One basic tenet of computer security is this: If you can’t vouch for a networked thing’s physical security, you also cannot vouch for its cybersecurity. That’s because in most cases, networked things really aren’t designed to foil a skilled and determined attacker who can physically connect his own devices. So you can imagine my shock and horror seeing a Cisco switch and wireless antenna sitting exposed atop an ATM out in front of a bustling grocery store in my hometown of Northern Virginia.
I’ve long warned readers to avoid stand-alone ATMs in favor of wall-mounted and/or bank-operated ATMs. In many cases, thieves who can access the networking cables of an ATM are hooking up their own sniffing devices to grab cash machine card data flowing across the ATM network in plain text.
But I’ve never before seen a setup quite this braindead. Take a look:
Now let’s have a closer look at the back of this machine to see what we’re dealing with:
Daniel Battisto, the longtime KrebsOnSecurity reader who alerted me to this disaster waiting to happen, summed up my thoughts on it pretty well in an email.
“I’d like to assume, for the sake of sanity, that the admin who created this setup knows that Cisco security is broken relatively simply once physical access is gained,” said Battisto, a physical and IT security professional. “I’d also like to assume that all unused interfaces are shut down, and port-security has been configured on the interfaces in use. I’d also like to assume that the admin established a good console login.”
While it’s impossible to test the security of this setup without tampering with the devices, “considering that this was left like this in the front vestibule of a grocery store with no cameras around AND the console cable still attached, my above assumptions are likely invalid,” Battisto observed.
“In my experience, IT departments often overlook basic security practices, and double down on the oversight by not implementing proper physical security controls (you’d be surprised, maybe, at the number of server rooms that I’ve been in that had the keys to all of the racks taped to the outside of the doors),” he said.
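For readers who want to see what Battisto’s three assumptions look like on the switch itself, here is an added illustration (not configuration from the article, from Battisto, or from the store’s equipment) of that baseline written as Cisco IOS-style commands. The interface numbers, VLAN, hostnames and addresses are placeholders chosen for the example.

```cisco
! Added example, not from the original post. Interface names, VLAN 100,
! the username and the syslog address are assumptions for illustration.
!
! 1. Unused interfaces are shut down, so a stray cable finds a dead port.
interface range GigabitEthernet1/0/3 - 24
 description UNUSED - administratively down
 shutdown
!
! 2. The port the ATM actually uses is limited to a single learned MAC
!    address; a second device on that port errdisables it instead of
!    quietly joining the network.
interface GigabitEthernet1/0/1
 description ATM uplink
 switchport mode access
 switchport access vlan 100
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation shutdown
 switchport port-security mac-address sticky
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! 3. The console line requires a login and times out, so a console cable
!    left plugged in is not an open enable prompt.
enable secret STRONG-ENABLE-SECRET-PLACEHOLDER
service password-encryption
username netadmin privilege 15 secret STRONG-PASSWORD-PLACEHOLDER
line console 0
 login local
 exec-timeout 5 0
 logging synchronous
!
! 4. Port-security violations and link changes are sent off-box, so someone
!    other than the switch notices when a port is tampered with.
logging host 192.0.2.10
logging trap informational
```

To verify the second item after applying it, `show port-security interface GigabitEthernet1/0/1` should report the port as secure-up with a maximum of 1 and the ATM’s address listed as sticky. None of this changes the point of the post: as later commenters note, a reset button or a wholesale swap of the switch defeats any configuration, so these settings only matter once the hardware is somewhere the public can’t reach it.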
If something doesn’t look right about an ATM, don’t use it and move on to the next one. It’s not worth the hassle and risk associated with having your checking account emptied of cash. Also, it’s best to favor ATMs that are installed inside of a building or wall as opposed to free-standing machines, which may be more vulnerable to tampering.
If you liked this piece, check out my entire series on skimming devices, All About Skimmers.
Not another blog post about ATMs. I think you should change your website to Krebs on ATMs. ….zzzzzzz
I appreciate the information — no matter if it is regarding ATMs or the updating us on pending court cases.
I appreciate all of your hard work Krebsonsecurity!
I needed the laugh today…… Keep em coming Brian!
Don’t read his blog then. It’ll free up your time for BuzzFeed and ClickHole, or commenting on Yahoo with brilliant insights like ‘This isn’t news.’
And it has a console cable sitting there inviting everyone to hack into the router, love it!
I’m sure this ATM is perfectly safe as well:
https://twitter.com/ITSecurity/status/523587385482051584
great post, Brian!
I was summoned to jury duty in the LA criminal courts. I asked some police officers if they knew of an ATM, they pointed at a machine that was sitting on a hand truck in the hallway. They seemed surprised at my look of horror. Needless to say, I went to my bank’s ATM.
Is the switch even bolted/glued to the ATM?
Forget the console port. There’s a factory-reset button on the back.
I don’t agree with Frank. It isn’t just another ATM blog post. This has to be one of the funniest and scariest things I have seen. Something like this I would quickly avoid; most people would not. If things like this are not drilled into people, more and more scammers get rich.
Mike
So ummm…where specifically was this ATM? And how much cash would you guess was in it? Asking for a friend. 🙂
Unbelievable!
I wouldn’t worry about Cisco security if I were the criminal. I’d just replace it with my own switch.
which grocery store is this? giant?
Giant uses machines privileged by their partner PNC Bank and Safeway machines are from Suntrust.
Did the grocery store’s manager know anything about the add-ons, or just take the attitude that since it was outside the door it was no business of theirs?
This type of post is a welcome chuckle for me.
+1 if I were a criminal, replacing existing devices with my own.
Wow, it’s practically begging to be hacked. Perhaps it’s a sting operation?
I’ve seen worse things at community banks and retailers who have ATMs. Not much worse though…. People don’t think. I’ll bet the employees and management of the store use that ATM frequently.
Keep up the good work. No matter how often someone says don’t do this, someone will do it and say, “See…… Nothing bad has happened today.”
Oh, you must know my sister in law!!
any idea what grocery store?
I wonder who stole the sign reading “account/password information available here free”?
Thanks, Brian. No such thing as too many posts about these skimmers as long they continue to be a problem.
http://imgur.com/ksWMjJl
I KNEW IT!
Drats! I knew it too.
Worst Photoshop job ever, Phil.
HOW DARE YOU SIR, this was all MSPaint +2 minutes
She probably thought it was one of those Diebold voting machines! ;0)
No one seems to be assuming (as I am) that perhaps this outside gear was added on by a perp.
More importantly – I’d like to know what if anything has been done to alert someone (bank?) to the issue to fix it. No offense Brian but anyone of us can take a pic and share it – you have credentials and knowledge to help fix the issue.
I wondered the same thing. Has anyone been notified about this?
I don’t think there are enough “automatic door” warning stickers in the vicinity of this ATM.
Perhaps it’s already been owned and the wireless is just a first-hop link to the bad guy’s fraudulent proxy.
I have a need of a cisco switch. What grocery store is this again?
Never know, could be the work of a burnt out employee not giving two cents about any means of integrity whatsoever. Say it was my last job for the day and my company/boss repeatedly told this grocery store what we needed and they failed to come through: Network drops, power drops, etc; nothing set up as they said it would be; but they demand this ATM be out front by end of day or I’m out a job. I’m getting my job done any way I see fit, and when they come back and speak on how asinine the setup is, I’ll be sure to have my fire power tucked away for defense. The console cable? That’s being left in place for the sheer fact that they demanded I set this up without proper resources, maybe even AFTER I spoke on how insecure this could be for everyone that might utilize the ATM. Not a good attitude by any means, but I’ve been down that path when I’m frustrated and overwhelmed. I could just see the guy installing the devices speaking on the lack of security while some ignorant manager stands by barking orders insisting that it’s completed regardless of the ‘how’ simply because his boss is barking at him. I.T. can be such a mess, and the smallest things we often overlook can so greatly compromise security.
Isn’t it a PCI requirement to encrypt the traffic from the device to the payment processor? How are these ATMs like you mentioned in http://krebsonsecurity.com/2016/02/skimmers-hijack-atm-network-cables/ being so easily exploited? Are they really just sending in plain text?
And this setup clearly fails PCI Requirement 9 which is all about the physical security for both point of sale systems and for the location of all in scope endpoints and network jacks in the card data environment.
I see the Internet connection cable
I see the cable going to the Atm
I see the console cable
What is the antenna for?
The antenna is likely for 4G backup in case the main circuit goes down.
So that means this ATM uses the store’s Internet connection as its primary connection?
I’d still check to see if it’s Wi-Fi and broadcasting its network name or even has encryption turned on.
I would have snapped some quick photos of the said setup and retreated to a quiet spot, to await 5-0.
Did I pass selection for further shadowing sequence?
As I bow, I do so with great attention of simple said tried and true simple tactics.
Shanks.
FiloExacto- De Oppresso Liber
WGAF about the technical security, just get a trolley and take the bloody thing away
Job Done
LE org Honeypot?
Counterfeit ATM? (You get $20 to buy a loaf of bread while your card data is already at Best Buy purchasing a TV.)
Love this post with the picture! Every time I see an ATM isolated I carefully inspect it wondering if it was compromised. Brilliant post! Thanks for your great insight Brian. You are educating us and it is greatly appreciated.
Scott Schober
Author of Hacked Again
http://www.scottschober.com