[cb16] ATMs: how to break them to stop the fraud. By Olga Kochetova & Alexey Osipov
TRANSCRIPT
ATMs: how to break them to stop the fraud
Olga Kochetova, Alexey Osipov
Kaspersky Lab
root@root:~# whoami
Penetration Testing Department, Kaspersky Lab
• @_Endless_Quest_, @GiftsUngiven
• ATM and POS security assessment
• Penetration Testing
• Forensic Investigation
Speakers at many IT events
Authors of multiple articles, research papers and advisories
What is ATM
Lego
About hardware
About software
• Host (computer)
  • MS Windows (Windows XP!!1)
  • GUI and device control
  • Antivirus/Integrity control software
  • Video surveillance
  • Radmin/TeamViewer and other crap
• Devices
  • Some microcontrollers with RTOS
About logic
Level 0
Cassettes
• Secure casing
• Tamper proof
• Tamper evident
• Tracking system
• Cash spoiling devices
• Alarms
Cash
• Easily traceable
• Can't be extracted from cassettes with force
Cards
• No static data
• Dynamic data can't be relayed
• Secrets that the dynamic data is based upon can't be extracted
Level 0
Level 1
Dispenser
• Contains cassettes
  • Cash cassettes
  • Reject cassette
• Manages mechanics
• Sends statuses
• Receives commands
Card reader
• Identifies the user and his account
• Can provide authentication capabilities
  • EMV
  • Match-on-card for biometric data
PIN pad
• Commonly used to enter authentication data
• Also used to enter the amount of money
• Sometimes can be combined with a keyboard
Biometric authentication devices
• Grab physical properties of the user for authentication
• Multiple flavors: iris, fingerprint, voice, face, vein, etc.
Dispenser/Card reader/PIN pad
• Commands are authenticated
• Communications are encrypted
• Firmware is modification proof
• Sensitive data is separately protected
Level 1 - Dispenser/Card reader/PIN pad
• Only a minimal set of commands is authenticated
• Communications are NOT encrypted
• Firmware can be modified
• Sensitive data is separately protected
Level 2
Communication lines
• Buses
  • USB
  • SDC (RS485)
  • CAN
• Lines
  • COM (RS232)
  • GPIO
Communication lines
• Data in transit is encrypted with an additional layer, separately from the application data
• Tampering with cables disables the device, and re-enabling it requires physical manipulation
Level 2 - Communication lines
• Data in transit is NOT additionally encrypted
• Tampering with cables disables the device only on some models, and only with additional modules or a firmware update
Video: Black box
Level 3
Service providers
• User-space software communicating with hardware units
• Created by device manufacturers
• No single standard for communication
XFS
• eXtension for Financial Services
• Provides interoperability between different vendors of hardware and different producers of software
"Windows application"
• Graphical user interface
• Network client
• Service mode
  • Technical
  • Money exchange
  • Configuration of security features
XFS/Service providers
• Can be considered as proxies
• Have no knowledge of the data they transmit
• Start secure communication with the device
"Windows application"
• Minimal interface
• Password protection for all service options
• Secure network communications
Level 3 – Malware
Video: Win32.Skimmer
Level 4
Physical
• Steel-concrete cover
• Tamper proof
• Tamper evident
• Alarm systems
Operating system
• Platform to launch GUI
• Role based access to system
• Password protection
• Integrity control
• Robust updates
Network
• Communication with processing center
• Remote system management
• Customization information
Level 4 - Physical
Level 5 - Network
Level 5
Processing
Video: Rogue Processing
Not a conclusion
Current state of ATM security
Screwed?
• netstat -an | findstr LISTEN
• tasklist
• nmap -sU -sS -p- ATM_IP
• wireshark
• usbpcap
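One way to turn the host-side checks above into a repeatable comparison against a known-good baseline, written as an added example for this transcript (not the speakers' code): it parses constructed `netstat -an | findstr LISTEN` and `tasklist` output, collected from the ATM and analysed offline, and reports anything outside a hypothetical allow-list for that ATM build.

```python
import re

# Constructed sample of "netstat -an | findstr LISTEN" output from a Windows
# host. Not captured from a real ATM; addresses and ports are made up.
NETSTAT_SAMPLE = """\
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:4899           0.0.0.0:0              LISTENING
"""

# Constructed sample of "tasklist" output; only the Image Name column is used.
TASKLIST_SAMPLE = """\
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
System Idle Process              0 Services                   0          8 K
svchost.exe                    812 Services                   0     21,344 K
AtmApp.exe                    1540 Console                    1    118,204 K
r_server.exe                  1622 Services                   0      9,512 K
"""

# Hypothetical baseline for one ATM build: the listeners and processes the
# operator expects. The check is only as good as this list.
EXPECTED_LISTENERS = {135, 445}
EXPECTED_PROCESSES = {"system idle process", "svchost.exe", "atmapp.exe"}

def unexpected_listeners(netstat_text, expected=EXPECTED_LISTENERS):
    """Return (proto, local_addr, port) for LISTENING sockets not in the baseline."""
    hits = []
    for line in netstat_text.splitlines():
        m = re.match(r"\s*(TCP|UDP)\s+(\S+):(\d+)\s+\S+\s+LISTENING", line)
        if m and int(m.group(3)) not in expected:
            hits.append((m.group(1), m.group(2), int(m.group(3))))
    return hits

def unexpected_processes(tasklist_text, expected=EXPECTED_PROCESSES):
    """Return image names from tasklist output that are not in the baseline."""
    hits = []
    for line in tasklist_text.splitlines()[2:]:  # skip header and ruler rows
        name = line[:25].strip().lower()  # Image Name is a 25-column field
        if name and name not in expected:
            hits.append(name)
    return hits

if __name__ == "__main__":
    for hit in unexpected_listeners(NETSTAT_SAMPLE):
        print("unexpected listener:", hit)
    for name in unexpected_processes(TASKLIST_SAMPLE):
        print("unexpected process:", name)
```

Anything the script reports (here the RDP listener, the Radmin port and the r_server.exe process from the constructed sample) is a lead to explain or remove, not proof of compromise.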
Choose wisely
Security is a process
Have fun
Stay safe
Olga Kochetova, [email protected], @_Endless_Quest_
Alexey Osipov, [email protected], @GiftsUngiven