USB Sticks Used In Robbery of ATMs
First time accepted submitter JeffOwl writes "BBC is reporting that thieves are infecting ATMs with malware using USB sticks. The malware creates a backdoor that can be accessed at the front panel. The thieves are damaging the ATM to access a USB port, then patching it back up to avoid notice. This indicates that the crew is highly familiar with the ATMs in question. Once the ATM is infected, the thieves use a 12-digit code to bring up the alternate interface. The thieves, not wanting their crew to go rogue, have built a challenge-response access control into their software and must call another member who can generate the response for them."
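The challenge-response control the summary describes, worked through as an added example (editor's illustration, not the thieves' software and not code from the BBC report). Everything below is assumed for illustration: a shared HMAC key held only by the remote "authorizer", an ATM identifier, an 8-hex-character challenge shown on the panel, and a 6-digit response typed back. The point it shows is that the person at the machine cannot compute the response without the key, and a response recorded from one session is useless for the next because the challenge is fresh each time.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/binary"
	"encoding/hex"
	"fmt"
)

// Assumed response format (not from the article): six decimal digits.
const responseSpace = 1000000

// NewChallenge returns a fresh random challenge as 8 hex characters.
// A new challenge per session is what makes a replayed response worthless.
func NewChallenge() (string, error) {
	var b [4]byte
	if _, err := rand.Read(b[:]); err != nil {
		return "", err
	}
	return hex.EncodeToString(b[:]), nil
}

// ComputeResponse is what the remote "authorizer" runs: it binds the
// response to both the machine and the challenge with HMAC-SHA256 and
// truncates the tag to six decimal digits.
func ComputeResponse(key []byte, atmID, challenge string) string {
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(atmID))
	mac.Write([]byte{0}) // separator so "ab"+"c" and "a"+"bc" differ
	mac.Write([]byte(challenge))
	tag := mac.Sum(nil)
	n := binary.BigEndian.Uint32(tag[:4]) % responseSpace
	return fmt.Sprintf("%06d", n)
}

// VerifyResponse is what the code on the machine runs before unlocking the
// alternate interface. Constant-time comparison avoids leaking digits.
func VerifyResponse(key []byte, atmID, challenge, response string) bool {
	expected := ComputeResponse(key, atmID, challenge)
	return subtle.ConstantTimeCompare([]byte(expected), []byte(response)) == 1
}

func main() {
	key := []byte("constructed-demo-key-do-not-reuse") // held only by the authorizer
	atmID := "ATM-0042"                                // constructed identifier
	challenge, err := NewChallenge()
	if err != nil {
		panic(err)
	}
	fmt.Println("panel shows challenge:", challenge)
	resp := ComputeResponse(key, atmID, challenge)
	fmt.Println("authorizer reads back:", resp)
	fmt.Println("accepted:", VerifyResponse(key, atmID, challenge, resp))
	fmt.Println("guess accepted:", VerifyResponse(key, atmID, challenge, "000000"))
}
```

The authorizer can also refuse to compute a response (or log who asked for which machine when), which is the "prevent the crew from going rogue" property the summary attributes to the scheme; the machine-side code never holds anything that lets the operator skip the phone call.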
That's what you get from running Windows on ATMs, lol.
Video cameras to prevent drilling of the outer shell was never considered?
Sounds like the NSA. FBI. CIA. US Government.
Trust, but verify... and we're gonna take all that you value.
Google the subject; he performed this attack live at both Blackhat and Defcon 18. It was definitely an eye opener, and one of the reasons I tend to avoid those rental ATMs you see in mom and pop stores, and restaurants/bars...
Yes, I realize that even the major bank ATMs are susceptible, but at least with a major bank you have some recourse if you have issues.
I am selling USB sticks on EBay if anyone wants them.
that one was hard to hack
Well, it's nice to see that someone in the, uh.. banking industry.. has managed to figure out two-factor authentication to stop people from taking off with money.
Remember to contract private companies to build machines and systems to count votes as well. Nothing could possibly go wrong, and those companies will be as assiduous in detecting flaws in voting systems and their front ends as they are in counting vast quantities of cash. Because, you know, they will. 'Cause. Perfect.
USB ports will take literally any instruction at face value and execute it. In the eyes of a USB port, there is no such thing as malware.
Well the touch screen, printer and maybe even the link to the cash system may be USB.
Even new SLOT MACHINES use USB and the Incredible Technologies games are ALL USB and load code from USB drives.
I feel like I might know how something like this happened.
Dev: "Hey, we need to spend some time on security. For example, the USB ports are not disabled; if we want to use them for service we should put authentication on them."
Project Manager: "Well, you have a point, but none of our competitors focus on security either and we're also behind on the project. It will be fine and we can fix it next time."
As an embedded dev I have had that conversation.
Fail #1: A port that can be accessed without triggering an alarm.
Fail #2: A USB port.
Fail #3: Software running that looks at, and allows unsigned executable code to be executed from, a USB storage device without explicit authorisation.
Fail #4: No intrusion detection whatsoever to notice that this USB device has been inserted, has had code taken from it, that that code has been made executable and executed, or that that code is running with privilege enough to dispense cash.
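Fail #4 is the cheapest one to close, so here is an added example of what "notice that a USB device has been inserted" looks like in practice (editor's illustration, not code from the article or from any ATM vendor). It assumes the machine ships its kernel log to a collector in ordinary syslog format; the sample lines are constructed in the Linux usb-storage/sd wording, which is a stand-in, since the machines in the story run Windows. The detector raises an alert at each stage: mass storage enumerated, removable block device created, filesystem mounted (the point at which code can be read off the stick), and a keyboard/HID appearing, which matters for the rubber-ducky style attack mentioned further down the thread.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Alert is what the detector would forward to the branch or a central SOC.
type Alert struct {
	Host, Time, Device, Severity, Reason string
}

// Constructed sample lines (syslog prefix + Linux kernel messages). These are
// not logs from any real ATM; they only stand in for "the host logs what the
// kernel saw on the USB bus".
const sampleLog = `Jan  3 10:13:58 atm-07 dispenser: cassette 2 count=412
Jan  3 10:14:02 atm-07 kernel: usb 1-1: new high-speed USB device number 4 using ehci-pci
Jan  3 10:14:02 atm-07 kernel: usb-storage 1-1:1.0: USB Mass Storage device detected
Jan  3 10:14:03 atm-07 kernel: sd 6:0:0:0: [sdb] Attached SCSI removable disk
Jan  3 10:14:09 atm-07 kernel: EXT4-fs (sdb1): mounted filesystem with ordered data mode.
Jan  3 10:14:40 atm-07 kernel: input: Generic USB Keyboard as /devices/pci0000:00/0000:00:1d.0/usb1/1-2/1-2:1.0/input/input5
Jan  3 10:15:01 atm-07 dispenser: cassette 2 count=412`

var (
	reSyslog      = regexp.MustCompile(`^(\w{3}\s+\d+ \d\d:\d\d:\d\d) (\S+) kernel: (.*)$`)
	reMassStorage = regexp.MustCompile(`usb-storage (\S+): USB Mass Storage device detected`)
	reRemovable   = regexp.MustCompile(`\[(sd[a-z]+)\] Attached SCSI removable disk`)
	reMounted     = regexp.MustCompile(`\((sd[a-z]+\d*)\): mounted filesystem`)
	reHID         = regexp.MustCompile(`input: (.+) as /devices/.*/usb\d`)
)

// DetectRemovableMedia scans log lines and raises an alert at every stage
// where removable media or an injected keyboard shows up on a machine that
// should never see one outside a scheduled service visit.
func DetectRemovableMedia(lines []string) []Alert {
	var alerts []Alert
	for _, line := range lines {
		m := reSyslog.FindStringSubmatch(strings.TrimSpace(line))
		if m == nil {
			continue // not a kernel line; dispenser counters etc. are ignored here
		}
		ts, host, msg := m[1], m[2], m[3]
		switch {
		case reMassStorage.MatchString(msg):
			port := reMassStorage.FindStringSubmatch(msg)[1]
			alerts = append(alerts, Alert{host, ts, port, "high", "USB mass storage attached"})
		case reRemovable.MatchString(msg):
			dev := reRemovable.FindStringSubmatch(msg)[1]
			alerts = append(alerts, Alert{host, ts, dev, "high", "removable block device created"})
		case reMounted.MatchString(msg):
			dev := reMounted.FindStringSubmatch(msg)[1]
			alerts = append(alerts, Alert{host, ts, dev, "critical", "removable filesystem mounted; code can now be read from it"})
		case reHID.MatchString(msg):
			name := reHID.FindStringSubmatch(msg)[1]
			alerts = append(alerts, Alert{host, ts, name, "medium", "USB keyboard/HID attached"})
		}
	}
	return alerts
}

func main() {
	for _, a := range DetectRemovableMedia(strings.Split(sampleLog, "\n")) {
		fmt.Printf("%s %s [%s] %s: %s\n", a.Time, a.Host, a.Severity, a.Device, a.Reason)
	}
}
```

The alerts are only useful if they leave the machine (the thread's "alert the branch, alert the central bank"); a detector whose output sits in a local file the attacker can also reach is just more evidence for the forensics team afterwards.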
I stopped caring at #2, if I'm honest.
You can state for all the world that the ATMs need software updates, etc. but there's just no excuse for a commodity device to be able to run arbitrary code without at least BOTHERING to check the authenticity of the code it runs first and ALERTING someone somewhere that that's what's happening (i.e. alert the branch, alert the central bank, etc.).
There's nothing stopping you issuing your updates over the local banking network, even, if that's what you want to do. Just make sure they are signed, verified, encrypted and secured. Honestly, you can't download a fecking game or movie nowadays without requiring DRM... and this is where DRM, code-signing and all that other stuff we do is supposed to be being used the most.
General purpose computers SHOULD NOT BE USED in security-conscious situations.
If your ATM isn't a SecureBoot machine (at a minimum), with code-signing explicitly required for any and all updates, and ALL WAYS to execute external code disabled, you're just a fecking idiot.
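What "code-signing explicitly required for any and all updates" means in code, as an added example (editor's illustration, not a vendor's update mechanism). The package format, the Ed25519 key pair standing in for the vendor's offline signing key, and the function names are all assumptions. The unchecked loader is the behaviour the thread complains about; the verified loader refuses anything unsigned, anything whose signature fails against the key pinned in the image, and anything modified after signing, before a single byte of it is interpreted.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// UpdatePackage is the assumed on-disk format: the raw payload plus a
// detached Ed25519 signature made by the vendor's offline key.
type UpdatePackage struct {
	Payload   []byte
	Signature []byte
}

var (
	ErrUnsigned = errors.New("update has no signature: refusing to load")
	ErrBadSig   = errors.New("signature does not verify against the pinned vendor key")
)

// GenerateVendorKey stands in for the vendor's offline key ceremony.
// Only the public half is ever baked into the machine image.
func GenerateVendorKey() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// SignPackage is the vendor side: run once, off the machine, with the private key.
func SignPackage(priv ed25519.PrivateKey, payload []byte) UpdatePackage {
	return UpdatePackage{Payload: payload, Signature: ed25519.Sign(priv, payload)}
}

// LoadUnchecked is the behaviour being criticised: whatever is on the stick
// is handed straight to the executor.
func LoadUnchecked(p UpdatePackage) []byte {
	return p.Payload
}

// LoadVerified is the hardened path: the payload is returned only if its
// signature verifies against the public key pinned in the image.
func LoadVerified(pinned ed25519.PublicKey, p UpdatePackage) ([]byte, error) {
	if len(p.Signature) == 0 {
		return nil, ErrUnsigned
	}
	if len(p.Signature) != ed25519.SignatureSize || !ed25519.Verify(pinned, p.Payload, p.Signature) {
		return nil, ErrBadSig
	}
	return p.Payload, nil
}

// Digest is what goes in the alert/audit record so a remote reviewer can
// tell exactly which update was applied.
func Digest(payload []byte) string {
	return fmt.Sprintf("%x", sha256.Sum256(payload))
}

func main() {
	pub, priv, err := GenerateVendorKey()
	if err != nil {
		panic(err)
	}
	genuine := SignPackage(priv, []byte("constructed firmware blob v2"))
	fmt.Println("genuine update:", Digest(genuine.Payload))
	if _, err := LoadVerified(pub, genuine); err != nil {
		fmt.Println("unexpected:", err)
	}

	// What a stick found in a field-patched ATM would carry: no signature at all.
	fromStick := UpdatePackage{Payload: []byte("hack.bat")}
	fmt.Println("unchecked loader runs:", string(LoadUnchecked(fromStick)))
	if _, err := LoadVerified(pub, fromStick); err != nil {
		fmt.Println("verified loader:", err)
	}

	// A signed update with one byte flipped after signing.
	tampered := SignPackage(priv, []byte("constructed firmware blob v2"))
	tampered.Payload = append([]byte{}, tampered.Payload...)
	tampered.Payload[0] ^= 1
	if _, err := LoadVerified(pub, tampered); err != nil {
		fmt.Println("verified loader:", err)
	}
}
```

Signing does nothing about a stolen vendor key or a malicious vendor (the inside-job scenario raised later in the thread), which is why the signing key stays off the machine and off the network, and why the audit record should name the digest of what was applied rather than just "update OK".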
When I worked at ABN/AMRO, I would pass the locked ATM machine engineering room, and wonder what could happen if one of these people was fired. Now we know.
You're taking a decade-ago experience with a floppy disk and guessing that the same problem applies today to a USB stick?
Here's a tip: Linux has thousands of new features since the time you last glanced at it. Including detection of whenever a USB stick is inserted, and it's easy as anything to click on the little USB icon and look at the file manager and do whatever you want.
If we used that word any less than 4 times in the 6-sentence summary, people might forget who we're talking about!
I used to write financial software for a living, including ATM driving software.
I realized, after a while, that I had certain preconceived notions about the sort of software and hardware that is running on these sorts of high profile, high risk systems. Obviously, the software will have been made highly secure; redundant checks on every action, code signing, etc. It'd likely be running a custom operating system that was built from the ground up and booted off a (P)ROM. The case would be just as impenetrable, with a separate compartment for the computer itself, requiring specialty equipment so that it could only really be opened at the point of origin or in a manner certain to destroy the innards - and certainly not in the field.
Right? I mean, any of us can think up a set of reasonably secure basic premises from which we could build a system like this.
Imagine my surprise when I found out that half of the ATMs out there are just running off-the-shelf Windows desktops, with the original demo software still installed. There's no real optimization, no cleanup, no limited boot, nothing; it's just a desktop machine jammed in a vending machine with a custom card & cable for driving the mechanics of the ATM. Sometimes they're even in the original manufacturer's case (though usually they're just the board). I've also done some work on vending machines, and I can tell you that they're often better made!
As a software developer, one of the things I was shocked to see was that security for ATMs was almost entirely focused on the physical. There's little to stop someone from hooking up an external line and sending approvals or just doing basic proxying - most of the data is sent in the clear, just skim it - or from updating the system with a CD or USB if you pull the front cover of the ATM off. Many times, you'll find someone left a keyboard and mouse behind in the unit because it's a pain to always carry your own when doing updates or what have you.
This follows the same basic trend in the rest of the financial systems I've seen; physical security is very high, software security is relatively low. When it comes down to it, most companies place a focus on tracking transactions rather than securing them, and rely on constant manual review by staff to detect problems (that's why banks close so early - the folks who don't run the registers are in the back doing the day's reconciliation).
Robbery is defined as taking something from a person through threat of force or violence. You cannot rob an inanimate object. Theft is the correct term, or perhaps burglary (which also includes illegally entering a place to commit theft). I'm rather surprised to see the BBC misusing the term as well, but I notice they refer to it as "theft" in the story, and only use "rob" in the title. Sounds like an overzealous editor tried to make the headline more catchy when posting the article.
Better known as 318230.
Hmm, why rob the bank when you can empty an ATM with much less risk of the cops catching you? Somehow I would have expected ATMs to use something other than a Windows or DOS system.
At least they built a challenge response system into their hack, that's just f*'ing funny to me!!
Even HID-Only access isn't going to save you. See the USB rubber ducky.
http://hakshop.myshopify.com/products/usb-rubber-ducky
USB Sticks Used in Robbery of a Convenience Store
Plugging something into a USB port is only effective as an attack if autorun is turned on in Windows. You can turn it off for all pluggable devices. A file system device is still recognized as having a file system, but something has to go to the device and get a file before anything happens.
Running Windows on an ATM is lame, but common. Running a desktop version of Windows, instead of Windows Embedded (which allows removing all the stuff that shouldn't be there), is just stupid.
This indicates that the crew is highly familiar with the ATMs in question.
Or is it just that the submitter and editor have watched way too many bad movies and TV shows?
Details of the exploit were presented Friday during the "Electronic Bank Robberies" talk at Chaos Communication Congress, yet somehow the Slashdot article completely misses that. You can watch the talk on YouTube or download the MP4 video (172M) if you want to watch the original talk.
If Barnaby Jack was still with us, he'd be proud. :)
It seems too convenient to leave a file called hack.bat on the system. Probably just a cover because the actual back door was created by the developer of the ATM system/software. The USB sticks simply unlocked the machine and the codes were used to prevent the individual perp from hitting too many ATMs, too frequently. The code doesn't stop the individual perp from walking away with the cash at that time but it does let someone know exactly when he's doing it.
I know of a gambling device that was similarly hacked by the developer... He was too greedy and used his hack twice in one weekend. He was also on the security video and he rented a car in his own name which makes him not only greedy but stupid as well.
As a side note the gambling device used proprietary hardware/OS and the system software is examined and certified by a third party. The back door was well hidden and because it was an inside job, the technical security of the device was irrelevant. I am guessing the same is true for the ATMs.
"...must call another member who can generate the response for them."
Brilliant.
Here in this blog post: http://theinvisiblethings.blogspot.com/2011/06/usb-security-challenges.html
it is definitely a concern for her Qubes OS project.
While most of the ATMs I lord over are now Windows 2000/XP based, there are still a few running OS/2!
Any time you have physical access you can gain root access as simply as starting a VM from the thumb drive and chrooting to the system (assuming you have drivers and the drives aren't encrypted) and wango, you can change the root password or install a root kit.
Ah yes, the "keystrokes" that you can just disable (or actually not enable) when you build the kernel? Of course, you could also not enable usb and service the device using ssh.
I thought these things were under the watchful eye of cameras. If they were able to break the machine to get to the USB and then patch it, then those cameras aren't worth shit.
Vending machines are, historically, installed in more hostile locations and are more portable and accessible. These assumptions have changed a bit but generally hold true. Banks see theft like this as a financial loss to insure against, vending machine owners see it as a loss of business and reputation. The base mindset is different although the results show that the banks are wrong.
So; what was the go-code for the US's atomic arsenal for nearly the entire Cold War?