Slashdot Mirror


USB Sticks Used In Robbery of ATMs

First time accepted submitter JeffOwl writes "BBC is reporting that thieves are infecting ATMs with malware using USB sticks. The malware creates a backdoor that can be accessed at the front panel. The thieves are damaging the ATM to access a USB port then patching it back up to avoid notice. This indicates that the crew is highly familiar with the ATMs in question. Once the ATM is infected, the thieves use a 12 digit code to bring up the alternate interface. The thieves, not wanting their crew to go rogue, have built a challenge-response access control into their software and must call another member who can generate the response for them."

50 of 252 comments

  1. That's what you get by fisted · · Score: 5, Insightful

    That's what you get from running Windows on ATMs, lol.

    1. Re:That's what you get by Anonymous Coward · · Score: 5, Funny

      Mod parent up! Linux machines are impenetrable, even if an expert has physical access. This is why Torvalds gets so aggressive: he keeps locking himself out of his testing machines and has to buy new ones.

    2. Re:That's what you get by fisted · · Score: 4, Insightful

      I don't know any Linux or unix machine which would be compromised merely by plugging a memory stick. Hint, hint: autorun.
      Furthermore, you presumably wouldn't get administrative access.

    3. Re:That's what you get by Spy+Handler · · Score: 5, Insightful

      no, this is what you get when you put a USB port on a frigging ATM. Whose bright idea was that anyways?

    4. Re:That's what you get by dugancent · · Score: 3, Interesting

      My bank still uses OS/2 on their ATMs.

      --
      SJWs are the new boogeyman. -Me
    5. Re:That's what you get by wvmarle · · Score: 4, Insightful

      Making it easy to install upgrades? Or to connect say, a proper keyboard, to do maintenance?

      USB stick is better than over network as physical access is needed. And in this case, they indeed had to physically break the ATM to gain access to this USB port.

    6. Re:That's what you get by asmkm22 · · Score: 5, Insightful

      The USB port is pretty well hidden and secure, which is why the article points out the fact that the thieves appear to be familiar with the machines enough to know where and how to best break that part open. Even the best of security measures won't hold up against an inside job.

    7. Re:That's what you get by lgw · · Score: 5, Informative

      That's what you get from running Windows on ATMs, lol.

      No, it really isn't. I've seen this demo'd at a security conference, and the OS has nothing at all to do with the attack. ATMs have a USB port which can be used to replace the firmware. The port is behind a simple lock, not in the vault with the money.

      This attack replaces the OS on the ATM with the image the attacker provides. What the OS was before the attack really isn't all that relevant. The fact that images aren't signed or anything is.

      --
      Socialism: a lie told by totalitarians and believed by fools.
    8. Re:That's what you get by ericloewe · · Score: 3, Interesting

      ATMs generally run on commodity hardware and a commodity OS (most I've seen are Windows NT 4.0 and newer).

    9. Re:That's what you get by cusco · · Score: 4, Informative

      I'd be very surprised if the "alternative interface" isn't installed by rebooting the machine off the USB stick. The Diebold voting machines were configured to preferably boot off a USB, and Diebold is still the largest manufacturer of ATMs in the US.

      --
      "Think about how stupid the average person is. Now, realise that half of them are dumber than that." - George Carlin
    10. Re:That's what you get by Nkwe · · Score: 3, Interesting

      I don't know any Linux or unix machine which would be compromised merely by plugging a memory stick. Hint, hint: autorun. Furthermore, you presumably wouldn't get administrative access.

      It doesn't require autorun. A usb device that emulates a keyboard or other input device would do the trick. Send the keystrokes necessary to break in. Think Linux is immune? How about the keystrokes necessary to reboot the machine and start up in single user mode? Even if single user mode has been protected, the usb device could provide both keyboard emulation and cdrom emulation -- during reboot the hack could boot to alternate media. The real fail is a design that allows access to the hardware (physical access is full access) and not the choice of operating system.
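
The keyboard-plus-storage device described above leaves a distinctive trail in the kernel log, and an ATM that watched for it would at least know it had been tampered with. The Go program below is an added example, not code from this thread or from any ATM vendor: it correlates constructed dmesg-style lines per USB port path and raises an alert when one port exposes both a HID interface and mass storage, or when either appears outside an operator maintenance window. The log line shapes, the sample lines and the `maintenance` flag are assumptions of the example.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// Alert is one finding about the device behind a USB port path such as "1-2".
type Alert struct {
	Port    string
	Message string
}

// device accumulates what the kernel reported for one port path over several lines.
type device struct {
	vendor, product string
	storage, hid    bool
}

// The three message shapes we correlate, matched after the "[ seconds ]"
// dmesg timestamp has been stripped. Layouts are an assumption of the example.
var (
	reNew     = regexp.MustCompile(`^usb (\d+-[\d.]+): New USB device found, idVendor=([0-9a-f]{4}), idProduct=([0-9a-f]{4})`)
	reStorage = regexp.MustCompile(`^usb-storage (\d+-[\d.]+):\d+\.\d+: USB Mass Storage device detected`)
	// The sysfs path in an "input:" line names the interface (port:config.iface)
	// the keyboard hangs off, which ties it back to the same port as the storage.
	reInput = regexp.MustCompile(`^input: .* as /devices/.*/(\d+-[\d.]+):\d+\.\d+/`)
)

// SampleLines are constructed for this example in the style of Linux kernel
// USB messages; they are not from any real ATM.
var SampleLines = []string{
	"[  100.001] usb 1-2: New USB device found, idVendor=abcd, idProduct=0001",
	"[  100.002] usb-storage 1-2:1.0: USB Mass Storage device detected",
	"[  100.003] input: Composite Gadget as /devices/pci0000:00/0000:00:14.0/usb1/1-2/1-2:1.1/0003:ABCD:0001.0002/input/input5",
	"[  200.001] usb 1-3: New USB device found, idVendor=1234, idProduct=5678",
	"[  200.002] usb-storage 1-3:1.0: USB Mass Storage device detected",
	"[  300.001] usb 1-4: New USB device found, idVendor=0c45, idProduct=7603",
	"[  300.002] input: Service Keyboard as /devices/pci0000:00/0000:00:14.0/usb1/1-4/1-4:1.0/0003:0C45:7603.0003/input/input6",
}

// Analyze correlates the lines per port and returns alerts in port order.
// maintenance is true while an operator has authenticated at the service
// keypad; outside that window any storage or keyboard is reportable, and a
// device that is both keyboard and storage is reportable regardless.
func Analyze(lines []string, maintenance bool) []Alert {
	devs := map[string]*device{}
	get := func(port string) *device {
		if devs[port] == nil {
			devs[port] = &device{}
		}
		return devs[port]
	}
	for _, raw := range lines {
		line := strings.TrimSpace(raw)
		if strings.HasPrefix(line, "[") {
			if i := strings.Index(line, "] "); i >= 0 {
				line = strings.TrimSpace(line[i+2:])
			}
		}
		if m := reNew.FindStringSubmatch(line); m != nil {
			d := get(m[1])
			d.vendor, d.product = m[2], m[3]
		} else if m := reStorage.FindStringSubmatch(line); m != nil {
			get(m[1]).storage = true
		} else if m := reInput.FindStringSubmatch(line); m != nil {
			get(m[1]).hid = true
		}
	}
	ports := make([]string, 0, len(devs))
	for p := range devs {
		ports = append(ports, p)
	}
	sort.Strings(ports)
	var alerts []Alert
	for _, p := range ports {
		d := devs[p]
		id := d.vendor + ":" + d.product
		switch {
		case d.storage && d.hid:
			alerts = append(alerts, Alert{p, "composite keyboard+storage device " + id + " (HID-emulation pattern)"})
		case d.storage && !maintenance:
			alerts = append(alerts, Alert{p, "mass storage " + id + " attached outside a maintenance window"})
		case d.hid && !maintenance:
			alerts = append(alerts, Alert{p, "keyboard " + id + " attached outside a maintenance window"})
		}
	}
	return alerts
}

func main() {
	for _, a := range Analyze(SampleLines, false) {
		fmt.Printf("ALERT port %s: %s\n", a.Port, a.Message)
	}
}
```

Run against the sample lines outside a maintenance window this reports all three ports; with `maintenance` set only the composite device on port 1-2 is still reported, which is the point: a keyboard that also carries a filesystem has no legitimate reason to be plugged into an ATM at any time.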

    11. Re:That's what you get by BosstonesOwn · · Score: 4, Informative

      Because that part of the atm is heavily protected, whereas the usb port is behind a plastic panel.

      --
      This package Does Not Contain a Winner
    12. Re:That's what you get by jeffmeden · · Score: 2

      I suppose that's a "feature", but Linux sure seemed primitive to me a few years ago when I discovered what an ordeal it was to read a floppy disk: with Windows, you just put it into the drive and it worked. I assume the same ordeal holds true today for USB sticks on Linux. (Ever wonder why "The Year of the Linux Desktop" always seems to be in the future, Linus?...)

      (posting as AC due to non-orthodox opinion favoring Windows over Linux.)

      Go ahead and take your head out of your ass, and re-read his comment: "Yes, because it's impossible to configure Linux to auto-mount all new devices, check for the presence of a specifically named file and execute commands within."

      Emphasis mine. Linux can easily auto-mount thumb drives. Many distros have it enabled out of the box. What you won't find is any that scans the drive for things to run and then does so, with elevated privileges (something present in many recent versions of Windows). Having an easy way for an attacker to steal/destroy all the data on a machine might seem like a "Feature" but it sure seems primitive... (if you need examples, confirmed attacks via unwitting use of an infected USB key on Windows systems are plentiful.)

    13. Re:That's what you get by TWX · · Score: 4, Insightful

      I think that it's stupid to allow the USB port to do anything more than provide a Human Interface Device level of access to the OS unless credentials are entered in to the machine to enable those features.

      Or, in layman's terms, AT BEST the USB port should only work for a keyboard interface as a prompt for a password until the operator is authenticated.

      It's CRIMINALLY STUPID for the USB port to provide any other kind of access by default. It should not give the OS kernel access to media plugged into it. It should CERTAINLY not automatically engage media plugged into it to read it. Arguably, it shouldn't do ANYTHING even with a keyboard plugged in until the technician servicing the machine has otherwise entered passwords, like on an internal keypad.

      --
      Do not look into laser with remaining eye.
    14. Re:That's what you get by jeffmeden · · Score: 5, Insightful

      Because that part of the atm is heavily protected, whereas the usb port is behind a plastic panel.

      All of the flames about windows vs linux are a red herring. This is the real design flaw. Any design that assumes the USB interface to the software is not just as important to protect as the cash itself completely ignores why they would ever put the USB port on there in the first place (to make material changes to the ATM software).

    15. Re:That's what you get by TWX · · Score: 3, Informative

      You mean, the trick I use on the computers I support, by password-protecting the BIOSes and restricting boot to the fixed disk only, a trick that I've used for about twenty years, was ignored on commercial-grade equipment that's responsible for the basic security of our form of government and of our financial system?

      Say it ain't so...

      --
      Do not look into laser with remaining eye.
    16. Re:That's what you get by TangoMargarine · · Score: 2

      I'm pretty sure Ubuntu (and derivatives) have had the "auto detect plugged USB, put icon on desktop, double-click to mount" practically since I started futzing with it back in 2007...and if you're going to say "Year of the Linux Desktop," you pretty much mean Ubuntu.

      QED.

      And even Windows machines don't generally have floppy drives anymore, right?

      --
      Unity? Screw that: XFCE. Slashdot Beta? Screw that: SoylentNews. Australis? Screw that: Pale Moon. UX developers DIAF
    17. Re:That's what you get by bickerdyke · · Score: 2

      Which really begs the question which idiot designed the machine with a USB port for updates and did NOT protect it properly!

      --
      bickerdyke
    18. Re:That's what you get by durrr · · Score: 4, Funny

      I guess this was a...
      STICK-up.

    19. Re:That's what you get by cusco · · Score: 3, Interesting

      You should read up on what a security nightmare the voting machines are, it's appalling. Doesn't help that there are a dozen or more manufacturers, all of them being sold on the basis of friendly back slaps with local politicians rather than actual analysis of the hardware and software (which is always closed source). Testing procedures are a joke, by design, and even systems that fail testing get sold on the promise of an update in future firmware versions. Don't overlook punch card counters either, they put out by far the largest deviations from exit polls of any of the machines.

      --
      "Think about how stupid the average person is. Now, realise that half of them are dumber than that." - George Carlin
    20. Re:That's what you get by mlts · · Score: 2

      CentOS will automount removable flash drives under the /media directory. Similar with optical media. One can disable this so media will need to be mounted manually to be used. It won't run or execute anything on the drives though... just mount it and have it usable for the user.

    21. Re:That's what you get by Archangel+Michael · · Score: 2

      With properly managed devices, USB is disabled. This is an option, even in Windows. And it is even an option at the BIOS/UEFI level on some systems. However, I wonder why they aren't using some sort of VDI for protecting the ATMs. This would prevent any direct access to the hardware running Windows.

      --
      Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
    22. Re:That's what you get by Penguinisto · · Score: 3, Interesting

      Err, not really. If we're building a *nix ATM, then you can fix it in one go: If the USB port requires elevated privs just to mount/use anything plugged into it (say, a long numbered sequence entered from the ATM keypad, unique to that machine, that would translate to a variation of "sudo /bin/mount"), the whole USB stick trick falls flat.

      Not sure if there would even be a feasible analog for that in embedded XP/CE/WE

      --
      Quo usque tandem abutere, Nimbus, patientia nostra?
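
The "HID only until the operator authenticates" policy from TWX's comment and the keypad code Penguinisto proposes above can be expressed with the kernel's own USB authorization attributes rather than a sudo wrapper around mount. The Go program below is an added example, not code from the thread: it clears `authorized_default` on the root hubs so new devices are refused, admits HID-only devices so a code can be typed, and writes `authorized=1` for a storage device only after a 12-digit code derived from a constructed per-machine key has been entered. The sysfs root is a parameter so the program can run against a scratch directory; the code derivation and the interface-class list handed to `Admit` are assumptions of the example (a real implementation would read bInterfaceClass from the device's descriptors).

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
	"os"
	"path/filepath"
)

// USB interface class codes (bInterfaceClass) the policy decides on.
const (
	ClassHID         byte = 0x03
	ClassMassStorage byte = 0x08
)

// Policy drives the kernel's USB authorization knobs (Documentation/usb/authorization.rst):
// <root>/bus/usb/devices/usbN/authorized_default and <root>/bus/usb/devices/<port>/authorized.
// SysfsRoot is "/sys" on a real machine; the demo points it at a scratch directory.
type Policy struct {
	SysfsRoot  string
	MachineKey []byte // constructed per-machine secret the keypad code is derived from
	operatorOK bool   // set once a valid code has been entered
}

func (p *Policy) sysfs(parts ...string) string {
	return filepath.Join(append([]string{p.SysfsRoot, "bus", "usb", "devices"}, parts...)...)
}

// LockDown makes every listed root hub refuse new devices until told otherwise.
func (p *Policy) LockDown(rootHubs []string) error {
	for _, hub := range rootHubs {
		if err := os.WriteFile(p.sysfs(hub, "authorized_default"), []byte("0"), 0o644); err != nil {
			return err
		}
	}
	return nil
}

// ExpectedCode derives the machine's 12-digit service code from its key
// (HMAC-SHA256 truncated to 12 decimal digits). This derivation is an
// assumption of the example; the point is that the code is unique per machine.
func ExpectedCode(machineKey []byte) string {
	mac := hmac.New(sha256.New, machineKey)
	mac.Write([]byte("service-keypad"))
	n := binary.BigEndian.Uint64(mac.Sum(nil)[:8]) % 1_000_000_000_000
	return fmt.Sprintf("%012d", n)
}

// Authenticate checks a code typed on the keypad in constant time.
func (p *Policy) Authenticate(code string) bool {
	ok := subtle.ConstantTimeCompare([]byte(code), []byte(ExpectedCode(p.MachineKey))) == 1
	if ok {
		p.operatorOK = true
	}
	return ok
}

// Admit decides whether the device at port, exposing the given interface
// classes, is authorized and writes that decision to its "authorized" file.
// HID-only devices are always allowed so the operator can type a code; any
// other class (mass storage included) needs an authenticated operator first.
func (p *Policy) Admit(port string, classes []byte) (bool, error) {
	allow := len(classes) > 0
	for _, c := range classes {
		if c != ClassHID && !p.operatorOK {
			allow = false
		}
	}
	v := "0"
	if allow {
		v = "1"
	}
	if err := os.WriteFile(p.sysfs(port, "authorized"), []byte(v), 0o644); err != nil {
		return false, err
	}
	return allow, nil
}

func main() {
	root, err := os.MkdirTemp("", "usb-policy") // scratch stand-in for /sys
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(root)
	p := &Policy{SysfsRoot: root, MachineKey: []byte("constructed-per-machine-secret")}
	for _, d := range []string{"usb1", "1-2"} {
		os.MkdirAll(p.sysfs(d), 0o755)
	}
	if err := p.LockDown([]string{"usb1"}); err != nil {
		panic(err)
	}
	ok, _ := p.Admit("1-2", []byte{ClassHID})
	fmt.Println("keyboard admitted:", ok)
	ok, _ = p.Admit("1-2", []byte{ClassMassStorage})
	fmt.Println("storage admitted before code:", ok)
	fmt.Println("operator authenticated:", p.Authenticate(ExpectedCode(p.MachineKey)))
	ok, _ = p.Admit("1-2", []byte{ClassMassStorage})
	fmt.Println("storage admitted after code:", ok)
}
```

Because the kernel never binds a driver to an unauthorized device, a stick plugged in before the code is entered is not mounted, not read and not booted from, which is the property both comments are asking for; the authorization attributes exist on stock kernels, so this needs no Windows-versus-Linux argument.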
    23. Re:That's what you get by i+kan+reed · · Score: 3, Informative

      Windows doesn't do that anymore either. It gives the user an option to invoke autoruns, but doesn't trigger them.

      Attacks on USB tend to target the drivers these days, not the OS.

    24. Re:That's what you get by Jah-Wren+Ryel · · Score: 2

      It's CRIMINALLY STUPID for the USB port to provide any other kind of access by default. It should not give the OS kernel access to media plugged into it. It should CERTAINLY not automatically engage media plugged into it to read it.

      There is at least one exploit out there that relies on fragility in the USB firmware - the code that auto-negotiates with a USB device when it gets plugged in, sets up the bus, etc. The exploit works by sending unexpected data (buffer overflow, out-of-range values, etc).

      That kind of exploit works even if the OS does not autoplay or even automount.

      --
      When information is power, privacy is freedom.
    25. Re:That's what you get by Joce640k · · Score: 3, Informative

      It's CRIMINALLY STUPID for the USB port to provide any other kind of access by default.

      Remember: This feature was brought to you by the same company who thought it was a good idea to execute .exe files attached to emails without even asking you.

      --
      No sig today...
    26. Re:That's what you get by Joce640k · · Score: 2

      They're federally insured so they don't care...

      --
      No sig today...
    27. Re:That's what you get by Anonymous Coward · · Score: 5, Informative

      The USB port is enabled to write the Electronic Journal when Brinks or whoever comes by to refill the ATM. The copy of the journal is then given to the institution responsible for the ATM.

    28. Re:That's what you get by Jah-Wren+Ryel · · Score: 2

      Sounds apocryphal.
      But it sounds like a way to hack a usb device, rather than the computer that hosts it.

      It is that precise mechanism by which the PS3 was fully jailbroken

      http://thexploit.com/secnews/ps3-heap-overflow-exploit-explained/

      After all, USB sticks don't have much in the way of computing power.

      Lol, who can take you seriously after such a statement? People are putting entire PCs in USB stick form factors. Dell's got their "thumb PC", Google has their Chromecast, and there are plenty of no-name Chinese units too.

      Buffer overruns from an input device are trivial to prevent. And even windows does that these days.

      That's what we in the security biz call "famous last words."

      --
      When information is power, privacy is freedom.
    29. Re:That's what you get by icebike · · Score: 2

      At this point I am now convinced you don't have a fuckin clue how security exploits work. Enjoy your ignorance. It's all you've got.

      Apparently I have a better idea of it than you do. You seem to think you can walk by a USB socket with a thumb drive and it roots whatever operating system happens to be installed on said computer.

      That is bullshit of the highest order. You've been watching too much TV.

      --
      Sig Battery depleted. Reverting to safe mode.
    30. Re:That's what you get by Patch86 · · Score: 2

      Pro-tip- most ATMs (I work for a financial, so have seen a few) have only a single locked front panel that is opened up to gain access to the internals (with only the cash in a more secure safe box inside that). ATMs in busy areas will be serviced pretty much every day. If you want a good look at where the various internals are (including any USB ports), all you'd need to do is hang around the ATM until someone comes to service it- everything you need to see will be right there on display. Take a snap with your smartphone and study it at leisure.

      Not that I'd disregard an "inside job"- servicing ATMs is hardly highly skilled work, and most normal branch cashiers at most banks will be trained in it. Certainly possible that the thieves are former (or current) bank employees.

    31. Re:That's what you get by Patch86 · · Score: 2

      Why is the USB "auto-running", rather than waiting for the user to log in with secure verification (maybe a hard-token) and prompting the USB to load? Why is the OS willing to run a firmware update which isn't signed with some sort of trusted protocol?

      You're right that it isn't the OS's fault per se, but it is the fault of the software/OS as it was set up. There should be no reason why Windows can't be set up sensibly to prevent these issues, and there's definitely no reason why Linux couldn't be. Someone who wrote or set up that software cocked it up, pure and simple.

  2. Barnaby jack jackpotting ATMS by bleh-of-the-huns · · Score: 4, Informative

    Google the subject, he performed this attack live at both Blackhat and Defcon 18. It was definitely an eye opener, and one of the reasons I tend to avoid those rental ATMs you see in mom and pop stores, and restaurants/bars...

    yes I realize that even the major Bank ATMs are susceptible, but at least with a major bank you have some recourse if you have issues.

    --
    I came, I conquered, I coredumped
    1. Re:Barnaby jack jackpotting ATMS by retroworks · · Score: 3, Informative
      --
      Gently reply
  3. Re:Moral of the story by Anonymous Coward · · Score: 2, Insightful

    How exactly would a video camera prevent a masked marauder from drilling?

  4. Re:Moral of the story by alexander_686 · · Score: 2

    Well, there is nothing to indicate anything is wrong. The ATM machines still look like they are functioning normally from the operations center and the tapes are (normally) only reviewed if they suspect something has gone wrong. It’s not like they have a bank of rent a cops monitoring these things 24/7.

  5. Re:Moral of the story by Crudely_Indecent · · Score: 4, Insightful

    When has a video camera ever stopped someone from doing exactly what they intend to do? Youtube is full of examples of people behaving badly in front of a video camera (sometimes - because of the video camera)

    Sure, video cameras may cause people to reconsider their behavior - but a criminal intent on committing a crime will just wear a mask or disable the camera with some high-tech sticky tape. If the group is repairing the machines so their modification can't be detected - nobody would be the wiser. They might consider the tape to be the work of a prankster and peel it off.

    Maybe if the video camera was attached to a flame-thrower - that might do the trick.

    --
    "Lame" - Galaxar
  6. Why did we get rid of OS2 on the ATM's? by Joe_Dragon · · Score: 2

    that one was hard to hack

  7. Re:Moral of the story by Richard_at_work · · Score: 4, Informative

    In the UK you cannot access the internals of the ATM unit without either accessing the rear of the machine, which is locked away in the safe that they mention, or by cutting into the fascia of the external face, which is what they did here.

    You cannot gain access to the ATM simply by using a key bought off of the internet.

    And yes, most ATMs in the UK have a video camera on them to help identify fraudsters, but that does NOT help prevent the fraud from occurring because someone would have to watch it in real time and intervene. In fact they identified just how this hack was occurring by watching the CCTV footage to see just how the money was going missing, because it wasn't triggering any other alarms.

  8. Re:Moral of the story by Rob+the+Bold · · Score: 2

    Video cameras to prevent drilling of the outer shell was never considered?

    Right. Every bank I've ever been in in the last . . . many . . . years has cameras all around, including pointed at the 24-hour ATMs. So I guess you'd do it as surreptitiously as possible so it wouldn't necessarily get noticed on the footage without carefully watching it. Then don't do anything for a while, preferably long enough that the footage with the tampering has been overwritten -- or at least long enough that it's tedious and time-consuming to look through everything and you've got the money and made your getaway. Also, having someone else do the dirty work is always a good idea, like the POS tamperers/vandals/thieves/skimmers that hit Michaels stores using Armenian LA street gang members or something like that as contractors to collect the cash with forged debit cards. I'm probably mixing up several stories there, but the concept is the important thing, not the specific details of any one specific crime.

    --
    I am not a crackpot.
  9. How do we prevent this? by EMG+at+MU · · Score: 4, Informative

    I feel like I might know how something like this happened.

    Dev: "Hey we need to spend some time on security, for example the USB ports are not disabled, if we want to use them for service we should put authentication on them."
    Project Manager: "Well, you have a point but none of our competitors focus on security either and we're also behind on the project. It will be fine and we can fix it next time"

    As an embedded dev I have had that conversation.

  10. Oh, ffs. by ledow · · Score: 5, Insightful

    Fail #1: A port that can be accessed without triggering an alarm.
    Fail #2: A USB port.
    Fail #3: Software running that looks at, and allows unsigned executable code to be executed from, a USB storage device without explicit authorisation.
    Fail #4: No intrusion detection whatsoever to notice that this USB device has been inserted, has had code taken from it, that that code has been made executable and executed, or that that code is running with privilege enough to dispense cash.

    I stopped caring at #2, if I'm honest.

    You can state for all the world that the ATMs need software updates, etc. but there's just no excuse for a commodity device to be able to run arbitrary code without at least BOTHERING to check the authenticity of the code it runs first and ALERTING someone somewhere that that's what's happening (i.e. alert the branch, alert the central bank, etc.).

    There's nothing stopping you issuing your updates over the local banking network, even, if that's what you want to do. Just make sure they are signed, verified, encrypted and secured. Honestly, you can't download a fecking game or movie nowadays without requiring DRM... and this is where DRM, code-signing and all that other stuff we do is supposed to be being used the most.

    General purpose computers SHOULD NOT BE USED in security-conscious situations.

    If your ATM isn't a SecureBoot machine (at a minimum), with code-signing explicitly required for any and all updates, and ALL WAYS to execute external code disabled, you're just a fecking idiot.
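
lgw's point above that the images aren't signed, and ledow's demand here for code-signing on every update, come down to one check the ATM must pass before it touches flash. The Go program below is an added example, not code from the thread or from any ATM vendor: it wraps an update image in a constructed container signed with Ed25519 and shows the verifier rejecting a raw unsigned image, a truncated package, a single flipped byte, and a package signed under a different key. The container layout, the `magic` tag and the key handling are assumptions of the example; in practice the vendor's public key would be pinned in the ATM image and the private key would never leave the build system.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed container layout for this example (not any vendor's format):
//   magic (8 bytes) || image length (8 bytes, big endian) || image || Ed25519 signature (64 bytes)
// The signature covers everything before it, so neither the length field nor
// the image can be altered without invalidating it.
var magic = []byte("ATMUPDv1")

const (
	headerLen = 16
	sigLen    = ed25519.SignatureSize
)

// SignImage wraps an update image in the signed container. The private key
// belongs to the vendor's build system and is never present on the ATM.
func SignImage(priv ed25519.PrivateKey, image []byte) []byte {
	var lenBuf [8]byte
	binary.BigEndian.PutUint64(lenBuf[:], uint64(len(image)))
	pkg := make([]byte, 0, headerLen+len(image)+sigLen)
	pkg = append(pkg, magic...)
	pkg = append(pkg, lenBuf[:]...)
	pkg = append(pkg, image...)
	return append(pkg, ed25519.Sign(priv, pkg)...)
}

// VerifyImage accepts only a well-formed container whose signature checks out
// under the pinned vendor public key, and returns the image inside it. A raw
// (unsigned) image, a truncated package, a tampered byte or a package signed
// with some other key all fail here before anything is written to flash.
func VerifyImage(pub ed25519.PublicKey, pkg []byte) ([]byte, error) {
	if len(pub) != ed25519.PublicKeySize {
		return nil, errors.New("bad public key length")
	}
	if len(pkg) < headerLen+sigLen || !bytes.Equal(pkg[:8], magic) {
		return nil, errors.New("not a signed update package")
	}
	n := binary.BigEndian.Uint64(pkg[8:headerLen])
	if n != uint64(len(pkg)-headerLen-sigLen) {
		return nil, errors.New("length field does not match package size")
	}
	body, sig := pkg[:len(pkg)-sigLen], pkg[len(pkg)-sigLen:]
	if !ed25519.Verify(pub, body, sig) {
		return nil, errors.New("signature verification failed")
	}
	// Copy out so the caller never holds a slice aliasing the untrusted buffer.
	return append([]byte(nil), body[headerLen:]...), nil
}

func main() {
	// Key generation stands in for the vendor's offline signing key (constructed).
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	image := []byte("constructed update image: not real ATM firmware")
	pkg := SignImage(priv, image)
	if img, err := VerifyImage(pub, pkg); err == nil {
		fmt.Printf("accepted %d-byte image\n", len(img))
	}
	tampered := append([]byte(nil), pkg...)
	tampered[headerLen] ^= 0x01 // first byte of the image
	_, err = VerifyImage(pub, tampered)
	fmt.Println("tampered image:", err)
	_, err = VerifyImage(pub, image)
	fmt.Println("unsigned image:", err)
}
```

The check is cheap and has no dependency on the operating system underneath, which is why it belongs in the update path regardless of whether the ATM runs Windows, Linux or OS/2; the part that takes discipline is keeping the signing key off the field units and off the USB sticks the service crews carry.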

  11. Re:Moral of the story by lgw · · Score: 2

    In most countries it depends on the ATM - there are many different kinds of ATMs installed in many different ways. Is there really some standard in the UK? Are there not cheap ATMs in convenience stores that are very different from the big ATMs next to banks?

    Pretty much all ATMs these days have a camera, sure, but it typically records images on storage in the ATM. After the attack, it's going to have whatever comical pictures the attackers want it to have.

    --
    Socialism: a lie told by totalitarians and believed by fools.
  12. Inside Job by Princeofcups · · Score: 2

    When I worked at ABN/AMRO, I would pass the locked ATM machine engineering room, and wonder what could happen if one of these people was fired. Now we know.

    --
    The only thing worse than a Democrat is a Republican.
  13. Software security in finance is surprisingly low by quietwalker · · Score: 5, Informative

    I used to write financial software for a living, including ATM driving software.

    I realized, after a while, that I had certain preconceived notions about the sort of software and hardware that is running on these sorts of high profile, high risk systems. Obviously, the software will have been made highly secure; redundant checks on every action, code signing, etc. It'd likely be running a custom operating system that was built from the ground up and booted off a (P)ROM. The case would be just as impenetrable, with a separate compartment for the computer itself, requiring specialty equipment so that it could only really be opened at the point of origin or in a manner certain to destroy the innards - and certainly not in the field.

    Right? I mean, any of us can think up a set of reasonably secure basic premises from which we could build a system like this.

    Imagine my surprise when I found out that half of the ATMs out there are just running off the shelf windows desktops, with the original demo software still installed. There's no real optimization, no cleanup, no limited boot, nothing; it's just a desktop machine jammed in a vending machine with a custom card & cable for driving the mechanics of the ATM. Sometimes they're even in the original manufacturer's case (though usually they're just the board). I've also done some work on vending machines, and I can tell you that they're often better made!

    As a software developer, one of the things I was shocked to see was that security for ATMs was almost entirely focused on the physical. There's little to stop someone from hooking up an external line and sending approvals or just do basic proxying - most of the data is sent in the clear, just skim it, or to update the system with a cd or usb if you pull the front cover of the ATM off. Many times, you'll find someone left a keyboard and mouse behind in the unit because it's a pain to always carry your own when doing updates or what have you.

    This follows the same basic trend in the rest of the financial systems I've seen; physical security is very high, software security is relatively low. When it comes down to it, most companies place a focus on tracking transactions rather than securing them, and rely on constant manual review by staff to detect problems (that's why banks close so early - the folks who don't run the registers are in the back doing the day's reconciliation).

  14. Crooks are better at security than the banks!! by cs668 · · Score: 4, Interesting

    At least they built a challenge response system into their hack, that's just f*'ing funny to me!!

  15. Who left autorun turned on? by Animats · · Score: 2

    Plugging something into a USB port is only effective as an attack if autorun is turned on in Windows. You can turn it off for all pluggable devices. A file system device is still recognized as having a file system, but something has to go to the device and get a file before anything happens.

    Running Windows on an ATM is lame, but common. Running a desktop version of Windows, instead of Windows Embedded (which allows removing all the stuff that shouldn't be there) is just stupid.

  16. From the 30c3 Electronic Bank Robberies talk by ampmouse · · Score: 2

    Details of the exploit were presented Friday during the "Electronic Bank Robberies" talk at Chaos Communication Congress, yet somehow the Slashdot article completely misses that. You can watch the talk on Youtube or download the MP4 Video(172M) if you want to watch the original talk.

  17. Re:Moral of the story by roc97007 · · Score: 2

    How exactly would a video camera prevent a masked marauder from drilling?

    I dunno, another panel opens and a white gloved hand on one of those scissors-like extensions comes out and slaps the thief silly? I'm pretty sure I saw that on a Bugs Bunny cartoon. Or maybe it was one of the Star Wars prequels, I forget.

    --
    Oliver's law of assumed responsibility: If you're seen fixing it, you will be blamed for breaking it.
  18. Joanna Rutkowska covered USB exploits by Burz · · Score: 2

    Here in this blog post: http://theinvisiblethings.blogspot.com/2011/06/usb-security-challenges.html

    It is definitely a concern to her Qubes OS project.