10

This question is using ATMs as an example, but it could apply to any number of 'secure' devices such as poker machines, E-voting machines, payphones etc.

Given that ATMs are relatively hardened (in comparison to say, most consumer electronics for example), what would be the process of reverse engineering a device in a black-box AND limited access scenario?

Given that traditionally, an end user of a device such as an ATM will only ever have access to the keypad/screen/card input/cash outlet (at a stretch, access to perhaps the computer housed in the top of the plastic casing (think private ATMs at small stores etc.)), it seems like most attack vectors are quite limited. Under these types of circumstances, what could be done to reverse, understand and potentially exploit hardened, limited access systems?

Is the 'ace up the sleeve' kind of situation here physical access to the ATM components? Or is there a way to RE a device from within the environment a user is presented?

NULLZ
  • What information are you trying to obtain? Hardware components? Software code? Transaction logs? Keys? Countermeasures? – Gilles 'SO- stop being evil' May 08 '13 at 14:00
  • hardened? aren't they just stupid PCs? – Ange May 08 '13 at 14:22
  • @Ange it depends on the implementation, I've personally seen lightweight WinXP environments deployed, but I've also seen Linux distros and other 'unknown' environments. How could you even go about determining -what- the environment is? Only thing I could think of is watching the POST screen load if you re-set the power somehow – NULLZ May 08 '13 at 14:46
  • @Gilles Well, to get the device to do something that it's not supposed to let you do would be the end goal, in ATMs it's a case of getting cash or stealing card information, in the case of voting machines it's casting more than one vote etc. Doesn't have to be specific to ATMs per se. – NULLZ May 08 '13 at 14:48
  • @D3C4FF “to get the device to do something that it's not supposed to let you do” isn't RE, it's an attack. RE may be an attack path. This interpretation makes your question even broader! You're asking us to write the book on ATM security. Please edit your question down to something manageable, as right now it's calling for a collection of ATM security tips. – Gilles 'SO- stop being evil' May 08 '13 at 16:49
  • I really don't get the question. ATMs aren't really that well protected if you have access to the outer container. I can't conceive of a situation where you couldn't get hold of hardware to RE. – Cybergibbons May 08 '13 at 22:24

3 Answers

11

Some information might be found in Barnaby Jack's BlackHat presentation:

The most prevalent attacks on Automated Teller Machines typically involve the use of card skimmers, or the physical theft of the machines themselves. Rarely do we see any targeted attacks on the underlying software.

Can't find the presentation or the whitepaper atm (no pun intended), but I'm sure you'll get some information/directions from the talk.

Apart from this kind of reversing where you can do whatever you want with the machine, if you just have limited access to it (can't open it or whatever), I guess your best bet would be to play around with what's available. Some of those machines have USB ports for peripherals with which you could play. Something like Teensy might come in handy for automating stuff.

Also, most of those machines can be connected to some sort of a network, so scanning, sniffing and similar tricks could yield more results.

Be careful with what (or whose machines) you play with, don't be this guy.

0xea
  • Yeah, I've come across these presentations before, but the problem is he had physical access to this machine for an extended duration in which he was able to RE any component he wanted as he had access to everything... – NULLZ May 08 '13 at 14:49
  • Well, if you don't have an extended physical access to an ATM (you don't own it that is) I'd strongly advise against messing with it. – 0xea May 08 '13 at 15:01
  • It's not something I intend on doing illegally if that's what you're implying. Incidentally, I will have legitimate access to several ATMs and I'm curious to see what other potential avenues of attack people can come up with – NULLZ May 08 '13 at 15:15
  • Sorry, didn't mean to imply anything. I'll edit my answer with some other ideas. – 0xea May 08 '13 at 15:22
  • Added a sort of disclaimer at the end, for others that might stumble upon this topic. – 0xea May 08 '13 at 15:31
  • What happened to "this guy"? – Cybergibbons May 08 '13 at 22:25
  • I don't think anything happened, just think it wasn't very smart of him to do that in the first place. – 0xea May 09 '13 at 07:27
  • That direct download link (currently) gives me a "file does not exist". – Till May 10 '13 at 10:17
  • You are correct, that's odd, I'm pretty sure it worked just a few days ago... I'll remove it. – 0xea May 10 '13 at 12:27
5

You can't do much without physical access, if not to the specific machine you're attacking then to the same or similar model. That's what Barnaby Jack did - he ordered 3 ATM machines and investigated them at home. I suppose there may be service menus reachable from the normal screen by some key combinations but I wouldn't count on it.

Once you know the specific system you can look for the ways in. E.g. supposedly some POS terminals (possibly ATMs too) can be attacked with a "Trojaned" card, though I'm kinda skeptical about such claims. A probably more plausible attack is to find the dial-up line the ATM is connected to, and log into it using a default/factory password, or via a vulnerability in the login process or the network protocol.

Igor Skochinsky
5

All ATMs that I am aware of and have worked on in a past life have a way to get into 'admin' mode either from the front or a rear keypad. Methods vary. Sniffing a network probably won't help as the communication is encrypted. That said, buy one:

http://www.atmexperts.com/used_atm_machines.html
http://www.bellatm.net/Default.asp

Then you'll have all the time and access you could want - and, unless you misuse anything learned, will avoid prison.

Marc