06 Jan 15

Thieves Jackpot ATMs With ‘Black Box’ Attack

Previous stories on KrebsOnSecurity about ATM skimming attacks have focused on innovative fraud devices made to attach to the outside of compromised ATMs. Security experts are now warning about a different class of attack altogether: rather than stealing card data, the crooks force the machine itself to pay out its cash, using a novel and fairly involved setup.

The attackers responsible for this “black box” ATM hack relied on a mobile device and a USB-based circuit board.

At issue is a form of ATM fraud known as a “black box” attack. In a black box assault, the crooks gain physical access to the top of the cash machine. From there, the attackers are able to disconnect the ATM’s cash dispenser from the “core” (the computer and brains of the device), and then connect their own computer that can be used to issue commands forcing the dispenser to spit out cash.

In this particular attack, the thieves included an additional step: They plugged into the controller a USB-based circuit board that NCR believes was designed to fool the ATM’s core into thinking it was still connected to the cash dispenser.

“They didn’t have to do this [to get away with the money] but our guess is they thought this component would buy them some time,” before the ATM’s owners figured out something was wrong, said Charlie Harrow, solutions manager for global security at NCR.

NCR says the crooks then attached a smart phone (a virgin, out-of-the-box Samsung Galaxy 4), which they used as a conduit through which to send commands to the cash dispenser remotely. According to Harrow, the mobile phone was set up to relay commands through a dynamic IP service.

“Which meant that the real attacker sending the commands was somewhere remote from the ATM,” Harrow said.

Why would the ATM thieves set it up so that the dispense commands could only be issued remotely, when co-conspirators would still need to be present at the hacked cash machine to retrieve the money? Harrow believes it’s so that the boss running the crime operation can call the shots.

“There is no honor among thieves, and these guys will delegate responsibility,” Harrow observed. “That way, you have the Mr. Big back at the hideout who’s sending the commands, and the mules are the ones at the ATMs. So the mule who has the black box is unable to activate the attack unless he gets the command from the Mr. Big, and the mobile phone is the best way to do that.”

The mobile phone component also made it difficult for investigators to piece together how the attackers pushed commands through to the cash dispenser.

“The mobile phone was simply a pass-through for commands sent from the remote server, so we had no idea about commands being sent to the dispenser,” Harrow recalled. “It took us a while to figure out how they were doing this attack.”

NCR notes that black box attacks are one of two “logical” attacks seen so far against ATMs. The other type of logical attack uses malicious software that similarly “jackpots” the cash machine, forcing it to spit out cash. In both cases, the attacks are made possible because thieves are able to physically access the top part of the ATMs where the USB ports are located.

“It’s one of two logical attacks we have seen increasing in frequency,” said Owen Wild, NCR’s global marketing director, noting that the company has seen only two black box attacks so far, including this one. “So far we’ve seen far more malware attacks than black box attacks. The ATM malware attack is simpler because you don’t need hardware. But in principle, there’s no reason black box hacks couldn’t become more common.”

To help prevent the type of physical access that allows thieves to perpetrate logical attacks, NCR urges customers who plan to deploy cash machines in unattended areas to consider wall-mounted units as opposed to stand-alone units. The company also recently shipped a software update for its ATMs that strengthens the encryption used to protect communications between the cash dispenser and the ATM core. More importantly, the update changes the system so that the encryption key exchange between those two components is only performed once the dispenser has received a specific authentication sequence; until then, the dispenser will not take commands from whatever is on the other end of the cable.

“All things considered, this is a pretty cheap attack,” Harrow said. “If you know the right commands to send, it’s relatively simple to do. That’s why better authentication needs to be there.”
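The weakness Harrow describes, and the shape of the fix, can be shown with a small simulation. The following is an added example, not NCR's protocol or code: the real frame format, key sizes and authentication sequence are not public, so everything below (the `DISPENSE:<n>` frame, a pre-shared "pairing secret", HMAC-SHA256 as the MAC) is an assumption chosen for illustration. The legacy dispenser takes any well-formed command from whatever is plugged into its port, which is exactly what a black box exploits. The hardened dispenser only derives a session key after the core answers a challenge correctly, and then requires a counter and a MAC on every frame, so a black box without the secret can neither start a session nor replay a frame it captured from the real core.

```python
import hashlib
import hmac
import secrets


class LegacyDispenser:
    """Pre-update link: anything on the dispenser port can command it (frame format assumed)."""
    def __init__(self, notes):
        self.notes, self.dispensed = notes, 0

    def handle(self, frame: bytes) -> str:          # frame: b"DISPENSE:<note count>"
        if not frame.startswith(b"DISPENSE:"):
            return "ERR unknown command"
        n = min(int(frame.split(b":")[1]), self.notes)
        self.notes, self.dispensed = self.notes - n, self.dispensed + n
        return f"OK {n}"


class HardenedDispenser:
    """Post-update link: key exchange only after a correct authentication response; every
    frame then carries a counter and an HMAC under the derived session key."""
    def __init__(self, notes, pairing_secret: bytes):
        self.notes, self.dispensed = notes, 0
        self._secret = pairing_secret               # provisioned at installation (assumed)
        self._challenge = self._session_key = None
        self._expected_counter = 0

    def new_challenge(self) -> bytes:
        self._challenge = secrets.token_bytes(16)
        self._session_key = None                    # a new attempt drops any live session
        return self._challenge

    def authenticate(self, response: bytes) -> bool:
        """The 'authentication sequence': HMAC over the challenge under the pairing secret."""
        if self._challenge is None:
            return False
        expected = hmac.new(self._secret, b"AUTH" + self._challenge, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, response):
            return False
        self._session_key = hmac.new(self._secret, b"SESS" + self._challenge, hashlib.sha256).digest()
        self._expected_counter = 0
        return True

    def handle(self, frame: bytes, tag: bytes) -> str:   # frame: b"<counter>:DISPENSE:<n>"
        if self._session_key is None:
            return "ERR no authenticated session"
        if not hmac.compare_digest(hmac.new(self._session_key, frame, hashlib.sha256).digest(), tag):
            return "ERR bad MAC"
        counter, cmd, arg = frame.split(b":")
        if cmd != b"DISPENSE" or int(counter) != self._expected_counter:
            return "ERR unknown command, replay or out-of-order frame"
        self._expected_counter += 1
        n = min(int(arg), self.notes)
        self.notes, self.dispensed = self.notes - n, self.dispensed + n
        return f"OK {n}"


class Core:
    """The ATM's PC core, the only other holder of the pairing secret."""
    def __init__(self, pairing_secret: bytes):
        self._secret, self._session_key, self._counter = pairing_secret, None, 0

    def open_session(self, dispenser: HardenedDispenser) -> bool:
        challenge = dispenser.new_challenge()
        response = hmac.new(self._secret, b"AUTH" + challenge, hashlib.sha256).digest()
        if not dispenser.authenticate(response):
            return False
        self._session_key = hmac.new(self._secret, b"SESS" + challenge, hashlib.sha256).digest()
        self._counter = 0
        return True

    def build_dispense(self, n: int):               # returns (frame, tag) so a capture can be replayed
        frame = f"{self._counter}:DISPENSE:{n}".encode()
        self._counter += 1
        return frame, hmac.new(self._session_key, frame, hashlib.sha256).digest()


def demo() -> dict:
    """A black box that knows the frame format but not the secret, against both dispensers."""
    secret = secrets.token_bytes(32)
    r = {}
    r["legacy"] = LegacyDispenser(notes=200).handle(b"DISPENSE:40")         # OK 40
    hard = HardenedDispenser(notes=200, pairing_secret=secret)
    hard.new_challenge()
    r["forged_auth"] = hard.authenticate(secrets.token_bytes(32))           # False
    r["unauth_cmd"] = hard.handle(b"0:DISPENSE:40", secrets.token_bytes(32))  # ERR no session
    core = Core(secret)
    r["session"] = core.open_session(hard)                                  # True
    frame, tag = core.build_dispense(40)
    r["legit"] = hard.handle(frame, tag)                                    # OK 40
    r["replay"] = hard.handle(frame, tag)                                   # ERR replay
    r["hard_dispensed"] = hard.dispensed                                    # 40, not 80
    return r


if __name__ == "__main__":
    print(demo())
```

Two caveats the simulation makes visible. First, the counter matters as much as the MAC: without it, a frame sniffed from the genuine core (the spoofing board in this case sat right on that cable) could simply be sent again. Second, authentication of the link only helps if the pairing secret stays out of the attacker's reach; it has to live in the core as well as in the dispenser, and the core is the part sitting under the hood, which is why the malware-based "logical" attacks NCR mentions remain a separate problem that link authentication alone does not solve.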

Harrow said the update also makes it so that the underlying firmware which powers the ATM core cannot be rolled back to previous versions of the firmware. According to Harrow, ATM thieves in Mexico did just that in a recent attack that tried to undo security upgrades that were bundled into a recent software update.
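The rollback Harrow describes works because a firmware image that is old is not the same thing as an image that is forged: the old version was legitimately signed by the vendor, so a boot process that checks only the signature will happily install it. Below is an added example, not NCR's update mechanism, of the extra check that blocks this. The vendor signature is stood in for by an HMAC under an assumed key (real devices use an asymmetric signature with the verifying key fixed in the bootloader), and the "installed version" would in practice be a monotonic counter or fuse the core cannot wind back; the images and version numbers are constructed for the example.

```python
import hashlib
import hmac
import json

# Stand-in for the vendor's firmware-signing key (assumed, illustration only). A real
# system uses an asymmetric signature; HMAC keeps the example dependency-free and the
# rollback logic is identical.
VENDOR_KEY = b"vendor-signing-key (assumed, illustration only)"


def sign_manifest(version: int, image: bytes, key: bytes = VENDOR_KEY):
    """What the vendor ships with an image: a signed manifest binding version to image hash."""
    body = json.dumps({"version": version, "sha256": hashlib.sha256(image).hexdigest()},
                      sort_keys=True).encode()
    return body, hmac.new(key, body, hashlib.sha256).hexdigest()


class CoreFirmware:
    def __init__(self, installed_version: int, key: bytes = VENDOR_KEY):
        self._key = key
        # In hardware this is a monotonic counter or fuse the core cannot decrement;
        # here it is a plain attribute that apply() only ever moves upwards.
        self.version = installed_version

    def apply(self, body: bytes, sig: str, image: bytes) -> str:
        if not hmac.compare_digest(hmac.new(self._key, body, hashlib.sha256).hexdigest(), sig):
            return "reject: manifest signature invalid"
        manifest = json.loads(body)
        if hashlib.sha256(image).hexdigest() != manifest["sha256"]:
            return "reject: image does not match signed manifest"
        if manifest["version"] <= self.version:
            # A genuine, correctly signed image still fails here unless it is newer than
            # what is installed: this is the anti-rollback check a signature alone lacks.
            return f"reject: version {manifest['version']} is not newer than {self.version}"
        self.version = manifest["version"]
        return f"ok: now running version {self.version}"


def demo() -> dict:
    """Constructed images: v8 carries the security update, v7 is the release it replaced."""
    v7_image = b"firmware-v7-without-dispenser-auth"
    v8_image = b"firmware-v8-with-dispenser-auth"
    v7, v8 = sign_manifest(7, v7_image), sign_manifest(8, v8_image)
    core = CoreFirmware(installed_version=7)
    r = {}
    r["upgrade"] = core.apply(*v8, v8_image)        # ok: now running version 8
    r["rollback"] = core.apply(*v7, v7_image)       # reject: version 7 is not newer than 8
    r["reinstall"] = core.apply(*v8, v8_image)      # reject: version 8 is not newer than 8
    # Attacker edits the v7 manifest to claim version 9 but cannot re-sign it.
    forged = json.dumps({"version": 9, "sha256": hashlib.sha256(v7_image).hexdigest()},
                        sort_keys=True).encode()
    r["forged"] = core.apply(forged, v7[1], v7_image)   # reject: manifest signature invalid
    r["final_version"] = core.version                   # 8
    return r


if __name__ == "__main__":
    print(demo())
```

The check has a cost worth knowing about: once the version counter has moved, the vendor cannot quietly "downgrade" a bad release either, so each fix has to ship as a strictly higher version.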

If you liked this story, check out my ongoing series about ATM skimmers.


44 comments

  1. mmm hate chicken… first!

  2. It seems like these posts are always referring to NCR ATMs. Is that simply due to it being the major vendor in these areas where institutions don’t spend much on ATM security? Or does it speak to an issue with NCR? All the ATMs in my area are Diebold. I wonder what attacks Diebold is seeing?

    • > NCR vs. Diebold

      The disparity could also be source dependent. e.g. Brian’s sources at NCR may be more open about what’s happening than their counterparts at Diebold

    • Or it means NCR is the only manufacturer to speak candidly about threats facing their hardware.

    • Diebold is only open to electoral hacks.

      • Welcome to 20 years ago.

        Or it just means NCR machines suck. And those two 14 year olds who hacked an ATM at lunch? NCR…

  3. Wow…this really changes the game of ATM safety. It seems like this type of attack is really complex though, so hopefully that has an effect on its impact.

    I really can’t see too many thieves getting away with this in the US (at least with the big banks) because they
    1) aren’t placed in remote areas
    2) are monitored by security cameras
    3) are monitored by security guards most of the day

    We’ll see, though. It seems that NCR continues to have problems, and I rarely hear about other vendors’ issues.

    • Don’t fall into the trap of assuming NCR has more problems just because they are addressing them in a transparent manner.

      Diebold has always been about deny, deny, deny (at least when I was following the controversies surrounding their electronic voting units).

      It’s my guess that it’s the worry that these sort of assumptions really drive companies to reactively clam up about their own security issues.

    • What about everyone else? Tons of ATMs don’t have cameras and even NCR wall ATMs are often placed in utility areas where unauthorized people could potentially access them.

      The keys that secure the hood are a joke. On many NCR models if you squeeze the hood in the right spots you can pop the latch with ease.

    • I work at a “Big Bank”. I can assure you that we do indeed have ATMs in remote, unmanned areas. This can most certainly happen in the US, although it would be harder to pull off without getting caught.

  4. Brian, bro, when will you upload more dumps to my shop? Your dumps are always bestsellers.

  5. We do live monitoring (electronic, status on the big screen in the NOC) of all our ATMs, along with the company that supports them. We don’t wait for customers to complain (ATMs are not super reliable), or to find out the next day one was hacked. Nothing beats a good set of eyes on things.

  6. old story, discussed at BH EU 2014 http://scadastrangelove.blogspot.com/2014/10/different-type-of-scada.html

    weaknesses of internal components auth, pinpad mitm and (in nearest future) GSM/wireless routers/usb modems attacks.

  7. So the HNIC can restrict the drones (so to speak) from accessing the money … but I don’t get the point raised in the article still: can’t the person at the machine still make off with the cash after it’s dispensed?

    To me it seems more like a “DRM” type device instead: the attacker cannot use the device on his own, he must “license” it from the seller and it will not work without the remote commands being used to actually use the device.

    Or not, I am just musing here.

    • You mean, like the attacker has no knowledge of the commands and they pay a % for a transaction (say, from the mobile they are carrying) and the supplier sends the commands once payment is authorized or ordered?

      I was thinking it was along the lines of a MITM maybe so the exploit could stay in place for an extended period. The ATM thought it was connected to the cash and the board forwarded commands on to the phone that processed them to the cash box. Commands could come remotely to the phone and an attacker could just look, publicly, like someone on their phone using the ATM.

      They could use it to gather intel on the commands sent by the ATM too if they didn’t already know everything they wanted to.

  8. “That’s why better authentication needs to be there.”

    In other words, it’s a plain-text unauthenticated port…. Nice one!

  9. Gilbert Godfrey

    Good article, a little bit speculative.

  10. Diebold is a major vendor of voting systems. If anything like this came out about their hardware, they would cover it up faster than you can say “recount”. NCR is a company with a long history of quality products and commitment to improvement. Diebold? Not so much.

    • Agreed. Just like when Diebold stated their voting machine audit logs could not be altered via human intervention, so BlackBox Voting trained Baxter the Chimp to alter the logs in less than an hour:

      http://www.youtube.com/watch?v=N4-wQhtRiP8

      • Diebold doesn’t do voting machines…

        And only NCR ATM are able to be hacked like this.

        Diebold > NCR machines

        • Technically you are correct that Diebold doesn’t do voting systems. But only because they sold that division in 2009. However, I’m sure there are plenty of Diebold voting machines still in use.

  11. Re: Why is the phone being used as the remote control device? I suppose there could be a trust issue among the thieves, but it strikes me that if this is the case then the solution adopted does not really solve the fundamental problem (if that is in fact the problem). E.g., if ‘Mr Big’ does not trust his assault team then any solution that leaves the assault team in physical control of the money does not solve the problem. Given this, I would think it more likely that using the smart phone to short-stop the commands was a technical necessity for ‘Mr Big’. Perhaps it is as simple as the hacker had access to an off-the-shelf Android utility that would allow him to use remote desktop software on the Android to send commands directly to the USB port to control the cash dispenser. He then ran the hack remotely because he could not trust the technical abilities of the knuckle-draggers in his assault team to do anything beyond plugging in the USB cable.

  12. I must be missing something. You’re saying that they disconnect the ATM’s core computer from the cash dispenser, but on all ATMs I’ve seen here in Brazil the core computer is in the safe (the bottom part of the ATM) together with the cash dispenser. To disconnect one from the other, the thieves would have to crack the safe first, but if they can crack the safe, they can simply take the money from the dispenser.

    The most the thieves can access without opening the safe is the ports for peripherals like the touchscreen or camera.

    • On many NCR Models there is a top hood that locks and covers up the computer/cage and the peripherals. Only the cassettes and dispenser are actually in the safe.

      Many times the deposit boxes sit outside the safe too.

      Example:
      Under the Hood: https://i.imgur.com/5DamIYE.jpg
      Safe: https://i.imgur.com/37Cxhmz.jpg

    • @Cesar – the article says this specific attack is made possible by means of access to the usb ports. That’s enough for defensive purposes.

      If I were NCR I wouldn’t say any more about how this facilitates disconnecting the dispenser.

  13. I think my bank solved the problem. They no longer seem to have any ATM’s that they own, or that bear their name. They do participate with a number of ATM systems, so one could normally find an ATM bearing a supported service system. My bank also rebates the service fees for the ATM use for banking customers, with some modest stipulations and requirements.

    I suspect the ability to no longer have to monitor, service, and be responsible for the security of a physical ATM machine easily offsets the service fees rebated to the customer.

  14. With physical access and enough time, people will always find a way to gain access.

  15. Another reason for the remote triggering is that the “boss” or whomever will know exactly how much is taken, so the hands-on thieves can’t “skim” (forgive the pun)

  16. Hi, I’m an engineer at a Brazilian public bank and I’m interested in this “circuit board that NCR believes was designed to fool the ATM’s core into thinking it was still connected to the cash dispenser.”
    Where can I get more information about this, or where can I get this circuit?
    If you can contact me by email, I’d appreciate it.

    thanks

    • If you were a real engineer, you would know how to spell. You’re nothing more than a fake hack, I can only presume.

    • Victor, contact your Brazilian NCR representative. Have them contact Charlie Harrow, solutions manager for global security at NCR, or Owen Wild, NCR’s global marketing director.

  17. ATM attacks are absolutely fascinating to me. The potential reward is so high that even convoluted and multi-step attacks are worth it, so they make for a really interesting read every time.

  18. I will preface the following comment with two things; this was over ten years ago, and, this was before Diebold was in the voting-machine business.

    I worked as an ATM systems admin for a large credit union in a previous career-path. At one time, we entertained the idea of adding NCR machines to our network (perhaps replacing Diebold since NCR was considerably cheaper). We quickly found that NCR did not incorporate what I would consider some very basic physical and logical security measures in their ATMs – things that were present in Diebold’s. Needless to say, after careful internal testing and discussion, we never even went so far as to bring the NCR ATM live on our network. There was clearly a reason why the Diebold ATM was more expensive – we got what we paid for. It would appear this may still be the case.

    I also recall the news (and mishaps) regarding Diebold’s entrance into the voting machine space. I do not believe their ATM engineers were involved in the engineering of their voting machines as it was (to my recollection) a totally different division.

    • Interesting how dim a company’s corporate team can be. To have a group of experts on ATMs yet not employ some to do the voting machines beggars belief. Well, almost. I’ve worked for and with big companies!

      As regards the attack, this is the small stand-alone machines. In the UK the majority of cash machines are built into a very secure little room, so there is no way to get into the machine from outside without massive damage. But the little stand-alone machines obviously can’t have that defence in depth.

      Mine, a ‘miniNCR’, had a 10 second lock on the front, & a ten minute lock on the safe itself. (I’m an expert locksmith though – YMMV) & after purchase it took me a timed 10:36 to get into the cash. (Which was of course empty! )

      These are not for leaving lying around!

  19. Brian, I have the source code to their bot and am modifying it to botkill all there stuff while not infecting the routers with any malware. you can contact me if you would like on a secure ircd or xmpp.

  20. Please let us know the places where the attack was reported