Slashdot Mirror

← Back to Stories (view on slashdot.org)

USB Sticks Used In Robbery of ATMs

Posted by samzenpus on from the crime-on-a-stick dept.

First time accepted submitter JeffOwl writes "BBC is reporting that thieves are infecting ATMs with malware using USB sticks. The malware creates a backdoor that can be accessed at the front panel. The thieves are damaging the ATM to access a USB port then patching it back up to avoid notice. This indicates that the crew is highly familiar with the ATMs in question. Once the ATM is infected, the thieves use a 12 digit code to bring up the alternate interface. The thieves, not wanting their crew to go rogue, have built a challenge-response access control into their software and must call another member who can generate the response for them."

9 of 252 comments (clear)

  1. That's what you get by fisted · · Score: 5, Insightful

    That's what you get from running Windows on ATMs, lol.

    --
    CLI paste? paste.pr0.tips!
    1. Re:That's what you get by Anonymous Coward · · Score: 5, Funny

      Mod parent up! Linux machines are impenetrable, even if an expert has physical access. This is why Torvalds gets so aggressive: he keeps locking himself out of his testing machines and has to buy new ones.

    2. Re:That's what you get by Spy+Handler · · Score: 5, Insightful

      no, this is what you get when you put a USB port on a frigging ATM. Whose bright idea was that anyways?

    3. Re:That's what you get by asmkm22 · · Score: 5, Insightful

      The USB port is pretty well hidden and secure, which is why the article points out the fact that the thieves appear to be familiar with the machines enough to know where and how to best break that part open. Even the best of security measures won't hold up against an inside job.

    4. Re:That's what you get by lgw · · Score: 5, Informative

      That's what you get from running Windows on ATMs, lol.

      No, it really isn't. I've seen this demo'd at a security conference, and the OS has nothing at all to do with the attack. ATMs have a USB port which can be used to replace the firmware. The port is behind a simple lock, not in the vault with the money.

      This attack replaces the OS on the ATM with the image the attacker provides. What the OS was before the attack really isn't all that relevant. The fact that images aren't signed or anything is.

      --
      Socialism: a lie told by totalitarians and believed by fools.
    5. Re:That's what you get by jeffmeden · · Score: 5, Insightful

      Because that part of the atm is heavily protected, whereas the usb port is behind a plastic panel.

      All of the flames about windows vs linux are a red herring. This is the real design flaw. Any design that assumes the USB interface to the software is not just as important to protect as the cash itself completely ignores why they would ever put the USB port on there in the first place (to make material changes to the ATM software).

    6. Re:That's what you get by Anonymous Coward · · Score: 5, Informative

      The USB port is enabled to write the Electronic Journal when Brinks or whoever comes by to refill the ATM. The copy of the journal is then given to the institution responsible for the ATM.

  2. Oh, ffs. by ledow · · Score: 5, Insightful

    Fail #1: A port that can be accessed without triggering an alarm.
    Fail #2: A USB port.
    Fail #3: Software running that looks at, and allows unsigned executable code to be executed from, a USB storage device without explicit authorisation.
    Fail #4: No intrusion detection whatsoever to notice that this USB device has been inserted, has had code taken from it, that that code has been made executable and executed, or that that code is running with privilege enough to dispense cash.

    I stopped caring at #2, if I'm honest.

    You can state for all the world that the ATM's need software updates, etc. but there's just no excuse for a commodity device to be able to run arbitrary code without at least BOTHERING to check the authenticity of the code it runs first and ALERTING someone somewhere that that's what's happening (i.e. alert the branch, alert the central bank, etc.).

    There's nothing stopping you issuing your updates over the local banking network, even, if that's what you want to do. Just make sure they are signed, verified, encrypted and secured. Honestly, you can't download a fecking game or movie nowadays without requiring DRM... and this is where DRM, code-signing and all that other stuff we do is supposed to be being used the most.

    General purpose computers SHOULD NOT BE USED in security-conscious situations.

    If your ATM isn't a SecureBoot machine (at a minimum), with code-signing explicitly required for any and all updates, and ALL WAYS to execute external code disabled, you're just a fecking idiot.

  3. Software security in finance is surprisingly low by quietwalker · · Score: 5, Informative

    I used to write financial software for a living, including ATM driving software.

    I realized, after a while, that I had certain preconceived notions about the sort of software and hardware that is running on these sorts of high profile, high risk systems. Obviously, the software will have been made highly secure; redundant checks on every action, code signing, etc. It'd likely be running a custom operating system that was built from the ground up and booted off a (P)ROM. The case would be just as impenetrable, with a separate compartment for the computer itself, requiring specialty equipment so that could only really be opened at the point of origin or in a manner certain to destroy the innards - and certainly not in the field.

    Right? I mean, any of us can think up a set of reasonably secure basic premises from which we could build a system like this out of.

    Imagine my surprise when I found out that half of the ATMs out there are just running off the shelf windows desktops, with the original demo software still installed. There's no real optimization, no cleanup, no limited boot, nothing; it's just a desktop machine jammed in a vending machine with a custom card & cable for driving the mechanics of the ATM. Sometimes they're even in the original manufacturer's case (though usually they're just the board). I've also done some work on vending machines, and I can tell you that they're often better made!

    As a software developer, one of the things I was shocked to see was that security for ATMs was almost entirely focused on the physical. There's little to stop someone from hooking up an external line and sending approvals or just do basic proxying - most of the data is sent in the clear, just skim it, or to update the system with a cd or usb if you pull the front cover of the ATM off. Many times, you'll find someone left a keyboard and mouse behind in the unit because it's a pain to always carry your own when doing updates or what have you.

    This follows the same basic trend in the rest of the financial systems I've seen; physical security is very high, software security is relatively low. When it comes down to it, most companies place a focus on tracking transactions rather than securing them, and rely on constant manual review by staff to detect problems (that's why banks close so early - the folks who don't run the registers are in the back doing the day's reconciliation.