ATMs how to break them to stop the

fraudOlga Kochetova, Alexey Osipov

Kaspersky Lab

root@root:~# whoamiPenetration Testing Department, Kaspersky Lab• @_Endless_Quest_, @GiftsUngiven• ATM and POS security assessment• Penetration Testing• Forensic InvestigationSpeakers at many IT eventsAuthors of multiple articles, researches and advisories

What is ATM

Lego

About hardware

About software• Host (computer)• MS Windows (Windows XP!!1)• GUI and device control• Antivirus/Integrity control software• Video surveillance• Radmin/TeamViewer and other crap

• Devices• Some microcontrollers with RTOS

About logic

Level 0

Cassettes• Secure casing• Tamper proof• Tamper evident

Cassettes• Tracking system• Cash spoiling devices• Alarms

Cash• Easily traceable• Can’t be extracted from

cassettes with force

Cards• No static data• Dynamic data can’t be

relayed• Secrets, that dynamic

data is based upon can’t be extracted

Level 0

Level 1

Dispenser• Contains cassettes• Cash cassettes• Reject cassette

• Manages mechanics• Sends statuses• Receives commands

Card reader • Identifies user and his

account• Can provide

authentication capabilities • EMV• Match-on-card for

biometric data

PIN pad• Commonly used to

enter authentication data• Also used to insert

amount of money• Sometimes can be

combined with keyboard

Biometric authentication devices

• Grabs physical properties of user for authentication• Multiple flavors• Iris• Fingerprint• Voice• Face• Vein• etc.

Dispenser/Card reader/PIN pad

• Commands are authenticated• Communications are

encrypted • Firmware is

modification proof• Sensitive data is

separately protected

Level 1 - Dispenser/Card reader/PIN pad

• Minimal amount of command are authenticated• Communications are

NOT encrypted • Firmware can be

modified • Sensitive data is

separately protected

Level 2\

Communication lines• Buses• USB• SDC (RS485)• CAN

• Lines• COM (RS232)• GPIO

Communication lines• Data in transit is

encrypted separately from data• Tampering with cables

will disable device with need of physical manipulation

Level 2 - Communication lines

• Data in transit is NOT additionally encrypted• Tampering with cables

will disable device with need of physical manipulation. Only additional modules or firmware update on some models

VideoBlack box

Level 3

Service providers• User-space software

communicating with hardware units• Created by device

manufacturers• No single standard for

communication

XFS• eXtension for Financial

Services• Provide interoperability

between different vendors of hardware and different producers of software

“Windows application”• Graphical user interface• Network client• Service mode• Technical• Money exchange• Configuration of

security features

XFS/Service providers• Can be considered as proxies• Has no knowledge of data, that he

transmits• Starts secure communication with

device

“Windows application”• Minimal interface• Password protection for

all service options• Secure network

communications

Level 3 – Malware

Level 3 – Malware

VideoWin32.Skimmer

Level 4

Physical• Steel-concrete cover• Tamper proof• Tamper evident• Alarm systems

Operating system• Platform to launch GUI• Role based access to

system• Password protection• Integrity control• Robust updates

Network• Communication with

processing center• Remote system

management• Customization

information

Level 4 - Physical

Level 5 - Network

Level 5

Processing

Processing

Processing

VideoRogue Processing

Not a conclusion

Current state of ATM security

Screwed?• netstat -an | findstr

LISTEN• tasklist• nmap -sU -sS -p-

ATM_IP• wireshark• usbpcap

Choose wisely

Security is a process

Have funStay safe

Olga Kochetova, Olga.Kochetova@kaspersky.com, @_Endless_Quest_

Alexey Osipov, Alexey.Osipov@kaspersky.com, @GiftsUngiven