Hacking ATMs: No Malware Required

Inexpensive Computer Used to Directly Control Cash Dispenser
Hacking ATMs: No Malware Required

Two researchers have demonstrated how ATMs could be hacked - without installing malware - by connecting a tiny computer to a port inside of the machine, bypassing the ATM's own computer, and instructing the cash dispenser to begin giving out money.

See Also: Moving from Vulnerability Management to Effective Vulnerability Response

At last week's Black Hat Europe conference in Amsterdam, Russian penetration-testing experts Alexey Osipov and Olga Kochetova described how they tested the attack method on several ATMs. They say they successfully programmed a credit-card-sized Raspberry Pi computer, which can be connected to the inside of an ATM, for use as a "hardware sniffer" as well as a malicious controller. The device can, for example, intercept PIN codes, as well as send directions directly to different components inside the ATM enclosure, telling them to dispense cash or open the safes in which the cash is stored.

The recent rise in ATM malware attacks has led to warnings from law enforcement agencies that ATM operators must beef up the physical security of their money machines. The LINK Scheme, for example, which is the U.K.'s interbank network of ATMs operators, maintains physical security recommendations for ATM operators, and recommends a variety of countermeasures that could help thwart malware - or the proof-of-concept Raspberry Pi attacks. Those include replacing the default locks issued by most vendors and monitoring ATMs with cameras.

Direct Control of ATM Components

The researchers' proof-of-concept attack relies, in part, on a set of standard programming interfaces, or APIs, that are built into most ATM host computers and components, including text displays, card readers, PIN pads and the dispenser units. These APIs are known as XFS - which stands for "extensions for financial services" - and are used by many manufacturers' components to communicate with each other.

By using these APIs, however, an attacker could bypass the ATM's own host computer, and communicate directly with the different peripherals installed inside the ATM enclosure, Osipov tells Information Security Media Group, speaking on the condition that his employer not be identified. Likewise, any vulnerabilities present in the ATM's operating system might also be exploited.

Raspberry Pi: Easy to Disguise

The researchers chose the Raspberry Pi computer for the testing of the ATM hacking technique, Ospirov says, because "we wanted something small that we could add to an ATM and it would work within it, and [to] give ... financial IT security guys the knowledge that some device could be inserted into ATMs in such a way that it won't be noticed by the service engineers who exchange cassettes."

The Russian researchers ran their tests on an ATM machine they purchased from a smaller ATM manufacturer, as well as machines for which they'd been hired - by ATM operators - to conduct penetration testing. While the researchers say they have disclosed related vulnerabilities directly to ATM manufacturers, they declined to specify the machines they tested, or the vendors involved. But they noted that one vendor replied that because it was no longer producing the vulnerable piece of hardware, it didn't plan to issue a related fix, despite the hardware still being used in the field.

Physical Security Concerns

Before a computer can be installed inside an ATM, however, an attacker needs to gain physical access to the enclosure itself, and then plug their device into an Ethernet, USB or RS-232 port. But as recent malware attacks in Eastern Europe and Western Europe have shown, criminals are getting better at not just locating unattended ATMs, but also procuring the keys required to access ATM enclosures, plugging in a USB drive that installs malware on the targeted system, and then rapidly dispensing as much money as possible.

If attackers wanted to instead intercept all of the card numbers and PIN codes used at the machine, however, they would want to install a device, disguise it and then get away as quickly as possible. To test that scenario, the researchers timed how long it took them to install their computer inside the device and then lock it up. "We [know] that in several minutes, there will be an alarm in the processor that the ATM is not working, that it's been opened, and [the operator] will issue a security-response team that will go to the ATM and find anything that happened," Osipov says.

From start to stop, however, the researchers say they were able to unlock the ATM enclosure, install their computer and bring it online, then re-lock the ATM enclosure, in just two minutes. "You can be recorded on the [ATM's] video feed, but the video feed could be managed, exactly the same way as other devices [inside] the ATM," Osipov says.

How To Secure ATMs

What's required to address the potential new ATM hacking threat, the researchers say, is for vendors to begin conducting penetration tests of their devices, as well as for ATM operators to improve the physical security of their machines. They also recommend that the ATM industry collaborate on a new, open specification for the components inside an ATM to communicate securely with each other, as well as authenticate each other. Using such a system, any instructions received from an unauthorized computer that was connected to an internal ATM port could be ignored.

"Hacking ATMs with a small computer like Raspberry Pi should be impossible, but it isn't," Osipov says.

Additional Summit Insight:
Hear from more industry influencers, earn CPE credits, and network with leaders of technology at our global events. Learn more at our Fraud & Breach Prevention Events site.

About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the Executive Editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, amongst other publications. He lives in Scotland.

Around the Network