Before this pandemic, Neil Burrows and myself (Bruno Oliveira) from Trustwave's SpiderLabs were assigned to an ATM engagement in a beautiful country by the coast in Central America. Previously, I had some experience with PoS (Point of Sale) devices and had entertained myself with kiosks at hacking conferences, but had never touched an ATM before. My partner on this saga had already had some fun hacking these devices and had some valuable insights to guide us during our engagement.
In this engagement, we worked with two different vendors. The following ATM schema can be applied to both.
Even without having been able to touch/hack ATMs before, we knew for a fact that ATMs are nothing more than a simple PC with some security hardening and a big lock!
We enumerated some challenges that can be divided into four parts: Physical, Software, OS, and Network.
The physical part consists of the locks, tampers, and safe. Each vendor uses a specific manufacturer for the parts and may improve quality over the versions and updates. Sometimes the customer may update their locks without any contact with the ATM vendor, so every ATM has unique characteristics. The physical part also includes a USB or another port (e.g. Firewire) where access may allow interaction between the attacker and the machine.
The software is a critical piece of this puzzle, as it provides the interface between the user and the machine and also handles all the transactions. Of course, this includes the ATM balance and withdrawals, our main goal. The software usually works with a standard API called CEN/XFS or XFS (eXtensions for Financial Services) to deal with this kind of operation. That is very relevant information, since it can be used for compromise.
Then we have the Operating System, which can be modified in order to try to prevent unauthorized access to files and applications. There are numerous techniques for bypassing the security controls set to protect the system's internals, and this could allow malware execution. Each vendor takes its own precautions in this arena as well.
And finally, the network. While most of the applications work through encrypted traffic, it is possible to analyze the traffic to discover holes in the transmission where plain-text data can be identified. Also, as seen in this case, it represents the network security setup that protects the perimeter of the ATMs when receiving and sending data over TCP/UDP ports.
In every element of this schema, the vendor may work to deliver the most secure environment possible, and we, as testers, need to find security flaws in order to successfully exploit the devices.
While exploring the opportunities for exploitation, we set some goals for the engagement:
- HID (Human Interface Device) Attachment
- Escaping from the software "sandbox"
- Infiltrate/Exfiltrate Data
- Bypassing Application Control
- Network Control
After we bypassed the physical part and opened the ATM, the machines were all ours to control.
Once opened, the USB ports were enabled and available on both ATMs. This allowed us to plug in our HID devices and proceed with the engagement.
Escaping the Sandbox – 1st ATM Vendor
In the 1st ATM, we were unable to call any application or resources using shortcut keys, including Microsoft Help, which is "helpfully" known for breaking out of a gated system or sandbox when invoked.
Default Operator Mode Password
After discovering that the Operator Mode was protected by a default password ("000000"), we found that it was possible to change settings to allow us to jump to Microsoft Help.
We were then able to break out of the sandbox, after which we could search for "cmd" and open it.
This wasn't easy at first. I tried several applications like explorer, notepad, and others with little luck. We quickly identified that the context menus were disabled. This means that it was not possible to use the right-click to execute an application. Therefore we were unable to use the "open/save file" feature and interact with system files to open the "cmd" application.
Escaping the Sandbox – 2nd ATM Vendor
In the 2nd ATM, we could call the Help (Win+F1) after using the ALT+TAB keys to move from the ATM application to the desktop. At this point, we thought we were done and could use the same process as on the 1st ATM. But, alas, "cmd.exe" was disabled.
The context menus were enabled on the 2nd ATM vendor, so we were able to open applications like notepad.exe using Microsoft Help, but while trying to use "open/save files" we were unable to see the files on the disk, only its own directory. There was some kind of jail applied, different from the 1st ATM, where it was possible to browse all files with no restriction.
However, while looking for files with "System" as the root of the search, we could reach any file on the disks. We were still unable to execute "cmd.exe", but fortunately we could search for and run "command.com", which gave the same capability to execute commands on the system.
On the 1st ATM vendor, USB mass storage was disabled, so we used an FTP server on our local machine to transfer the files to the ATM. On the 2nd ATM vendor, USB mass storage was enabled, making it possible to plug in a USB flash drive for copying files.
We were only able to communicate with the ATM because the network access on the ATMs' motherboard was accessible; in some cases, the cable with the connector was provided as well. That allowed us to connect to and receive connections from the 1st ATM.
Bypassing Application Control
Even with the protections that can be applied in the OS, it is very common for the client to adopt additional security layers for controlling which binaries are allowed to run on the system. The application control whitelists the specific binaries that can be executed in order to prevent malicious files from running.
To bypass the application control in place on both ATMs, we used the approved binary MSBuild.exe from the .NET package together with C# code. That allowed us to run anything on the system, including a meterpreter payload.
We also used RunDLL32.exe with our own code compiled as a DLL. This code takes advantage of the XFS API for dealing with the transactions on the ATM.
The application was then used to withdraw test money from the machine, our ultimate goal!
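From the defender's side, the three things that made this bypass work are all visible in endpoint telemetry: MSBuild.exe and command.com starting on a machine that should never build or shell, rundll32.exe loading a DLL from outside the Windows directories, and something other than the ATM application talking to the XFS manager. The Python below is an added example, not code from the engagement or from either vendor. It runs those three checks over constructed, simplified Sysmon-style lines (evt=1 process creation, evt=7 image load). The log format, the ATM application path C:\ATM\app\atmapp.exe, the trusted DLL directories and msxfs.dll as the name of the XFS manager DLL are assumptions made for the example.

```python
"""Detection checks for the living-off-the-land activity described above.

Added example, not code from the engagement. Log lines are constructed,
simplified Sysmon-style records: evt=1 process creation, evt=7 image load.
"""
import re
from dataclasses import dataclass

# Binaries that should never start on a production ATM; the write-up shows
# MSBuild.exe and command.com being used to get around cmd.exe being blocked.
NEVER_ON_ATM = {"msbuild.exe", "command.com", "cmd.exe", "powershell.exe"}

# Only the ATM application should load the XFS manager. Both the application
# path and the manager DLL name (msxfs.dll) are assumptions for this example.
XFS_MANAGER_DLL = "msxfs.dll"
XFS_ALLOWED_IMAGES = {"c:\\atm\\app\\atmapp.exe"}

# Directories from which rundll32 may legitimately load a DLL (assumed).
TRUSTED_DLL_DIRS = ("c:\\windows\\", "c:\\program files\\")

# Constructed sample events; none of these come from a real ATM.
SAMPLE_LOG = r"""
evt=1 pid=412 image=C:\ATM\app\atmapp.exe parent=C:\Windows\explorer.exe cmd="atmapp.exe"
evt=1 pid=980 image=C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe parent=C:\Windows\System32\notepad.exe cmd="MSBuild.exe D:\build.csproj"
evt=1 pid=1010 image=C:\Windows\System32\rundll32.exe parent=C:\Windows\System32\command.com cmd="rundll32.exe D:\custom.dll,Run"
evt=1 pid=1020 image=C:\Windows\System32\command.com parent=C:\Windows\System32\notepad.exe cmd="command.com"
evt=7 pid=1010 image=C:\Windows\System32\rundll32.exe loaded=C:\Windows\System32\msxfs.dll
evt=7 pid=412 image=C:\ATM\app\atmapp.exe loaded=C:\Windows\System32\msxfs.dll
evt=1 pid=1100 image=C:\Windows\System32\rundll32.exe parent=C:\Windows\System32\svchost.exe cmd="rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"
"""

_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class Finding:
    pid: str
    rule: str
    detail: str


def parse_event(line):
    """Turn one key=value line into a dict; quoted values lose their quotes."""
    return {k: v.strip('"') for k, v in _KV.findall(line)}


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def rundll32_target(cmd):
    """DLL path from 'rundll32.exe <dll>,<entry> ...', or None if absent."""
    parts = cmd.split(None, 1)
    if len(parts) < 2:
        return None
    return parts[1].split(",", 1)[0].strip('"')


def analyze(log_text):
    """Apply the three checks to every event and return the findings in order."""
    findings = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        if not ev:
            continue
        image = ev.get("image", "")
        name = basename(image)
        if ev.get("evt") == "1":
            # Check 1: binaries with no legitimate role on an ATM.
            if name in NEVER_ON_ATM:
                findings.append(Finding(ev["pid"], "lolbin-exec",
                                        f"{name} started by {basename(ev.get('parent', ''))}"))
            # Check 2: rundll32 pointed at a DLL outside the trusted directories.
            if name == "rundll32.exe":
                dll = rundll32_target(ev.get("cmd", ""))
                if dll and not dll.lower().startswith(TRUSTED_DLL_DIRS):
                    findings.append(Finding(ev["pid"], "rundll32-untrusted-dll", dll))
        elif ev.get("evt") == "7":
            # Check 3: the XFS manager loaded by anything but the ATM application.
            if (basename(ev.get("loaded", "")) == XFS_MANAGER_DLL
                    and image.lower() not in XFS_ALLOWED_IMAGES):
                findings.append(Finding(ev["pid"], "xfs-from-unexpected-process", image))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"pid={f.pid} {f.rule}: {f.detail}")
```

On the sample, the ATM application's own XFS load and the svchost-spawned rundll32 of shell32.dll produce nothing, while the MSBuild start, the command.com start, the rundll32 of a DLL on D:, and rundll32 loading msxfs.dll each raise a finding. The third check is the one that would catch a DLL like the one used in the write-up even if the first two were evaded, because whatever dispenses cash has to go through the XFS manager.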
The 1st ATM was running with the default BIOS password ("*******12345"), so we could change the boot order to boot from any other portable device and inspect the installed one.
Neither ATM had disk encryption. On the 1st ATM, with the default BIOS password, it was possible to collect important files from the system, including the SAM database.
Windows 7 End-Of-Life
Both ATMs were running Windows 7 despite it having reached end-of-life, with no more security patches being issued by Microsoft.
Despite these techniques being relatively well known, we still have plenty of old/outdated/bad ATM builds running around the world. The subject still demands more attention, and during this engagement we saw some interesting things. While the 1st ATM had the context menus and USB mass storage disabled, it was running under the local administrator. The 2nd ATM disabled "cmd.exe" execution, tried to jail the user, and was running under restricted access. That made us wonder: why not apply all of the hardening techniques on one? It would make it a bit harder for us 😉