
ATM attack with Raspberry Pi


There is hardly anything that criminals do not do to ATMs: they are torn out of the wall, tied to a car with a cable, drilled, blown up and cut open (sometimes in the State Duma building). According to EAST statistics, criminals are less likely to use skimming, preferring trapping and physical sabotage. Another new trend also causes security specialists a lot of trouble: virus attacks on ATMs. These include Trojan.Skimer, Backdoor.Ploutus, the very recent Tyupkin malware, and other "applications", some well known and some less so. The malware is loaded onto the ATM's computer, usually from external media, and is used to dispense money without authorization or to intercept card data. At the Black Hat Europe 2014 computer security conference, held in Amsterdam in October, Positive Technologies experts Olga Kochetova and Alexey Osipov described another attack method.

To test the security of a test ATM that had survived three Positive Hack Days forums, the researchers chose the popular Raspberry Pi microcomputer. The device hides easily inside the case and does not attract the attention of technicians, who, for example, change the paper in the built-in printers and therefore have keys to the service area.

Finding documentation that describes ATM interfaces is not that difficult; Alexey Lukatsky wrote about this five years ago in his Myths of Information Security. ATM equipment and payment terminals, regardless of the manufacturer, share a common API for accessing and managing their various modules, and run on the Windows platform in accordance with a single standard, "extensions for financial services" (XFS).

Knowing the API, you can take control of the ATM host computer and directly control the peripheral devices installed inside the ATM cabinet: the card reader, PIN keypad, touchscreen display, banknote dispenser, and so on. Do not forget the vulnerabilities of the operating systems that ATMs run, either: Windows has enough of them in store for many years to come.



Weakness


Before the Raspberry Pi can be installed and connected to the Ethernet, USB or RS-232 ports, the ATM must be opened. The service area is at the top of the ATM. This is where the computer that controls the ATM devices and the network equipment (including poorly protected GSM/GPRS modems) are located. The service area is practically unmonitored, since service personnel use it for all kinds of work. It is much easier to get into than the safe with the money located below. It can be opened with keys that are easy to manufacture or with very simple tools at hand.



But simply opening it is not enough: it has to be done quickly and without being noticed.

At the Black Hat conference, Positive Technologies researchers demonstrated how long it would take attackers to install a microcomputer in an ATM service area and use it as a sniffer that intercepts the PIN and the credit card number, or as a hardware skimmer that leaves no trace on the appearance of the ATM. It took two minutes to unlock the ATM case, integrate the microcomputer, mask it and connect it to the Internet.

In preparation for the presentation, the Raspberry Pi was programmed to manage the ATM peripherals. A Wi-Fi adapter was attached to the microcomputer, so that it could be reached from any device, for example a smartphone. Commands to dispense money were sent to the dispenser through a specially implemented web interface. As an example, the dispensing of several banknotes was shown, and after some refinement of the code being sent, the ATM immediately parted with all the notes loaded into it. By the way, each cassette in a typical ATM holds from two to three thousand bills, and there are usually four such cassettes for several denominations.


Needless to say, during the experiment the ATM issued bills without leaving any entries in its computer. The ATM's built-in video camera did work but, like the other devices inside the captured ATM, it was controlled through the Raspberry Pi.

Is protection possible?


Securing an ATM is not easy. Much depends on the attack scenario. For example, the “Protection” Research Center of the Ministry of Internal Affairs recommends that manufacturers use a smoke generator, an ultrasonic barrier and a xenon stroboscope, while British LINK specialists prohibit standard locks for access to the service area and make more active use of webcams.

However, the main problem, according to our researchers, is that any device or program (up to Angry Birds) can be installed in an ATM, which is caused by the abundance of critical vulnerabilities in operating systems. The situation could be changed if bank equipment manufacturers worked together on a new open specification that would ensure secure communication and effective authentication of ATM components, so that anyone who gets hold of a key to the service area cannot easily connect anything to the system.
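What authentication between ATM components could look like in the simplest case, as an added sketch that is not from the original article and is not part of XFS or any vendor protocol: the dispenser accepts a command only if it carries a valid HMAC under a key shared with the host and a counter it has not seen before. The class names, frame layout, `DISPENSE` label and pairing key are all assumptions made for illustration.

```python
import hashlib
import hmac
import os
import struct

TAG_LEN = 32   # HMAC-SHA256 output size
HDR_LEN = 10   # 8-byte counter + 2-byte note count (hypothetical frame layout)

class Host:
    """ATM host: authenticates every command with the pairing key."""
    def __init__(self, key: bytes):
        self._key, self._counter = key, 0

    def command(self, opcode: bytes, notes: int) -> bytes:
        self._counter += 1  # never reused, so a captured frame cannot be replayed
        body = struct.pack(">QH", self._counter, notes) + opcode
        return body + hmac.new(self._key, body, hashlib.sha256).digest()

class Dispenser:
    """Dispenser: refuses anything unauthenticated, altered or replayed."""
    def __init__(self, key: bytes):
        self._key, self._last = key, 0

    def handle(self, frame: bytes) -> str:
        if len(frame) < HDR_LEN + TAG_LEN:
            return "reject: malformed"
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self._key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):  # constant-time comparison
            return "reject: bad tag"
        counter, notes = struct.unpack(">QH", body[:HDR_LEN])
        if counter <= self._last:
            return "reject: replay"
        self._last = counter
        return f"accept: {body[HDR_LEN:].decode()} x{notes}"

def demo() -> list:
    key = os.urandom(32)  # constructed pairing key, provisioned out of band
    host, dispenser = Host(key), Dispenser(key)
    frame = host.command(b"DISPENSE", 2)
    results = [dispenser.handle(frame)]          # genuine host command
    results.append(dispenser.handle(frame))      # same frame captured and resent
    unpaired = Host(os.urandom(32))              # device on the bus without the key
    results.append(dispenser.handle(unpaired.command(b"DISPENSE", 40)))
    altered = bytearray(host.command(b"DISPENSE", 1))
    altered[9] = 40                              # note count changed in transit
    results.append(dispenser.handle(bytes(altered)))
    return results

if __name__ == "__main__":
    print("\n".join(demo()))
```

A scheme like this only helps if the key is held where a device plugged into the service area cannot read it, for example in the dispenser's own controller rather than on the Windows host's disk.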

Source: https://habr.com/ru/post/244159/

