One basic tenet of computer security is this: if you can't vouch for a networked device's physical security, you can't vouch for its cybersecurity either. In most cases, networked devices simply aren't designed to foil a skilled and determined attacker who can walk up and plug in his own hardware. So you can imagine my shock and horror at seeing a Cisco switch and wireless antenna sitting exposed atop an ATM in front of a bustling grocery store in my home area of Northern Virginia.
I've long warned readers to avoid stand-alone ATMs in favor of wall-mounted and/or bank-operated machines. In many cases, thieves who can reach an ATM's network cabling have hooked up their own sniffing devices to capture card data that crosses the ATM's network link in plain text.
But I’ve never before seen a setup quite this braindead. Take a look:
Now let’s have a closer look at the back of this machine to see what we’re dealing with:
Daniel Battisto, the longtime KrebsOnSecurity reader who alerted me to this disaster waiting to happen, summed up my thoughts on it pretty well in an email.
“I’d like to assume, for the sake of sanity, that the admin who created this setup knows that Cisco security is broken relatively simply once physical access is gained,” said Battisto, a physical and IT security professional. “I’d also like to assume that all unused interfaces are shut down, and port-security has been configured on the interfaces in use. I’d also like to assume that the admin established a good console login.”
While it’s impossible to test the security of this setup without tampering with the devices, “considering that this was left like this in the front vestibule of a grocery store with no cameras around AND the console cable still attached, my above assumptions are likely invalid,” Battisto observed.
“In my experience, IT departments often overlook basic security practices, and double down on the oversight by not implementing proper physical security controls (you’d be surprised, maybe, at the number of server rooms that I’ve been in that had the keys to all of the racks taped to the outside of the doors),” he said.
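The three controls Battisto lists (unused interfaces shut down, port-security on the ports in use, and a real console login) are all short Cisco IOS settings. The fragment below is added here for illustration; it is not from the post and not the configuration of the switch pictured. Interface names, the parking VLAN number and the admin username are assumptions, and the placeholder passwords must be replaced. The first block shows the out-of-the-box state that leaves a reachable switch wide open; the second shows the hardened form.

```cisco
! --- Weak: factory defaults on a reachable switch (assumed port names) ---
! Console port answers with an unauthenticated exec prompt.
line con 0
 no login
!
! Spare ports are up and will learn any MAC plugged into them.
interface GigabitEthernet0/2
 no shutdown
!
! --- Hardened ---
! 1. Unused interfaces: shut them down and park them in a dead VLAN
!    (VLAN 999 is an assumed, otherwise-unused VLAN).
interface range GigabitEthernet0/2 - 8
 description UNUSED
 switchport mode access
 switchport access vlan 999
 shutdown
!
! 2. Port-security on the port the ATM actually uses: one sticky MAC,
!    and err-disable the port if a second device shows up.
!    (port-security requires a static access port, hence mode access.)
interface GigabitEthernet0/1
 description ATM
 switchport mode access
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 switchport port-security violation shutdown
!
! 3. Console login: a local account with a hashed secret, and an idle
!    timeout so a walked-away session does not stay open.
username atmadmin privilege 15 secret REPLACE-WITH-STRONG-PASSWORD
enable secret REPLACE-WITH-STRONG-PASSWORD
service password-encryption
line con 0
 login local
 exec-timeout 5 0
 logging synchronous
!
! Verify after applying:
!   show interfaces status            -> spare ports report "disabled"
!   show port-security interface GigabitEthernet0/1
!   show running-config | section line con
```

Two caveats a practitioner should keep in mind. Port-security only limits which MAC addresses a port will accept; it does nothing against a passive tap inserted inline on the cable, and an attacker who unplugs the ATM can present the ATM's own MAC. The switch settings narrow the attack surface, but they are no substitute for encrypting and authenticating the ATM's traffic end to end, which is the only thing that makes sniffing the link unprofitable.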
If something doesn’t look right about an ATM, don’t use it; move on to the next one. It’s not worth the hassle and risk of having your checking account emptied. Also, favor ATMs installed inside a building or in a wall over free-standing machines, which may be more vulnerable to tampering.
If you liked this piece, check out my entire series on skimming devices, All About Skimmers.
The only ATM I ever use is at the bank or one of the same bank’s ATMs at a convenience chain (Wawa), because there is no fee and the machines are in a high-traffic area, so sticking something on them would be observed quickly, and the stores are full of video cameras. When I see one of those stand-alone ATMs in a remote spot, usually just plugged into a telephone jack (one of my customers has this type in his laundromats), I not only steer clear because of the fees but also because of the security at the site.
I believe we have candy and soda machines at work now that take credit/debit cards, also with an antenna on top of the machine. I haven’t investigated further but would not use plastic for a soda or a bag of cheese doodles in the first place.
Come on, give them credit for good cable management, at least. See how prettily the console cable is wrapped and zip-tied? 🙂
I have seen ATMs in my area and they don’t look like the one that is pictured in this article at all.
The cabinet looks like it was repurposed from an old MicroVAX with a replaced front.
The ATM system is broken in the first place if it relies on that Cisco *ROUTER* to do anything but forward.
If this setup is as vulnerable as this rant implies, then you shouldn’t use any ATM whatsoever. That would mean that the communication is not encrypted (nor authenticated) when it leaves the ATM. And if any ATM had that property, then you can’t trust any of them.
I don’t trust using any ATM and don’t use them. Of course, nothing electronic is safe to use but eliminating one form of possible theft is better than doing nothing.
Ha! Even better, a crook can pilfer the goods on the top of the unit and do a sale via a trunk or eBay. Unless this stuff is hardware-mounted to the ATM, it’s free money for someone, and the ATM is useless.
There are a lot of Mom-and-Pop-owned ATMs out there with little to no upgrades to the device. Add in the vulnerabilities and the additional ports available to plug in a sniffer and listen, or simply crack the unit and own any data by sitting nearby and waiting for the tech to mash in the username and password to reconfigure, as someone else has the data needed to monitor any traffic without being detected.
I have to assume that the stuff was owner-supplied and not a crook attempting to simply have people overlook a completely out-in-the-open heist.
You can’t assume it isn’t encrypted because it goes through a router.
I wonder if it even dispenses cash or if just collects your data, transmits it and then gives you an “Out of Cash” message?
I would not want to be the fool that tries it to see if it works!
Unless you are using a stolen card; then it’s a moot point.
The guy who sold the ATM to the grocery store owner now:
“Ma friiieeennd, this ATM is total legit ma frent, it workt as we advertised it to you in your contrakt my frent. when your customer put kart in machine, machine says you heff zero, because trust me maam with dis antena it is prety damn fast accurate, you can be sure you have zero, this is exact working machine it tells you how much you heff before sending your money obivously.”
ATM builders are the first crooks mark my words.
I would hope that they at least put black tape over the access key sticker so that no one could read it. Otherwise we would have anarchy.
Maybe it’s a honey-pot?
Notice the blue cable dangling? That’s a Cisco console cable. One would hope it’s not configured so that someone could plug in and get into the console without any authentication or login at all.
What? no screwdriver or key taped to the back of the cabinet? No sticky note with the admin password on the front?? How inconvenient!!!
Not so fast, it is prolly taped to the bottom of the switch
I think everyone missed one key point: using good security practices, they have employed a layered defence model. See the sign placed on top to block your view of the router and antenna.
They must read Krebs!
Well, I live in a small town and the ONLY ATM is in the back corner of a Shop’N Rob surrounded by mountains of pop cans and sundry dreck. The ceiling is also falling-down tiles. And they charge a fee even if you have the bank-brand card, but it is used a lot. The only bank (Wells Fargo) will not install an ATM for some reason. The local dollar store, seeing a good thing, charges a fee for cash-back purchases. So we have to go 35 miles to ValMort for cash. Be thankful you have a choice!
Came across this today.
At first, I thought this would be a story about brazen (or stupid) criminals given the obvious way they compromised the ATM. Nope, this is normal to somebody.
Tank you fur shopping at kwik e mart,would you like a slushie with your data breach?
“you’d be surprised, maybe, at the number of server rooms that I’ve been in that had the keys to all of the racks taped to the outside of the doors”
That’s commonplace because server racks have terrible locks. In most cases, a given rack vendor will have about 5 total key variations, meaning that just about anyone can get the key to your rack.
If you can’t trust the physical access protocols of the server room itself, then you should find a new facility.
I can’t believe how unsafe this one is! It’s a good thing that most other ATMs are secure! It seems like anything is secure compared to this, though. Thank you for sharing!