Remote ATM Vulnerability – JACKPOT!

At the BlackHat 2010 USA conference in Las Vegas this week, Barnaby Jack, Director of Security Testing at IOActive, was able to demonstrate remotely gaining control of not one, but two ATM machines that he purchased – causing both of them to empty their cash contents onto the stage.

During the session, entitled “Jackpotting Automated Teller Machines Redux”, Jack described the attack methods available on an ATM, including card skimmers, physical ram-raids, shoulder surfing, safe cutting via frontal attacks, data breaches, and even explosives. The most prevalent attacks on ATMs, however, typically involve the use of card skimmers, or the physical theft of the machines themselves, as these are both physically and technically less challenging. Jack noted that it is rare to see any targeted attacks on the underlying software. But, Jack was about to show the audience something rare.

By design, there is a limited attack surface to exploit on an ATM machine: the card reader, the keypad, the network or dial-up service, or the internal motherboard via USB or SD/CF card slot. There are basically two ways to conduct the attack, either through physical or remote means.

For the physical, ‘walk-up’ attack, one can simply identify the brand of the ATM, search online for the key that opens the outer shell of the ATM (used to expose the internal computer system and safe), and install their customized software (aka, rootkit) via the available SD/CF or USB slots. Bingo! Access is granted. Of course, as the method describes, this requires physical access to the machine that could easily lead to the thief being caught and exposed as one of those dumb criminals seen on TV.

The alternative, a remote attack, gives the attacker complete control of the ATM from a remote location. In order to gain remote access, the attacker must first exploit a vulnerability in the ATM machine’s authorization process located in the remote control software, which happens to be ‘On’ by default for most ATMs, Jack said.

In Jack’s first demonstration of a remote attack, once access had been established through the remote management exploit, Jack executed an update command that allowed him to install his customized rootkit. After an ATM reboot, and with the rootkit installed, Jack could then query the machine for its network settings and its physical location. Walking over to the compromised machine and inserting a custom credit card (or entering a special key sequence), Jack was granted access to the custom menu he had built. From this menu, Jack was able to select any of the menu options available to him, four of which allow him to empty each of the four cash containers. Jack selected one of the containers, and out came the money. Jackpot!

In Jack’s second demonstration, a similar exploit was performed. But in this case, Jack emptied one of the containers remotely – giving the unsuspecting passersby a Jackpot of their own. In this case, the jackpot included IOActive cash, granting the bearer access to an IOActive event to be held later during the conference.

With all of the cash extracted, one might think that remote control over the ATM is no longer valuable. This is so not the case. Jack demonstrated how his customized ATM control software could track each and every card inserted into the ATM, then remotely download the log file containing this recorded information and save it to his laptop. Of course, this information could be sold on the black market.

While there have been a number of ATM breaches, such as in 2008 when several Citibank-branded ATMs located in 7-Eleven convenience stores were compromised to extract account numbers and PINs, Jack’s demonstration certainly brought a sense of Vegas-worthy drama to the problem the ATM manufacturers, clients, and consumers face.