OWASP London, 25 January 2018 (slide deck, 57 pages)

How To Buy And Hack an ATM

Leigh-Anne Galloway & Timur Yunusov


About us

Appsec/websec/banksec/infosec
Incident response (payment investigation)
No experience with ATM acquisition

@L_AGalloway, @a66at

THE BIRTH OF AN IDEA
HISTORY OF ATMS

1967: John Shepherd-Barron, Barclays
1969: USA
1972: Lloyds
2017: 3.8 million


MANUFACTURERS
Identify market options

Where to buy an ATM
4 WAYS TO BUY AN ATM

LEGAL: ATM maintainers in your region, banks and manufacturers

GREY MARKET: Resellers, aftermarket listings, eBay, private sellers etc.

BLACK MARKET: Underground market place

THE WILDCARD: Guaranteed ATM but with a possibility of imprisonment
Legal and Grey market options
The wildcard option

Our CEO endorses the craziest ideas


THE WILDCARD

ROAD TRIP OF A LIFETIME
A journey of over 1800 miles, a 50k euro deposit and the possibility of jail time in Russia
Legal procurement

The easiest option



HUSTLE

VERIFY AKA SOCIAL ENGINEERING
You need to convince a company that you are a legitimate company or have a story that is believable. You might need to establish an account just for one item.

FACTOR IN LEAD TIME
Most of these suppliers know when stock is due to come in. They might not have what you are looking for straight away.

KNOW THY ATM
You need to know the exact model and specification, cassette configuration. Free-standing is your best option.

LOGISTICS
Do you have a suitable place to store this? More on that later.

ATM models shown on the slide: NCR 5877, NCR 6676 cash in, NCR 6622 self service, Wincor 1500XE USB, Wincor 2100XE cash in, Wincor 2000XE USB cash out
Logistics

A nightmare
DELIVERY DAY
EXPECTATIONS / REALITY
POWER AND WEATHER
How does it work, how can I break it?
HOW IT WORKS

Card Reader/PIN pad (EPP)


Card reader and PIN pad verifies account holder

PC
Windows XP/7 (80%), other variants of Windows

DISPENSER
PC sends instructions to dispenser which selects correct denomination from
cassettes.

BANK NETWORK
The ATM connects to the core banking network directly, through an inter-bank network, or via antenna.
ATM NETWORK
ATTACK VECTORS

BRUTE FORCE: Requires somehow getting physical access to the vault. The most popular methods being explosives.

OS LEVEL: Operating level attacks take advantage of OS level config, software vulnerabilities and bypassing kiosk mode.

HARDWARE: Access via service area or drilling, bypassing OS and connecting blackbox directly to the dispenser etc.

NETWORK: Making use of network: unauthorised VPN connection, malware, vulnerabilities in protocols.
HISTORY OF ATTACKS

2010: Barnaby Jack
2012: Blackbox
2013: Logical attacks
2014: PT published research
2016: +30%

Slide annotations: "Very Popular", "High risk of being caught"


OS LEVEL
XFS API
HARDWARE
NETWORK
ATMs everywhere

> 20 ATMs over the last year
Application control for Application security

https://evi1cg.me/archives/AppLocker_Bypass_Techniques.html
https://cansecwest.com/slides/2016/CSW2016_Freingruber_Bypassing_Application_Whitelisting.pdf
https://www.ptsecurity.com/ww-en/about/news/131496/
https://www.ptsecurity.com/ww-en/about/news/240117/
https://www.ptsecurity.com/ww-en/about/news/283971/
https://embedi.com/blog/hack-atm-anti-hacking-feature-and-walk-away-1m-2-minutes/
Controls flow

Whitelist of dirs (c:\windows\system32, etc)
Whitelist of files (c:\windows\system32\calc.exe, ipconfig.exe, etc)
Hash comparing (usually SHA-256)
Digital signatures (MS, Adobe, etc)
Extensions blacklist
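The rule types listed above differ in what they actually trust: a directory or file-path rule trusts a location, a hash rule trusts the bytes, and an extension blacklist only trusts a name. The following is an added example that models those four rule types as a small policy evaluator and runs both a path-based and a content-based policy over constructed sample files; it is not code from the talk or from any of the products reviewed, and every path, file content and policy entry in it is a hypothetical stand-in.

```python
"""Model of the application-control rule types named on the slide (added
example, not the authors' or any product's code): directory allowlist, file
allowlist, SHA-256 hash allowlist and extension denylist. All paths, file
contents and policy entries are constructed stand-ins."""
import hashlib
import ntpath  # Windows-style path semantics regardless of the host OS

# Constructed stand-ins for the bytes of two trusted Windows binaries.
TRUSTED_CALC = b"MZ\x90\x00 constructed stand-in for calc.exe"
TRUSTED_IPCONFIG = b"MZ\x90\x00 constructed stand-in for ipconfig.exe"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def normalize(path: str) -> str:
    """Case-insensitive, normalized Windows path so rules compare consistently."""
    return ntpath.normpath(path).lower()


# Hypothetical policy: one set per rule type.
ALLOWED_DIRS = {normalize(r"C:\Windows\System32")}
ALLOWED_FILES = {normalize(r"C:\Windows\System32\calc.exe"),
                 normalize(r"C:\Windows\System32\ipconfig.exe")}
ALLOWED_HASHES = {sha256_hex(TRUSTED_CALC), sha256_hex(TRUSTED_IPCONFIG)}
DENIED_EXTENSIONS = {".ps1", ".vbs", ".js"}


def evaluate(path: str, content: bytes) -> dict:
    """Which rule types, each taken on its own, would let this file run."""
    norm = normalize(path)
    return {
        # exact directory match; matching subdirectories is a separate policy choice
        "dir_allowlist": ntpath.dirname(norm) in ALLOWED_DIRS,
        "file_allowlist": norm in ALLOWED_FILES,
        "hash_allowlist": sha256_hex(content) in ALLOWED_HASHES,
        "extension_denylist": ntpath.splitext(norm)[1] not in DENIED_EXTENSIONS,
    }


def path_based_verdict(path: str, content: bytes) -> bool:
    """Location-trusting policy: allowed if the directory or the file path is listed."""
    r = evaluate(path, content)
    return r["dir_allowlist"] or r["file_allowlist"]


def content_based_verdict(path: str, content: bytes) -> bool:
    """Content-trusting policy: SHA-256 must be listed and the extension not denied."""
    r = evaluate(path, content)
    return r["hash_allowlist"] and r["extension_denylist"]


# Constructed cases: (label, path, content).
SAMPLE_FILES = [
    ("genuine calc.exe in System32", r"C:\Windows\System32\calc.exe", TRUSTED_CALC),
    ("different bytes at the calc.exe path", r"C:\Windows\System32\calc.exe", b"MZ unknown build"),
    ("genuine calc.exe copied to a user directory", r"C:\Users\atm\Desktop\calc.exe", TRUSTED_CALC),
    ("PowerShell script in a user directory", r"C:\Users\atm\run.ps1", b"Write-Host 'hi'"),
]


def compare_policies() -> dict:
    """(path-based verdict, content-based verdict) for every sample, keyed by label."""
    return {label: (path_based_verdict(p, c), content_based_verdict(p, c))
            for label, p, c in SAMPLE_FILES}


if __name__ == "__main__":
    for label, (by_path, by_content) in compare_policies().items():
        print(f"{label:45} path-based={by_path!s:5} content-based={by_content}")
```

The second case is the one that matters for hardening: a path rule passes whatever bytes sit at an allowed location, so path rules on locations that unprivileged code can write to are a policy gap, while a SHA-256 rule keys on the content and follows a trusted binary wherever it is copied (third case). Extension denylists only ever catch what their name list anticipates, which is why the slide treats them as the weakest of the five.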
Bypassing techniques
Code execution in trusted apps (cmd, powershell)
Hash collisions
Bypassing extensions blacklist
Other trusted applications (.NET, Java, PHP, etc)
Misconfigurations
DLL injections
Poor restrictions (CL_Invocation.ps1, CL_LoadingAssembly.ps1)
Exploits
Attacking AppControls

Product 1
1. From admin to GOD
2. Hello from the '90s
3. %SYSTEMROOT%\System32\msiexec.exe "signed.msi"
4. Updates over HTTP, no application level signatures
5. Updates with signatures. Round 2, Fight! …

Product 2
1. Very Safe Mode
2. Open HANDLE before product
3. Remote control over HTTPS
4. No application level signatures
5. Turning protection off || RCE
6. Round 2. Fight! MD5(command)
   1. MD5(RCE || turnoff)
   2. Del Protector.sys
   3. No self-control
Very secure Product 3
Signatures, drivers and two smoking barrels

Checking algo:
    if (checked(file) == false)
        while (!timeout) { Hashcalc(file); }

- Hashcalc(loo***0000***oong-exploit.exe) will be run once
- Hashcalc(pyTh0n.exe) will be run multiple times
Products 4-5-6
1. Local unauthorised privilege escalation (you need to launch exploit.exe to bypass the restrictions on launching exploit.exe)
2. Network-based BOF => RCE
Review
Industrial 3G modems
Different boxes, same vulnerabilities (https://blog.ptsecurity.com/2015/12/critical-vulnerabilities-in-3g4g-modems.html)
3G/4G downgrading attack + FakeBTS
Access to web interface outside of VPN channel
Authentication/Authorisation bypasses
Proprietary VPN
End-to-end tunnel binaries: RCE
Kudos to PT Research Center
@groke
@ivachyou
@yarbabin
Maxim Kozhevnikov
Leonid Krolle
https://uk.linkedin.com/in/tyunusov
https://uk.linkedin.com/in/leighannegalloway

[email protected]
[email protected]

@a66at
@L_AGalloway
