Boxes full of money standing on city streets cannot help but attract the attention of those hunting for easy money. Purely physical methods used to be the way to empty an ATM, but today ever more ingenious computer-based tricks are being used. The most relevant of these at the moment is the "black box", a device with a single-board microcomputer inside. This article explains how it works.
President of the International Association of ATM Manufacturers (ATMIA)
A typical ATM is a set of ready-made electromechanical components housed in a single enclosure. ATM manufacturers assemble their hardware from banknote dispensers, card readers and other components already developed by third-party suppliers, something like a Lego construction set for adults. The finished components are placed in the ATM body, which usually consists of two compartments: an upper compartment (the "cabinet" or "service area") and a lower compartment (the safe). All the electromechanical components are connected to the system unit via USB and COM ports, and the system unit in this arrangement acts as the host. In older ATM models, connections over the SDC bus can also be found.
The evolution of ATM carding
ATMs holding large amounts of cash have always attracted carders. At first, carders exploited only gross physical flaws in ATM protection: they used skimmers and shimmers to steal data from the magnetic stripe, fake PIN pads and cameras to capture PIN codes, and even fake ATMs.
Later, when ATMs began to be equipped with unified software that follows common standards such as XFS (eXtensions for Financial Services), carders started attacking ATMs with computer viruses.
Among them are Trojan.Skimmer, Backdoor.Win32.Skimer, Ploutus, ATMii and many other named and unnamed malware families, which carders plant on the ATM host via a bootable USB flash drive or a TCP remote-control port.
The ATM infection process
Malware that has taken over the XFS subsystem can issue commands to the banknote dispenser without authorisation. It can also command the card reader to read and write the magnetic stripe of a bank card and to retrieve the transaction history stored on the EMV chip. The EPP (Encrypting PIN Pad) deserves special attention. It is generally believed that a PIN code entered on it cannot be intercepted. However, XFS allows the EPP to be used in two modes: 1) open mode (for entering various numeric parameters, such as the amount to withdraw); 2) safe mode (the EPP switches to safe mode when a PIN code or an encryption key must be entered). This XFS feature lets a carder carry out a MiTM attack: intercept the safe-mode activation command sent from the host to the EPP and tell the EPP to keep operating in open mode. In response to that message, the EPP sends the keystrokes in clear text.
Operating principle of the "black box"
In recent years,
Attack on an ATM via remote access
Antivirus software, blocking of firmware updates, blocking of USB ports, hard-drive encryption and similar measures protect the ATM to some extent from virus attacks by carders. But what happens if the carder does not attack the host at all and instead connects directly to the peripherals (via RS232 or USB): the card reader and keypad, or the cash dispenser?
First encounter with the "black box"
A carder well versed in today's technology
A "black box" based on a Raspberry Pi
The largest ATM manufacturers and government intelligence agencies have encountered several implementations of the "black box",
At the same time, so as not to appear in front of the cameras, the most cautious carders enlist the help of less valuable partners, the "drops". And so that the drops cannot appropriate the "black box" for themselves, they
A modified "black box" with remote-access activation
What does this look like from the banker's point of view? The video recording shows something like this: a person opens the upper compartment (the service area), connects a "magic box" to the ATM, closes the compartment and walks away. A little later, several people who look like ordinary customers approach the ATM and withdraw large sums of money. The carder then returns and removes the small magic device from the ATM. The fact of a "black box" attack on the ATM is usually discovered only a few days later, when the empty safe does not match the cash-withdrawal logs. As a result, all the bank staff can do is
Analysis of ATM communications
As mentioned above, the system unit and the peripherals talk to each other over USB, RS232 or SDC. The carder connects directly to the peripheral's port and sends commands to it, bypassing the host. This is very easy, because the standard interfaces need no special drivers, and the proprietary protocols by which the peripherals and the host communicate require no authentication (after all, the device sits inside the trusted zone). Consequently, these insecure protocols between the peripherals and the host are easy to eavesdrop on and are susceptible to replay attacks.
To do so, a carder uses a software or hardware traffic analyser, connecting it directly to the port of a specific peripheral (the card reader, for example) to collect the data being transmitted. With the traffic analyser, the carder learns all the technical details of the ATM's operation, including undocumented peripheral functions (for example, the function for changing a peripheral's firmware). As a result, the carder gains full control over the ATM. At the same time, the presence of a traffic analyser is very difficult to detect.
Direct control of the banknote dispenser means the ATM's cassettes can be emptied without any record in the logs that are normally kept by the software running on the host. To anyone unfamiliar with the hardware and software architecture of an ATM, this can indeed look like magic.
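As an added example (not from the article), one defender-side check that shortens the gap described above between an unlogged payout and its discovery at the next cash count: reconcile the dispenser's own per-cassette note counters, which the hardware increments no matter who issued the command, against the totals in the host journal. The journal format, the counter layout and the sample data are assumptions constructed for this example.

```python
"""Reconcile ATM dispenser counters against the host journal (added example)."""
from collections import defaultdict
from dataclasses import dataclass

# Constructed host journal: one line per host-authorised dispense.
# Assumed format: timestamp,tx_id,cassette,notes
HOST_JOURNAL = """\
2024-05-01T09:12:03,TX1001,1,10
2024-05-01T09:12:03,TX1001,2,5
2024-05-01T10:40:51,TX1002,1,20
2024-05-01T14:05:17,TX1003,3,8
"""

# Constructed per-cassette counters read back from the dispenser hardware (notes
# paid out since the last replenishment). The hardware counts every dispense,
# whoever sent the command; here cassette 2 holds 300 notes the host never saw.
DISPENSER_COUNTERS = {1: 30, 2: 305, 3: 8}


@dataclass(frozen=True)
class Discrepancy:
    cassette: int
    journaled: int  # notes the host journal accounts for
    dispensed: int  # notes the dispenser counter reports

    @property
    def unexplained(self) -> int:
        return self.dispensed - self.journaled


def parse_journal(text: str) -> dict[int, int]:
    """Sum journaled notes per cassette, ignoring blank lines."""
    totals: dict[int, int] = defaultdict(int)
    for line in text.splitlines():
        if not line.strip():
            continue
        _timestamp, _tx_id, cassette, notes = line.split(",")
        totals[int(cassette)] += int(notes)
    return dict(totals)


def reconcile(journal: dict[int, int], counters: dict[int, int]) -> list[Discrepancy]:
    """Return every cassette whose hardware counter disagrees with the journal."""
    found = []
    for cassette in sorted(set(journal) | set(counters)):
        j, d = journal.get(cassette, 0), counters.get(cassette, 0)
        if d != j:  # any mismatch warrants a cash count, not only d > j
            found.append(Discrepancy(cassette, j, d))
    return found
```

Calling reconcile(parse_journal(HOST_JOURNAL), DISPENSER_COUNTERS) on the sample data flags cassette 2 with 300 unexplained notes; run against real counters after every journal upload, the same check raises the alarm the same day rather than at the next physical count.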
Where do black boxes come from?
ATM vendors and their subcontractors develop debugging utilities for diagnosing ATM hardware, including the electronics responsible for dispensing cash. These utilities include:
ATMDesk control panel
RapidFire ATM XFS control panel
Comparison of the characteristics of several diagnostic utilities
Access to such utilities is normally restricted to a personalised token. They also work only when the door of the ATM safe is open. However, by replacing just a few bytes in the utility's binary code, the carder can
The "black box" and a fake processing center
Interacting directly with the peripherals without going through the host is only one of the effective carding techniques. Other techniques rely on the fact that the ATM has a variety of network interfaces for communicating with the outside world, from X.25 to Ethernet and cellular. Using the Shodan service, many ATMs can be identified and located (the most concise instructions for its use have been published).
The communication layer between the ATM and the processing center is rich in technologies that can serve as entry points for a carder. The interaction can take place over wired (telephone line or Ethernet) or wireless (Wi-Fi, cellular: CDMA, GSM, UMTS, LTE) links. The security mechanisms include: 1) hardware or software with VPN support (both standard, built into the OS, and third-party); 2) SSL/TLS (both specific to a particular ATM model and from third-party vendors); 3) encryption; 4) message authentication.
One of the core requirements of PCI DSS is that all sensitive data must be encrypted when transmitted over public networks. And indeed, our networks were originally designed so that the data in them would be fully encrypted. It is therefore tempting to say, "We use Wi-Fi and GSM, so the data is encrypted." However, many of these networks do not provide sufficient security. Cellular networks of every generation have long since been hacked, finally and irrevocably. Moreover, there are suppliers who offer devices for intercepting the data transmitted over them.
Consequently, either over an insecure link or in a "private" network where each ATM broadcasts itself to the other ATMs, a MiTM "fake processing center" attack can be mounted, which gives the carder control over the data flowing between the ATM and the processing center.
In the next photo,
Command panel of a fake processing center
Source: habr.com