Carding and "black boxes": how ATMs are hacked today

Metal boxes full of money standing on city streets cannot fail to attract people after quick money. Where ATMs were once emptied by purely physical means, increasingly sophisticated computer-based tricks are now used. The most relevant of them today is the "black box": a single-board microcomputer hidden inside the ATM. This article explains how it works.

– The evolution of ATM carding
– First acquaintance with the "black box"
– Analysis of ATM communications
– Where do black boxes come from?
– "Last mile" and fake processing center


The head of the International Association of ATM Manufacturers (ATMIA) has singled out "black boxes" as the most dangerous threat to ATMs.

A typical ATM is a set of ready-made electromechanical components placed in one housing. ATM manufacturers assemble their machines from a banknote dispenser, a card reader and other components already developed by third-party vendors: a kind of LEGO set for adults. The finished components are placed in the ATM case, which usually consists of two compartments: the upper compartment ("cabinet" or "service area") and the lower compartment (the safe). All electromechanical components are connected via USB and COM ports to the system unit, which acts as the host. On older ATM models you can also find connections via the SDC bus.

The evolution of ATM carding

ATMs holding large sums of cash inevitably attract carders. At first, carders exploited only gross physical flaws in ATM security: they used skimmers and shimmers to steal data from magnetic stripes, fake PIN pads and cameras to capture PIN codes, and even fake ATMs.

Then, when ATMs began to be equipped with unified software that works according to common standards, such as XFS (eXtensions for Financial Services), carders began to attack ATMs with computer viruses.

Among them are Trojan.Skimmer, Backdoor.Win32.Skimer, Ploutus, ATMii and numerous other named and unnamed malware families that carders plant on the ATM host either via a bootable flash drive or via the remote-control TCP port.

Figure: ATM infection process

Having taken over the XFS subsystem, the malware can issue commands to the banknote dispenser without authorization. It can also command the card reader: read and write the magnetic stripe of a bank card and even extract the transaction history stored on the EMV card chip. The EPP (Encrypting PIN Pad) deserves special attention. It is generally accepted that a PIN code entered on it cannot be intercepted. However, XFS allows the EPP to be used in two modes: 1) open mode (for entering various numerical parameters, such as the amount to be withdrawn); 2) safe mode (the EPP switches to it when a PIN code or encryption key must be entered). This feature of XFS allows the carder to carry out a MiTM attack: intercept the safe-mode activation command sent from the host to the EPP, and then tell the EPP that work should continue in open mode. In response, the EPP sends keystrokes in plain text.

Figure: The principle of operation of the "black box"

According to Europol, ATM malware has evolved significantly in recent years. Carders no longer need physical access to an ATM to infect it: they can infect ATMs through remote network attacks, using the bank's corporate network for this. According to Group-IB, in 2016 ATMs in more than 10 European countries were subjected to remote attacks.

Figure: ATM attack via remote access

Antivirus software, blocking firmware updates, blocking USB ports and encrypting the hard disk protect the ATM from virus attacks to some extent. But what if the carder does not attack the host at all, but connects directly to the peripherals (via RS232 or USB): the card reader, the PIN pad or the cash dispenser?

The first acquaintance with the "black box"

Today, tech-savvy carders do just that, stealing cash from ATMs with so-called "black boxes": specially programmed single-board microcomputers such as the Raspberry Pi. "Black boxes" empty ATMs in a way that looks like magic from the bankers' point of view. Carders connect the device directly to the banknote dispenser to extract all the money it holds. Such an attack bypasses all the protective software deployed on the ATM host (antivirus, integrity control, full-disk encryption, etc.).

Figure: "Black box" based on Raspberry Pi

The largest ATM manufacturers and government intelligence agencies, having encountered several implementations of the "black box", warn that these ingenious computers make ATMs spit out all available cash at a rate of 40 banknotes every 20 seconds. The agencies also warn that carders most often target ATMs in pharmacies and shopping centers, as well as ATMs that serve motorists on the go.

At the same time, to avoid being caught on camera, the most cautious carders enlist a less valuable partner, a mule. And so that the mule cannot keep the "black box" for himself, they use the following scheme: the key functionality is removed from the "black box", and a smartphone is attached to it, which serves as a channel for relaying commands to the stripped-down "black box" over IP.

Figure: Modification of the "black box", with activation via remote access

What does this look like from the bankers' point of view? On the security camera recordings, something like the following happens: a certain person opens the upper compartment (service area), connects the "magic box" to the ATM, closes the upper compartment and leaves. A little later, several people who look like ordinary customers approach the ATM and withdraw huge amounts of money. The carder then returns and retrieves his little magic device from the ATM. Usually, the fact of a "black box" attack on an ATM is detected only after a few days, when the empty safe and the cash withdrawal log do not match. As a result, bank employees are left scratching their heads.

Analysis of ATM communications

As noted above, the system unit and the peripheral devices communicate via USB, RS232 or SDC. The carder connects directly to the port of a peripheral device and sends commands to it, bypassing the host. This is quite simple, because the standard interfaces do not require any specific drivers. And the proprietary protocols by which the peripherals and the host interact do not require authorization (after all, the device sits inside the trusted zone); therefore these insecure protocols are easily eavesdropped and easily subjected to a replay attack.

Thus, carders can use a software or hardware traffic analyzer, connecting it directly to the port of a specific peripheral device (for example, the card reader) to collect the transmitted data. Using the traffic analyzer, the carder learns all the technical details of the ATM's operation, including undocumented functions of its peripherals (for example, the function for changing the firmware of a peripheral device). As a result, the carder gains full control over the ATM. At the same time, the presence of a traffic analyzer is rather difficult to detect.

Direct control over the banknote dispenser means that the ATM cassettes can be emptied without any record in the logs that the software deployed on the host normally keeps. For those unfamiliar with ATM hardware and software architecture, this really can look like magic.
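The detection angle the article keeps returning to is the mismatch between the host's withdrawal log and what the cassettes physically lost, since a "black box" never touches the host. The following reconciliation script is an added example, not from the article or any ATM vendor; the log format, cassette counts and the Withdrawal type are constructed for the demo, and the 40-notes-per-20-seconds rate is taken from the article to bound how long the dispenser must have been running.

```python
from dataclasses import dataclass
from math import ceil

@dataclass(frozen=True)
class Withdrawal:
    cassette: int   # cassette the host says it dispensed from
    notes: int      # banknotes the host logged for that withdrawal

# Constructed host-side log: every withdrawal the ATM software recorded.
HOST_LOG = [Withdrawal(1, 10), Withdrawal(2, 5), Withdrawal(1, 20)]

# Constructed cassette counts: notes loaded at service, notes left at collection.
LOADED = {1: 2000, 2: 2000, 3: 2000, 4: 2000}
COUNTED = {1: 1970, 2: 1995, 3: 2000, 4: 1800}

def logged_per_cassette(log):
    """Sum the host-logged notes per cassette."""
    totals = {}
    for w in log:
        totals[w.cassette] = totals.get(w.cassette, 0) + w.notes
    return totals

def reconcile(loaded, counted, log):
    """Return {cassette: unaccounted notes} where physical shrinkage exceeds
    what the host logged; an empty dict means the books balance."""
    logged = logged_per_cassette(log)
    gaps = {}
    for cassette, start in loaded.items():
        physically_gone = start - counted.get(cassette, start)
        gap = physically_gone - logged.get(cassette, 0)
        if gap > 0:
            gaps[cassette] = gap
    return gaps

def minimum_dispense_seconds(notes, per_cycle=40, cycle_seconds=20):
    """Lower bound on dispenser run time at the article's rate of 40 notes
    every 20 seconds; useful for scoping which camera footage to review."""
    return ceil(notes / per_cycle) * cycle_seconds

if __name__ == "__main__":
    for cassette, gap in reconcile(LOADED, COUNTED, HOST_LOG).items():
        print(f"cassette {cassette}: {gap} notes unaccounted for, "
              f"at least {minimum_dispense_seconds(gap)} s of dispensing")
```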

Where do black boxes come from?

ATM vendors and subcontractors develop debugging tools to diagnose the ATM hardware, including the electromechanics responsible for cash withdrawals. Such utilities include ATMDesk and RapidFire ATM XFS. The figures below show a few more of these diagnostic utilities.

Figure: ATMDesk control panel

Figure: RapidFire ATM XFS control panel

Figure: Comparative characteristics of several diagnostic utilities

Access to such utilities is normally restricted with personalized tokens, and they only work while the ATM safe door is open. However, simply by replacing a few bytes in the binary code of the utility, carders can "test" cash withdrawal while bypassing the checks built in by the utility's manufacturer. Carders install these modified utilities on a laptop or single-board microcomputer, which they then plug directly into the banknote dispenser to steal cash.

The Last Mile and the Fake Processing Center

Direct interaction with the peripherals, without talking to the host, is only one of the effective carding methods. Other tricks rely on the wide variety of network interfaces through which the ATM communicates with the outside world, from X.25 to Ethernet and cellular. Many ATMs can be identified and located using the Shodan service (the most concise instructions for using it are presented here), followed by an attack that exploits a vulnerable security configuration, the laziness of the administrator and vulnerable communications between the bank's various departments.

The "last mile" of communication between the ATM and the processing center is rich in technologies that can serve as an entry point for the carder. The link can be wired (telephone line or Ethernet) or wireless (Wi-Fi; cellular: CDMA, GSM, UMTS, LTE). Security mechanisms may include: 1) hardware or software VPN support (both the standard kind built into the OS and third-party); 2) SSL/TLS (both specific to a particular ATM model and from third-party manufacturers); 3) encryption; 4) message authentication.

But it seems that for banks the listed technologies are too complex, and so they either do not bother with special network protection or implement it with errors. In the best case, the ATM connects to a VPN server and, once inside the private network, connects to the processing center. Moreover, even if banks manage to implement the above defense mechanisms, the carder already has effective attacks against them. Thus, even if the security complies with the PCI DSS standard, ATMs remain vulnerable.

One of the main requirements of PCI DSS is that all sensitive data transmitted over a public network must be encrypted. And we do have networks that were originally designed so that the data in them is fully encrypted! It is therefore tempting to say: "Our data is encrypted because we use Wi-Fi and GSM." However, many of these networks do not provide sufficient protection. Cellular networks of every generation have long since been hacked, finally and irrevocably. And there are even vendors that offer devices to intercept the data transmitted over them.

Therefore, either over an insecure link, or inside a "private" network where each ATM announces itself to the other ATMs, a "fake processing center" MiTM attack can be mounted, which leads to the carder taking control of the data flows between the ATM and the processing center.

Thousands of ATMs are potentially affected by such MiTM attacks. On the path to the genuine processing center, the carder inserts his own fake one. This fake processing center instructs the ATM to dispense banknotes. At the same time, the carder configures his processing center so that cash is dispensed regardless of which card is inserted into the ATM, even if it has expired or has a zero balance. The main thing is that the fake processing center "recognizes" it. A fake processing center can be either a home-made device or a processing center simulator originally designed for debugging network settings (another gift from the "manufacturer" to carders).

The following figure shows a dump of the commands to dispense 40 banknotes from the fourth cassette, sent by a fake processing center and recorded in the ATM software logs. They look almost genuine.

Figure: Dump of commands from a fake processing center
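The fake processing center works because the ATM executes whatever dispense command arrives, and the peripheral protocols discussed earlier fall to replay for the same reason. The following is an added example, not from the article and not a real ATM protocol: the ATM verifies an HMAC over every dispense command under a key the fake center does not hold, and rejects stale sequence numbers, so neither a forged command nor a replayed genuine one is executed. The message layout, the key and the Atm class are constructed for the demo.

```python
import hashlib
import hmac

# Constructed shared key for the demo; a real ATM would keep it in the EPP/HSM.
ATM_KEY = b"constructed-demo-key-not-a-real-secret"

def sign_command(key, seq, cassette, notes):
    """Build 'DISPENSE|seq|cassette|notes|mac' as the genuine center would."""
    body = f"DISPENSE|{seq}|{cassette}|{notes}"
    mac = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}|{mac}"

class Atm:
    """Dispenses only on a command with a valid MAC and a fresh sequence number."""

    def __init__(self, key):
        self.key = key
        self.last_seq = 0      # highest sequence number accepted so far
        self.dispensed = []    # (cassette, notes) pairs actually dispensed

    def handle(self, message):
        parts = message.split("|")
        if len(parts) != 5 or parts[0] != "DISPENSE":
            return "reject: malformed"
        body = "|".join(parts[:4])
        expected = hmac.new(self.key, body.encode(), hashlib.sha256).hexdigest()
        # A fake center has no key, so its MAC fails; compare in constant time.
        if not hmac.compare_digest(parts[4].encode(), expected.encode()):
            return "reject: bad mac"
        try:
            seq, cassette, notes = (int(p) for p in parts[1:4])
        except ValueError:
            return "reject: malformed"
        # A captured genuine command carries an old sequence number: replay.
        if seq <= self.last_seq:
            return "reject: replay"
        self.last_seq = seq
        self.dispensed.append((cassette, notes))
        return "ok"

def demo():
    """Genuine command, its replay, a forgery from a keyless center, a tamper."""
    atm = Atm(ATM_KEY)
    genuine = sign_command(ATM_KEY, 1, 4, 40)
    forged = sign_command(b"fake-center-has-no-key", 2, 4, 40)
    tampered = genuine.replace("|40|", "|400|")
    return [atm.handle(genuine), atm.handle(genuine),
            atm.handle(forged), atm.handle(tampered)]
```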

Source: habr.com
