Cash machines have been part of our lives since 1967 when a London branch of Barclays Bank unveiled the first ATM. Millions of people around the world now use ATMs every day to withdraw cash, pay in to their account or make a variety of payments. When using ATMs people give little or no thought to the hardware, software or security of the machines. Unfortunately, ATM manufacturers and their primary customers – banks – don’t pay much attention to the security of cash machines either. This is confirmed by the increasing number of thefts from ATMs using non-destructive methods, i.e. without the use of metal cutting tools or explosives.

To understand why this is happening, let’s first look at what exactly a cash machine is.

Hardware

An ATM is basically a construction kit. The manufacturer builds them from a dispenser, a card reader and other units produced by different companies. The units are placed in a housing which usually consists of two parts: the top box called the cabinet, or the servicezone, and the lower section called thesafe.

The cabinet includes units such as the system unit (yes, a standard system unit, which sometimes even has the same housing as a typical home computer), the EPP (Encrypting PIN Pad) the card reader, and so on. The service zone, according to ATM manufacturers, contains everything that makes it impossible to access the money. Probably for this reason the cabinet cover is made of plastic and the service zone is protected from unauthorized access by just a simple lock. By the way, a set of locks and separate keys can both easily be purchased online as the manufacturers install the same locks on their devices, and most banks usually don’t bother to replace them.

The safe has much better protection: it is a ‘sandwich’ of steel and concrete with two types of locks – one coded (electronic or limb, sometimes electro-mechanical) and the other a key lock (usually a lever tumbler lock). The safe contains the devices directly related to the money – a dispenser from which cash is withdrawn, and a cash-in module.

All devices are connected to the system unit, which in this case performs the function of the host (as we shall refer to it) via the USB or RS232 ports (often referred to as a COM port). Sometimes these ports are located directly on the system unit; if there aren’t enough ports, a USB/COM hub is used. Older ATM models can still be found that are connected via the SDC bus.

Software

The software used on almost every ATM is straightforward:

operating system

ATM units management software

software used to interact with the user (ATM consumer or operator)

software used to communicate with the processing center (which provides the information and technological sides of the transaction)

anti-virus software, or integrity control software.

This is sufficient for the ATM to carry out its immediate functions, but for some reason certain banks also install Acrobat Reader 6.0, Radmin, TeamViewer and other unnecessary and in some cases even dangerous software.

When it comes to the operating system, the vast majority of ATMs still use … Windows XP! Despite the fact that Microsoft stopped issuing security updates for it in April 2014. Of course, 0-day vulnerabilities for this system will remain unpatched. The engineers servicing ATMs often think that if the ATM is working, it is better “not to touch” (read: “not to update”) it. As a consequence, some cash machines still have the unpatched critical vulnerability MS08-067 which allows remote code execution.

ATM units are implemented on microcontrollers based on real-time operating systems (RTOS), which is particularly irksome for the guys with IDA Pro because static analysis is almost unheard for such systems.

That’s basically all the information cybercriminals need to start hacking.

Malware

In 2009, the appearance of Trojan Backdoor.Win32.Skimer caught the world’s attention: it was the first malicious program targeting ATMs. Skimer attacked ATMs from a particular manufacturer – one of the market leaders. Using this malicious program the criminals emptied the cash dispensers and also skimmed the data from bank cards processed in infected ATMs. Since then, ATMs of different manufacturers have been repeatedly exposed to malware infection.

The process of stealing money from ATMs using malware consists of four stages:

The attacker gains local/remote access to the machine.

Malicious code is injected into the ATM system.

As a rule, infection is followed by rebooting of the ATM. The system seems to reboot in standard mode but at the same time comes under the control of a malicious program, i.e. cybercriminals.

The final stage, i.e. the main aim of the process, is the theft of money.

Getting access to the inside of an ATM is not a particularly difficult task, as the experts at the Positive Hack Days, the international forum on practical information security, demonstrated. The process of infecting is also fairly clear – arbitrary code can be executed on an insecure (or insufficiently secure) system. There seems to be no problem with withdrawing money either – the malware interface is usually opened by using a specific key combination on the PIN pad or by inserting a “special card”, and then all you need to do is stuff your pockets full of cash.

Here we will focus on how a malicious program can gain control of an ATM.

The XFS standard

So the attackers have infected the ATM system unit. What next?

Here again, a short explanation is required. As already mentioned, the ATM is managed by a Windows-based application. Its task is to organize interaction between the user (client or services), the processing center which sends commands to the ATM and the equipment that executes these commands. The message exchange with the processing center occurs via direct connect protocols (NDC or DDC): users communicate with the GUI while service providers are responsible for the operation of each ATM unit (gateways to these units). To send commands to the service providers and on to the equipment as well as to receive status messages, a level called XFS Manager is used in accordance with WOSA.

ATM operations in the context of the XFS standard

XFS (CEN/XFS, and earlier WOSA/XFS), or the eXtensions for Financial Services, is a standard that provides a client-server architecture for financial applications on the Microsoft Windows platform, especially peripheral devices such as ATMs. XFS is intended to standardize software so that it can work on any equipment regardless of the manufacturer, and provides a common API for this purpose.

Thus, any application that is developed with the XFS standard in mind can control low-level objects by using only the logic described in this standard. And that application could well be the Tyupkin backdoor or any other malicious program.

What opportunities does XFS offer?

For example, the dispenser, which is the most interesting part for the attackers, can give out money without authorization. Or use of XFS on some ATM models means cybercriminals can manipulate the code to open the safe and unlock the ATM cassettes.

Exploitation of the MS08_067 vulnerability allowing execution of arbitrary code. The video was shot by experts at BlackHat Europe 2014

With regard to the card reader, XFS allows the reading and recording of data from the bank card magnetic stripe and even retrieval of the transaction history stored on the EMV card chip.

Of special note is the Encrypting PIN Pad (EPP). It is believed that the PIN cannot be intercepted because it is entered on the ATM PIN pad and is converted directly inside the encryption module into a PIN block (EPP contains keys to do this, two of which are in the bank’s Hardware Security Module). However, XFS allows the PIN pad to be used in two modes:

Open Mode – for entering different numeric values, such as the sum to be withdrawn; Secure Mode, which EPP switches to in order to enter a PIN and encryption keys.

This allows cybercriminals to implement a “man-in-the-middle” (MiTM) attack. They only have to intercept the command sent from the host to the EPP to switch to Secure Mode and then to inform the device that work is continuing in Open Mode. In the reply message, the EPP will send the keystrokes as plain text – exactly what the attacker needs.

But what about authentication and exclusive access? And surely the standard’s specifications are inaccessible?

Unfortunately, this is not the case with XFS. The standard does not provide any authentication, and exclusive access to service providers is implemented, but not for security reasons. This is just a single-threaded command sending function to avoid accidentally breaking delicate hardware by simultaneously sending two identical commands.

Surprisingly, although it is a standard for financial applications, it doesn’t even mention security. Where can you find the specifications to check if this is true? Just try entering “ATM XFS” in any search engine and you’ll find the answer among the first few results.

Integrity control software

Banks sometimes use integrity control software on their ATMs that supposedly prevents the execution of unauthorized code based on a whitelist, controls connected devices and drives, as well as providing other useful methods which should, in theory, counter attacks.

But we shouldn’t forget that first of all it is software, and just like any other software, it’s not perfect. It may be vulnerable to attacks as such kiosk mode bypassing, whitelist bypassing, buffer overflow, privileges escalation to SYSTEM user, etc. As you know, existing vulnerabilities often allow cybercriminals to gain access to the operating system and to do their dirty work.

Undocumented features

The bad guys may use modified utilities that were originally provided by ATM developers or manufacturers to test a machine’s operability. One of the functions of these utilities is to test the dispenser function, including the dispensing of cash. In order to carry out a test, the engineer has to confirm his legitimacy by opening the safe door or performing actions with the dispenser cassettes. The logic is simple: if you can open the safe, you have the key, i.e. you are a licensed engineer or a cash-in-transit guard. But by simply replacing a couple of bytes in the utility, the “right” people can “test” cash withdrawals without any checks.

Yet another way criminals have of lining their pockets is to change the denomination of banknotes dispensed by the ATM using a diagnostic utility. As a result, the attacker receives banknotes with the largest nominal value (e.g., a 100 dollar/euro banknote) while the ATM “thinks” it is dispensing the smallest of the available denominations (five or ten). It means several hundred thousand can be withdrawn from a card with a balance of just a few hundred.

Black box

So-called black box attacks are another type of attack that is getting increased coverage in the news. On surveillance camera videos the following occurs: someone opens the service zone, connects a magic box to the ATM, closes the cabinet and leaves. A little later several people who appear to be customers approach the ATM and withdraw huge sums of money. Of course, the criminals retrieve their little device from the ATM once they have achieved their goal. Usually, these black box attacks are only discovered a few days later when the empty cassettes and the withdrawal logs don’t tally, leaving the bank employees scratching their heads.

However, there is no magic involved – the attackers connect a specially programmed microcomputer to the dispenser in such a way that it bypasses the security measures implemented on the host (antivirus, integrity control, full disk encryption, etc.).

Communications insecurity

As mentioned above, USB, RS232, or SDC can be used as a data transmission channel between the system unit and the devices. It’s likely that nothing will prevent the attackers from sending the necessary commands directly to the device port bypassing its service provider. The standard interfaces often do not require any specific drivers. Authorization is not required either, which basically makes these insecure proprietary protocols an easy target – just sniff and replay. The result is direct control over ATM units, the use of undocumented functions (e.g., changing the unit firmware). The criminals may also use a software or hardware traffic analyzer, installing it directly on the port of a particular device such as a card reader in order to obtain the transmitted data. And this analyzer will be difficult to detect.

Direct control over the dispenser means the ATM cassettes can be emptied without any entries being made in the ATM software logs.

A typical packet – the command to dispense a banknote from the first cassette of the dispenser

For those who are unaware, it may look like magic. Every great magic trick consists of three parts or acts. There are dispensing money from the cassette, opening the shutter, and presenting money to the client.

A black box attack on an ATM. Video was prepared by experts for demonstration purposes at BlackHat Europe 2014

Hardware skimmers are ‘so yesterday’. Direct connection makes it possible to read and record the magnetic strip of a credit card. Traffic analyzers, which are freely available on the Internet, can also be used as a direct connection. Rumor has it that in one fairly large bank all the ATMs were used as skimmers: the attackers had found vulnerabilities in the bank’s network and installed a USB sniffer on the ATMs, allowing them to collect bank card data in plain text for five years! Who knows, maybe your card was among those affected.

The intercepted data of a Track2 card

The network

The connection between ATMs and the processing center can be protected in various ways. For example, using a hardware or software VPN, SSL/TLS encryption, a firewall or MAC-authentication, implemented in xDC protocols. However, all these measures often appear to be so complex for banks that they don’t bother using any network protection at all.

In such cases, a MiTM attack can be launched that will result in the attacker getting both bank card data and all the money in the ATM. This requires remote access to the device, which is usually obtained by using vulnerable services that can be accessed from the Internet, as well as social engineering techniques. Physical access to the network hardware, including the ATM Ethernet-cable will also suffice.

On the way to the real processing center a fake one pops up; it sends commands to the ATM software to dispense banknotes. Withdrawing money is possible with any card, even one that has expired or has a zero balance, as long as the fake processing center “recognizes” it. A fake processing center can be either “homemade” software that supports communication with the ATM via the xDC-protocol, or a processing center simulator originally designed to check network settings (yet another “gift” from the vendors to the cybercriminals).

The commands for giving out 40 banknotes from the fourth cassette sent from a fake processing center and stored in the ATM software logs. They look almost like the real thing.

Where do the criminals find ATMs that can be attacked via the network? Do they scan all the nearby networks or buy the information on underground forums?

It turns out that you just need to enter the correct request in a search engine – https://www.shodan.io/ (this Internet of Things scanner is well-known by the experts). The data collected by this scanner is usually enough to launch such attacks.

Or you could just take a closer look at the ATMs in retail and business centers.

Sometimes the ATM system can be accessed without even opening it – all the communications are located on the outside

Who’s to blame and what can be done

This part is usually the most depressing, and here’s why.

When we detect a vulnerability while analyzing ATM security, we send a notification to the vendor with a description of the problem and ways to solve it. And often the answers are bewildering:

“The vulnerabilities are essentially normal specifications of the card readers and not unexpected. As long as the ATM is running within normal parameters, these problems cannot possibly occur.”

“However this vulnerability is inherent in the USB technology and is expected be mitigated by the use of appropriate physical controls on access to the ATM top box.”

“We regret informing you that we had decided to stop producing this model more than 3 years ago and warranties for our distributors been expired.”

Indeed, why should vendors bother about ATMs with expired warranties that are still used by banks around the world, and whose physical security often leaves much to be desired? Unfortunately, reality shows that manufacturers are only interested in selling new products and not in eliminating the shortcomings of existing systems, while banks lack the necessary skills to cope with the problems on their own.

Fortunately, some manufacturers understand the dangers of unauthorized ATM use, and release security updates. To prevent attacks on dispensers, two-way authentication and cryptography are used. It should be noted, however, that not all cryptography is correctly implemented cryptography.

While the existing countermeasures can protect ATMs from malware, they are powerless against black box or network attacks. A huge number of security flaws and vulnerabilities that can be exploited with minimum expertise make cash machines a prime target for those desperate to get rich illegally.

So. Is everything lost?

ATM manufacturers can reduce the risk of attack on cash machines.

Firstly, it is necessary to revise the XFS standard with an emphasis on safety, and introduce two-way authentication between devices and legitimate software. This will help reduce the likelihood of unauthorized money withdrawals using Trojans and attackers gaining direct control over ATM units.

Secondly, it is necessary to implement “authenticated dispensing” to exclude the possibility of attacks via fake processing centers.

Thirdly, it is necessary to implement cryptographic protection and integrity control over the data transmitted between all hardware units and PC inside ATM.

And what should banks do? They need to take action!

Encourage those who sell ATMs and software to make them secure. The manufacturer must eliminate vulnerabilities as soon as possible; it is necessary to tell them about it as often as possible. To prevent hacking of ATMs it is necessary to make use of all the available protection tools. A completed PCI DSS Self-Assessment Questionnaire is not a silver bullet and won’t protect ATMs from attacks, or banks from financial and reputational losses. Proactive protection, including regular ATM security assessment and penetration testing, is better (and often much cheaper) than security incident and the subsequent investigation.

Bad guys are watching.

Stay safe!

PS: No cash machines were harmed in the preparation of this material.

PPS: This overview of the security issues in cash machines is not intended as a hacking guide.