?

      This part of the article is what struck me:

      > After watching some videos from the vendor Inves on the machine's operations and reading through the machine's documentation, Santamarta came to the conclusion that some of the security claims the vendor makes were somewhat specious.

      > "Unfortunately, some of these claims are not completely true and others are simply false. It is possible to understand how Secureuro works; we can access the firmware and EEPROM without even needing hardware hacking. Also, there is no encryption system protecting the firmware"

      So it sounds more like the company said "our stuff is secure, awesome, and hax0r proof", and someone essentially said "challenge accepted".

      That he could do the initial reverse engineering without ever even having had the device (he downloaded just the free firmware) tells me that this device was pretty ripe for the picking.

      --
      Lost at C:>. Found at C.
  3. This is a hack? by Joce640k · · Score: 2

    Sure... if I'm allowed to take the machine away and modify it I can just replace the electronics with a 555 timer or something. All it has to do is light up a green LED when a piece of paper goes through it.

    --
    No sig today...
  4. Second-oldest profession FTFY by Anonymous Coward · · Score: 4, Funny

    Politics is the world's second-oldest profession, noted for its uncanny likeness to the first.

    1. Re:Second-oldest profession FTFY by Chemisor · · Score: 3, Insightful

      You are absolutely right. Here are the top ten similarities between politics and programming:

      • Design is always better than the implementation.
      • Our number generators are random. Really.
      • Polling is a lousy way to gather information.
      • Codes always have bugs and loopholes. When they are found, lawyers are often involved.
      • Old codes never die and never fade away.
      • After failure, always blame the third party.
      • Paying for support is expensive.
      • DRM and vendor lock-in are the best means of increasing sales.
      • Never listen to your customers when they say they want fewer features. They must be lying.
      • Power corrupts. That's why we have checksums and balancing.
  5. Scraping the bottom of the barrel much? by ugen · · Score: 2

    I've got a better "hack" for them. Buy one of these devices (I am sure they are not hard to obtain). When it arrives, update firmware - or better yet, remove internal IC board, and replace with a battery hard-wired to "green light" (or whatever method they use to flag "good currency"). Then come to the store of your choice, and with a sleight of hand replace the device they already have. Presto! Will take a lot less time than "hacking" one at the store.

    Of course, if that's a "hack" - how about just taking a cash register and carrying it off?

  6. Easier to just steal by wiredlogic · · Score: 2

    If you have physical access to the validator it would be easier to skim some bills from the machine and remain undetected rather than modify it to accept fake bills that will be noticed as soon as the owner brings them to a bank.

    --
    I am becoming gerund, destroyer of verbs.
  7. Currency Validators? by Necron69 · · Score: 2

    Ok, dumb American here. Are 'currency validators' that common in Europe? The only thing that comes to mind here in the US is the 'dollar bill accepters' on vending or change machines. Other than those, I don't think I've ever seen a currency validator on a cash register anywhere. Occasionally, you get a sales clerk who will hold a $20 or $100 up to the light to look for the security strip (in American bills), but that's pretty much it over here.

    - Necron69

    1. Re:Currency Validators? by freeze128 · · Score: 2

      ...And if you read the summary thinking of a bill validator, you come away with a "DUH! No kidding dummy!" feeling. In order to hack a bill validator, you would need to open the vending machine, remove the bill validator, disassemble the validator, update or replace the ROM, then put everything back together again. If you're going to do that, you could just grab the money and a Coke after the first step.

  8. Counterfeiting ? by mbone · · Score: 3, Insightful

    If it accepts _any_ piece of paper, I don't see how that is counterfeiting - theft and fraud, sure, but if I make no effort to copy something, how is that still counterfeiting?

  9. Astronomy / astrology by mbone · · Score: 2

    If you go by buildings, you could make a good case for astronomy / astrology being the oldest profession. Stonehenge, the pyramids, etc., they all either were observatories, or needed a fair amount of astronomical knowledge to build.

  10. No, it's likely by dutchwhizzman · · Score: 2

    In Euro land, you either pay with your debit card, or you pay cash. If you pay cash, the cashier usually either just puts the bills in the register, or they do a check in a standalone machine to see if the machine approves of the currency. Registers that count money and have a built in validator are rare and only now are starting to appear in bigger supermarkets.

    Crooks here in Europe are very good at firmware updates or hardware modification on POS type equipment. Until very recently our omnipresent debit cards used a magnet strip and a pin code for payments. It got to be a weekly news item that such and such store or popular gas station had their PIN terminals skimmed and thousands of customers had their bank accounts cleaned out with copied cards and "recorded" PIN numbers. Cards still occasionally get skimmed, but debit cards are usually blocked by default outside the EU and inside the EU you need a smart card to make PIN payments. Skimmers can't copy the smart chip of the debit card, so they can't use the card unless they steal the physical item. This leaves the success rate of skimming a magnet strip+pin to the rare cards that are unblocked for outside of the EU and it requires accomplices in for instance India or so to clean out the accounts of the cards you swiped. Until someone finds a nice attack on the smart cards (I don't think it will take long, cell phone SIM cards have been hacked too), we won't be seeing them attack electronic payments in brick and mortar stores on a large scale soon. They will most likely move their game towards getting their own fake currency accepted by the validators and start buying small items with large bills, or resell the items to replace the "loss of income" since skimming debit cards wasn't profitable any more.

    TL;DR In Europe firmware mods are the most successful mods for this sort of hack/fraud.

    --
    I was promised a flying car. Where is my flying car?