How to hack an ATM in less than 5 minutes

Tuesday, October 31, 2017

As we head towards a cashless society, upgrading the technology of ATMs may not seem to be a priority. However, cash is still the main source of financial transactions in emerging Latin American markets.

Leigh-Anne Galloway is security resilience lead at Positive Technologies, a global provider of enterprise security solutions. Challenged by her company to find out how easy it is to hack into an ATM, Galloway found some surprising results which she shared with BNamericas during the recent 8.8 computer hacker conference in Santiago.

BNamericas: How did the idea of studying the security of ATMs come about?

Galloway: An idea was floated by my company that you could buy components of an ATM on the grey market, like eBay, and reconstruct a working ATM. I looked at the idea and thought it was feasible.

What was surprising was that it is easier to buy parts legally than illegally. Another surprise was that in Europe and the UK, the top threat to ATMs is still brute force - pulling the machine out of the wall.

BNamericas: You managed to hack an ATM in under five minutes. How?

Galloway: It's surprisingly easy to get access to the physical computer. This can be done through the front, which is typically made of plastic and can be drilled and removed. Some ATMs are so flimsily made that you can break part of the façade off, then cover it up. You can then access peripherals of the computer and connect USB devices. There are a few elements of security on most ATMs but not that many. There is one thing called kiosk mode, which limits the number of functionalities a user has on an ATM, just a screen. But it is quite easy to bypass it by plugging in a keyboard and entering a combination of keys. More often than not, the computer has a Windows operating system so you can use keys to navigate the file system.

Once accessed, I plug in a USB stick with malware that sends commands to the cash dispenser with instructions to eject money. It's pretty straightforward and a tactic typically used by attackers.

BNamericas: Aren't there security cameras?

Galloway: Interestingly, if you look at the physical security of ATMs, some have CCTV and more restrictions around the physical access. But there are a lot of ATMs that stand alone and you can get access to the service area at the back, which has direct access to the computer and to the dispenser. You can also often access parts of the network equipment like a modem. Sometimes you can plug directly into the network because the equipment is just sat on top of the ATM. So there are many security aspects that are overlooked. They are just computers sat on top of a vault. And it's not that difficult to break into them. The bottom is typically made of metal and reinforced concrete, while the top, where the computer is housed, might have some metal around the sides but the front is plastic. The back will have a locked door to the back of the service area but you can lock pick or bribe a service engineer. We've seen incidents where service engineers are bribed and allow attackers to put malware on the ATM and infect the network.

BNamericas: Is it possible to access ATMs remotely?

Galloway: Yes, because ATMs are connected to the banking network. You can also compromise VPN credentials. There are a lot of ways to get access to a computer network.

BNamericas: Barnaby Jack famously hacked two ATMs on stage at the Black Hat conference in 2010. What's changed since then?

Galloway: That was the first time that the security industry took notice of this. But not a lot has changed since then. Predominantly, 80% of ATMs have Windows operating systems, and most of those are Windows XP, which no longer even has security support. And as I said, you can easily get physical access to the network and computer, so not a lot has changed.

BNamericas: Have you seen an escalation in attacks?

Galloway: In Europe, for the first half of 2017, we saw a 300% increase in blackbox attacks on ATMs, which is where you take an embedded computer system like Raspberry Pi and connect it to a component of the ATM like the dispenser and you send commands to it directly. That is obviously more of a complex attack than pulling an ATM out of a wall.

But we haven't really seen a change in the amount of financial losses from breaking into ATMs, so the market isn't really going anywhere. But some attacks have become more complex.

BNamericas: Will your research be passed onto banks?

Galloway: The company I work for is quite active in talking to banks about security standards. There are some problems that still exist like ATMs traditionally not falling under IT security departments. They often come under an entirely different department and sometimes are maintained by an external third party. There is also a big discrepancy as to where the responsibility for security lies. So if you talk to manufacturers, their response is you need to buy a new ATM. But the reality is the security of ATMs is all in the configuration. An ATM running XP could be 10 years old and you could make it a lot more secure than the latest ATM.

There is some software you can install in the operating systems that allows only good applications to run, but it is very flawed because there are some Windows applications that allow you to run third party executables. It is easy to bypass. So there needs to be more of a discussion about how to do this better. There isn't one solution. Security is an ongoing discussion.

About Leigh-Anne Galloway

Leigh-Anne Galloway has 10 years of information security experience and currently works as security resilience lead at Positive Technologies.

About the company

Positive Technologies provides enterprise security solutions for compliance management, incident and threat analysis, and application protection.

With expertise in banking, telecom, web applications, and ERP security, Positive Research has helped identify and fix over 250 zero-day vulnerabilities in products from Cisco, Google, Honeywell, Huawei, Microsoft, Oracle, SAP, Schneider Electric and Siemens, earning a reputation for protection of devices and infrastructures from ATMs to nuclear power stations.