Turning an ATM into a Slot Machine

Security researcher Barnaby Jack, currently at IOActive but a veteran of Foundstone, eEye, and Juniper with almost ten years in the industry, has demonstrated two exploit methods for ATM’s (Automated Teller Machines) in a presentation that is thus far the talk of the Black Hat 2010 conference. In a discussion originally slated for last year before it was muffled by Juniper based on the concerns of “an affected ATM vendor”, Jack demonstrates what he calls jackpotting an ATM.

Here’s the ATM “jackpot” (music playing, money flying out, word ‘Jackpot’ displayed on the console):

The Attack
The attack was employed using two custom tools Jack developed: Scrooge, an ATM firmware rootkit (malicious software that conceals itself at the level of interface between software and hardware) and Dilinger (named for the famous bank robber), a remote ATM attack tool that keeps track of compromised machines and stores the data stolen from people who use the machines. The first exploit involved unlocking a panel on the ATM and inserting a USB key that overwrites the machine’s native firmware with the aforementioned rootkit, taking control of the ATM.

Research
To perform the research, Jack acquired physical ATM machines, attached a debugger to the ATM motherboard, and proceeded to reverse engineer the machine’s firmware. He then developed a replacement version (the aforementioned Scrooge software). Firmware typically refers to the small footprint of code (programs, data structures) that provide internal control of electronic devices. In other words, think the low level operations of any electronic device.

In the models Jack tested he was able to, after accessing the machine’s USB ports with a master key purchased online, perform a replacement of the firmware with his rootkit version. The ATM’s include the ability to do this so that firmware updates can be made by those performing maintenance on the ATM. However, there is no integrity check to ensure that the code update is coming from a trusted source.

The keys themselves for the cabinets are not hard to acquire.

Mitigation
In response ATM vendors have created a new version of the firmware requiring future updates have a digital signature (essentially a shared secret between the machine and the author of code for that machine to ensure the integrity of the code update). Doing this would help to prevent the type of rogue update via USB Jack performed, as long as the signing keys are kept secret.

Breadth
While Jack wouldn’t reveal the names of the ATM vendors whose devices he compromised (they are reported to be Triton and Tranax machines), he has noted that every ATM he has tested he has compromised, intimating attacks on multiple machines are possible because of similarities in the way generic ATM machines are made. He did note the external limitations of his research, citing the fact that there are only so many ATM’s you can put in an apartment before “your girlfriend gets mad”.

Jack actually told the delivery man who brought the ATM’s that he was getting them because he wanted to avoid bank withdrawal fees.

Remote Attack
A remote attack was also demonstrated over Wifi, but many of the details have not yet been released. Jack found a way ,testing on his own machines, to bypass the remote authentication system of the ATM so that the same homemade rootkit, Scrooge, could be installed. This essentially provides access to an ATM via an Internet connection allowing for attack results such as the ability to record card and pin numbers on entry and sending them to a remote attacker). Such vulnerable ATM’s could be located with a war dialing tool, calling thousands of phone numbers until a vulnerable machine responds via modem, a technique already in play by criminals.

“Sometimes you have to demo a threat to spark a solution,”
Barnaby Jack

The image is a resonant and powerful image of insecurity, we have here a demonstrated attack that allows you to spew money out of an ATM in a few seconds, and a second that doesn’t even require physical access to the machine. At this point, the response time frame from ATM vendors as well as the vulnerability demonstrated via USB are bordering on negligence, a master key that is readily available and USB based firmware updates without any signing mechanism to ensure that it is an ‘approved’ update.

We have here, after all, a device whose sole purpose is to dispense cash.

Last year an ATM vendor got the talk pulled from BlackHat by pressuring Jack’s employer, Juniper Networks, despite having seven months of notification from Jack to arrive at some sort of response before the scheduled talk. Given we are now some one and a half years from notification, and given the quantity and dispersal of ATM’s out there, the vulnerabilities demonstrated are likely still viable.