Hackers Are Emptying ATMs with a Single Drilled Hole and $15 Worth of Gear (wired.com)
166 points by nols on April 3, 2017 | 79 comments


My first job was being a field technician for a bank automation supplier.

We had a "test" card that could be inserted into the EPROM socket. This small card was almost the same size as the original chip but had a few buttons that allowed us to make the mechanism deliver notes in order to fine tune it.

In a particular ATM design used by major banks in Brazil, this location was accessible by removing a front panel, although you would have to be kind of a contortionist in order to plug it in.

Why we can find whole ATMs at junkyards is beyond me: there are many easy to spot flaws. They should grind everything when decommissioning this kind of equipment.


> Why we can find whole ATMs at junkyards is beyond me: there are many easy to spot flaws.

If there are many easy to spot flaws, I don't think finding them in a junkyard is the root of the problem here. This is good old security by obscurity.

As Bruce Schneier says (at least about safes), you should be able to publish the blueprints and source code for the machines, then maybe they'll be secure. There should be enough physical security to ensure an attack will take longer to perform than the response time of the authorities. Any components which are vulnerable to physical attack need the same level of physical protection as the cash that's being protected.

Until this happens, 'hackers' (thieves) are going to keep finding flaws and exploiting them.


It's a false dichotomy. Your private keys are just "obscure" information that requires some effort to find too. And security protocols can be designed so the keys aren't enough.

At the end of the day it's an arms race, and you're just trying to slow attackers down.


Your secrets need to be small, easily changed things (keys, passwords). Not large, difficult to change things like protocols.

That's the point behind rejecting 'security by obscurity', so I can't see any dichotomy between the two.


Well, they're provably secure for some (mind-bogglingly massive) search space.

Security by obscurity tends to refer to measures which can be broken once, and thereafter opened trivially. It sounds like the article is about one of these trivial openings.

Everything can be broken; the goal is to move it or arrest them before they can get in, physically or virtually. It just so happens that, virtually, the time required to brute force it can, at times, be on heat-death-of-the-universe scales. Safes tend to rely on men with guns following soon after alarms trigger.


Obtaining most keys doesn't require mind-bogglingly massive searches.


Well, it might not. Can you clue me in to the specific scenario you're thinking about?

Input rate limiting + known key size should provide a concrete search space.


Physically obtaining them through malware, viruses, bugs, backdoors, social engineering, coercion (physical threats, blackmail, application of force), tapping, physical spying, etc.


> It's a false dichotomy.

What part of the parent are you responding to here?

> Your private keys are just "obscure" information that requires some effort to find too.

I think this is highly misleading. There is nothing "just" or "some" about it. Your private keys are "obscured" information that requires a (mostly) specific and quantifiably very large amount of effort to find, and which if it were to become exposed, can be changed without requiring any new design to restore security.

Blueprints and wiring diagrams are "barely if at all obscured" information that requires vague, hard-to-quantify, and often trivially little amount of effort to find, and if exposed, can't be easily changed without requiring entirely new designs, manufacturing, and engineering.


How do you quantify the probability someone will gain unauthorized access to your office?

How do you quantify the probability they have a rootkit for your machine?


Well, that's why I said "mostly". The thing I need to protect, the key, is a very specific piece of data, which is used for one specific purpose, and I can take specific measures to prevent that secret from leaking. Everything from not writing it down, to key-sharing, to physical lock boxes with multiple locks, to offline-only storage, etc. It's much harder to do any of that with blueprints, since blueprints have competing needs -- they are no good if locked in a box most of the time.


I think you're misusing the word "obscure" here. Private keys are not obscure, they're private. You can steal them but you can hardly reverse-engineer them. Finding how a specific model of ATM works is an obscure piece of information but it's not private: people who sell, buy, repair, maintain, and design this ATM have this piece of information. Given enough will and effort one can reverse engineer this information from the ATM itself.


> There should be enough physical security to ensure an attack will take longer to perform than the response time of the authorities.

Replace 'physical' with 'cryptographic' and 'authority response time' with 'reasonable amount of time'. It's literally the same thing.


There is a fundamental difference between obscure and secret. Private keys are secret.


Don't you think there's a fundamental equivalence too?


I agree. At a certain level, all security relies on obscurity.


I beg to differ, security by obscurity only gives a false sense of security and hats have all kinds of colors.

Serge Humpich[1] worked with decommissioned ATMs, and found and exposed a vulnerability allowing cash to be withdrawn with a card not linked to a bank account. Of course, instead of listening and fixing the issue, the banks tricked him and sued him, which gave rise to the yescard and forced the banks to patch up their security and replace ATMs. But hey, banks can't make the right choice all the time, can they?

[1]: https://www.everything2.com/title/Serge+Humpich


> They found that the machine’s only encryption was a weak XOR cipher they were able to easily break, and that there was no real authentication between the machine’s modules.

This reminds me of many, many years ago when some guy in a bimmer forum figured out BMW's iDrive music file formats (BR3/BR4/BR5) were simply DRM'd via XOR.[1] I was able to verify it via a simple script. Kudos to the reverse engineering masters!

[1]: http://www.e90post.com/forums/showthread.php?t=279294#5


XOR is rather easy to spot, you just XOR each byte with the bytes N positions downstream, and at the N for which the distribution of bytes changes dramatically, you've found the key's period. Finding the key is also not hard if you suspect that the file is a known format (and thus will have a known structure at some places).
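The period-finding trick described above, written out as an added example (it is not code from the thread, from the article, or from any BMW or ATM software): a constructed repeating-key XOR mask, the shift-and-compare search for the key period, and key recovery from a known header. The key, the header text and the sample data are all constructed for this example.

```python
"""Spot and strip a repeating-key XOR mask (constructed example)."""
from itertools import cycle


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same call masks and unmasks."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def shift_zero_ratio(data: bytes, n: int) -> float:
    """Fraction of positions where data[i] ^ data[i + n] == 0.

    A shift by a multiple of the key period cancels the key, leaving
    plaintext ^ plaintext, which is zero (two equal characters) far more
    often than a stream that is still keyed.
    """
    pairs = len(data) - n
    return sum(1 for i in range(pairs) if data[i] ^ data[i + n] == 0) / pairs


def find_period(data: bytes, max_period: int = 24) -> int:
    """Smallest shift at which the zero ratio jumps: the key period."""
    scores = {n: shift_zero_ratio(data, n) for n in range(1, max_period + 1)}
    best = max(scores, key=scores.get)
    # Every multiple of the period scores about the same, so walk the
    # divisors of the best shift and keep the first one that shows the jump.
    for d in range(1, best + 1):
        if best % d == 0 and scores[d] >= 0.4 * scores[best]:
            return d
    return best


def recover_key(ct: bytes, period: int, known_prefix: bytes) -> bytes:
    """Key bytes from a known plaintext prefix, e.g. a fixed file header."""
    key = [None] * period
    for i, p in enumerate(known_prefix):
        k = ct[i] ^ p
        if key[i % period] is None:
            key[i % period] = k
        elif key[i % period] != k:
            raise ValueError(f"known prefix contradicts key at offset {i}")
    if None in key:
        raise ValueError("known prefix is shorter than the key period")
    return bytes(key)


# Constructed sample: a text with a fixed header, masked by a 5-byte key.
SAMPLE_KEY = b"K3y!Z"
SAMPLE_PREFIX = b"Title: "
SAMPLE_PLAINTEXT = SAMPLE_PREFIX + (
    b"constructed sample text\n"
    b"This paragraph stands in for a media file whose only protection is a "
    b"repeating XOR mask. The header above is the known structure an analyst "
    b"expects at a fixed offset. Because the key repeats every few bytes, "
    b"shifting the masked bytes against themselves by the key length cancels "
    b"the key entirely, and the remaining stream of plaintext XOR plaintext is "
    b"full of zero bytes wherever two characters coincide. That coincidence "
    b"rate is what exposes the period; the header then yields the key bytes "
    b"one position at a time, and the whole file unmasks with a single pass."
)
SAMPLE_CIPHERTEXT = xor_bytes(SAMPLE_PLAINTEXT, SAMPLE_KEY)


def unmask(ct: bytes, known_prefix: bytes):
    """Full pipeline on a masked blob: (period, key, plaintext)."""
    period = find_period(ct)
    key = recover_key(ct, period, known_prefix)
    return period, key, xor_bytes(ct, key)


if __name__ == "__main__":
    period, key, pt = unmask(SAMPLE_CIPHERTEXT, SAMPLE_PREFIX)
    print(f"period={period} key={key!r} plaintext starts {pt[:24]!r}")
```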


In the world of chip cards, it's not uncommon to think XOR is a secure encryption scheme for some reason, historical maybe or more probably cost related, I don't know.

Though I remember even worse, when a chip card's encryption was found not cost effective enough to be enabled and security on the card was limited to encoding[1]. Too bad it was a government issued healthcare card, which led a minister to argue that using ASCII and binary was efficient in securing the data. Meanwhile the GIE (Economic Interest Group) in charge of the chip tricked the whistleblower into demonstrating the vulnerability and sued him for having done so. Fun times!

[1]: http://bigbrotherawards.eu.org/Jerome-Cretaux-et-Patrick-Gue...


I found it curious that the very person who mentioned it being XOR had only one single post in that forum.


That info originated from a German bimmer forum, it seems.


I'm not terribly shocked.

Most communication happens over serial, SPI, or I2C buses. If it's cars, CAN.

And if you can plug in a wire somewhere, you can damage or pwn it. Most things don't have security, other than software security and physical locks. And even when there are other types of security, like crypto keys and such, physical wires can usually bypass even those.

If they wanted something that was secure, they could do that glass mesh thing the ORWL does, and have some sort of black dye pack on the money that explodes everywhere. Go for "we ruin so you can't have". But then again, I could see criminals getting pissed off and taking a hammer to it primarily to ruin their money, and cause customer consternation.


I could see a more effective solution being embedded chassis intrusion meshes.

Disrupting the meshes in any way (e.g. drilling) would result in three actions.

  1) Electronic erase MOST programmable memory in the machine. (Brick it)
  2) Engage something akin to an EMO (Emergency Machine Off)
  3) If an uplink of some sort exists, broadcast repeatedly on it that such an event occurred and the current uptime.


I mean, there's chips that have that in their top metal layers, and there's still crazy people out there with electron microscopes and tiny pins that subvert them.

https://web-beta.archive.org/web/20111124050620/http://www.f...

I wouldn't be surprised if increased physical security on ATMs isn't worth the practical difference in losses.


Sure, someone COULD do that, but how long and how fiddly is that process? How big of a risk is there of disrupting internal components?

What if you sandwich the sensitive layer as a thin mesh encased in weak resin between two metal plates?

The point of security isn't absolute, but to ruin the risk + effort vs reward balance.


Easier than fitting a mesh would be an internal vibration sensor/microphone tuned to detect drilling/sawing.


That's way easier to trigger a false positive on... Not that my mesh idea doesn't need fine tuning as well.

The drilling idea I could see someone just walking by with a very loud power tools song... watch the ATM brick in the face of their first amendment freedom of expression.


I wonder how many older models of ATMs are still in service and what the process for "updating" them would be like, or perhaps that it wouldn't be realistic at all. I see a lot of small family-owned corner stores with very old machines.


I don't think there is a process for updating them, other than in the interest of adding new features or when they break. Recently I saw a green-screen CRT ATM in use by a bank in the UK. Maybe the internals have been updated, but it seems unlikely that they would change that and not the screen.


>Computer security experts have long warned that no computer should be considered secure if an attacker takes physical control of it.

I think the lack of physical security is more surprising than the lack of electronic security. A three-inch hole is pretty big, all things considered. I have to imagine that ATMs are designed to resist drilling three inch holes through to the money or the dispenser mechanism. Why isn't the computer protected to similar degree?


>Why isn't the computer protected to similar degree?

It was cheaper not to.


I can confirm this. I used to work for a major ATM supplier and this was the answer I got every time I asked bank personnel about the lack of physical security. They would compute the average loss from burglarized ATMs against the cost to install and maintain better alarm systems and decide against it.


I'm guessing there may be some cooling issues to solve as well.


"I have to imagine that ATMs are designed to resist drilling three inch holes through to the money or the dispenser mechanism"

I would use a hole saw (https://en.wikipedia.org/wiki/Hole_saw), and would think it fairly hard to protect a large enclosure against that. Locally strengthening the enclosure might be enough, but chances are thieves would start drilling around it to remove a larger patch or start employing an endoscope to connect something to the serial port.

Hardware-wise, it probably is easier to glue the connector shut, giving up on using the diagnostic port.


I know what a hole saw is. The thing is you aren't going to be cutting through hardened steel with a normal hole saw, assuming the cash box is metal. They could probably have made the enclosure for the cash 8 inches taller and put the computer inside of that, and routed the cables for the modem, the pin pad and the screen through

Making a hole in hardened steel is not easy. If you use a hole saw, it will either need to have diamond abrasive, or you will need carbide bits. If you don't use a hole saw, you are going to be using an angle grinder or a plasma torch.

Getting in fast will either generate a ton of heat or a ton of noise, or both. Plus, carbide and diamond tools are super expensive. Angle grinders, not as much, but I'd notice someone with a 3 foot trail of sparks behind them before I'd notice someone running a drill at a few hundred rpm.

Anyways, I do think they probably used a hole saw, which leads me to believe the computer was located behind some combination of aluminum/plastic/ordinary steel. Which is pretty ridiculous.


It is pretty surprising that the computer board/diagnostic ports are not inside the "armored" part of the machine, if that is indeed the case.


> It is pretty surprising that the computer board/diagnostic ports are not inside the "armored" part of the machine

Well humans have to interact with the machine somehow. You can't exactly prevent physical access to the keypad, and from the nature of this attack, thieves could just hack out the pin pad to connect to the internal bus.

It would be noticed much more quickly, but they'd still be away with the cash.


Well that's part of the point. The wire carrying that particular bus should be entirely inside the box.


"Plus, carbide and diamond tools are super expensive."

I don't know what those tools cost, but I do know that, in the Netherlands, "open my bike lock as a service" is a thing, and they will do that, using a battery-operated grinder, in 30 seconds or so, for €15 (http://www.fietssleutelkwijt.nl/bike-lock-cutting-service.ht...), including traveling to wherever your bike is.

=> Education welcome, but I doubt tooling will be prohibitively expensive for this task, which brings in thousands of dollars.


I am currently designing food machines, which have security concerns equal to financial machines in some senses (you don't want people to get poisoned through environmental contaminants, malicious reprogramming, etc.).

The article claims there is essentially no authentication between disparate modules, only simple XOR encryption. That seems a clear fail.

In my experience, ATM control boards (I was literally at a factory in China for these a few weeks ago) tend to be custom PCBs but there is a move towards genericization. Presumably because their designs tend to date from bygone eras, they do not use software-based approaches in favor of hardware and security through obscurity. Perhaps it is time for a software-oriented modular ATM redesign project with an emphasis on modern internal security? Anyone want to collaborate? Serious question. (I have an existing ATM component factory group potentially on side already.)

Second, to 'notice' the independent activity of any given module, power draw should be easy to detect. Again, the lack of such a feature probably harks back to a bygone-era hardware-oriented design psychology.


Where do you draw the line between poisoning people, and vending them unhealthy fatty sugary junk food?


Everything we sell will be made to order from fresh ingredients. Sugar is only traditionally used in a few noodle cuisines (eg. Thai) and customers can opt out of any ingredient they wish. Likewise significant lipids are really only present in meats, oils, cheeses and coconut milk. Again, Thai is a strong contender. Calorie counting is transparently supported for those who want to do the numbers. Launching in Asia, for Asia, nothing we sell will likely come close in calories to an average US serving of anything.


Ah, brings back sweet memories of Terminator, for real now! IIRC in the movie Connor used some portable Atari with a cable attached to a credit card to hack an ATM to spit out money.


How much cash is in a fully stocked ATM? 10k, 25k, 50k, 100K?


From a 2013 reddit AMA: "Each ATM is different. We do 12,500, but have ones with metal cases that reach 26k."

From a 2010 Time article: "The average size machine can hold as much as $200,000, though few do. In off hours, most machines contain less than $10,000."

In the article they cite a Philadelphia theft case where a single stolen machine held $96,000.


As others replied, it varies.

In Japan, an ATM inside a bank might hold up to 40 million yen (≅ USD 350k) while an external one might have up to 30 million (≅ USD 270k).

Japan's a fairly safe country but there have been many cases of ATMs getting stolen too. Power shovel seems to be the method of choice.


The ones I've commonly seen in .AU, 20k for the thin service station ones and 40+k for the bigger mounted ones.


The Firefighters' Guild has been formed and dissolved repeatedly throughout the history of Ankh-Morpork. Usually formed in response to fires which cause significant damage to large parts of the city, the guild is usually dissolved in response to... er, fires which cause significant damage to large parts of the city. The Guild suffers from the undying capitalist spirit of Ankh-Morpork, as those men who are paid per-fire extinguished eventually begin to guarantee a regular supply of fires to be put out (see also Inn-Sewer-Ants). This has led to the frequent destruction of large portions of the city and ultimately to the Guild's being banned.

Seems we need lots of new ATMs, lots of them. And then prayer, for the fire-fighter-guild to not run out of money.


I see these kinds of stories floating around from time to time, and I wonder how much money is lifted each year from banks this way. It seems to not be significant enough for banks to be proactive about the issue.


Is there a tutorial on Instructables or YouTube about how to do this?


Not as elegant as Barnaby Jack, but just as effective.


Seems like an implementation of that XKCD comic on encryption security: https://xkcd.com/538/


To be fair, drilling a 3 inch hole in a modern ATM is no easy task. We are talking about high-grade steel, a layer of fiberglass, etc. Hence "portable power drill" is a bit misleading.


Maybe some of them are. I've also found some that are crap.

I have a tendency to pull on things like ATM covers, credit card slots, and the like. And that's because we have lots of skimmers that are found at local gas stations and places around here (big college presence).

So far, I've found an opened gasoline pump door. I called the attendant and went to a different pump (attendants didn't have keys for that....).

I've also found an ATM that was partially locked and came open when I gave it a tug. I called our bank's security after that one.

I also found a skimmer on a gas pump as well. It had a fishy look to it and I gave it a tug. Pop. It was just a simple card reader and cam module in one. I harvested the parts and put the microSD card through a good format.


This worries me, especially given some locations take your card and swipe it for you. I'm going to be checking these types of things more closely from now on... It is kind of sad, how difficult it is to educate the public on scams such as these.


Where do you live?


Location surprisingly has less to do with the possibility of it happening than one might think. There was a huge scam in Silicon Valley with card readers stuck inside of gas pumps so they were undetectable, that started five years ago. http://sanfrancisco.cbslocal.com/2014/02/21/six-arrested-for...


Bloomington, IN.


Heh, after your second paragraph I thought, "that sounds like here", then got down to this comment and realized it is (also in Bloomington).


Maybe we should do a HN meetup, Bloomington IN style :)

Or you can come on over to our hackerspace, Bloominglabs. We have open houses every Wednesday from 7-10P, no matter what day that falls on :)


I'm on the -announce list so I get the occasional e-mail but, TBH, there really isn't much that interests me. I haven't been to the place on Rogers but I did visit the previous place (off Curry Pike) several times (I started a class there but "dropped out" after a few weeks due to work/travel).

Perhaps I'll drop by the new place some time, though.


Both thieves and Kaspersky have demonstrated a portable drill works in the real world. "Misleading" you say?


Hard to tell what's actually inside them, but these sorts of ATMs don't look very intimidating:

http://www.edmontonatm.com/images/rl1600.jpg


I own one of these. It's inside a building that would be closed when no staff were around, and it doesn't ever contain enough money to be worth it to most people.

I wouldn't leave that thing at an outside location with enough money in it to hurt me, unless the robberies were insured or so seldom as to be considered a cost of doing business.


That type of ATM is normally found in a hotel lobby or convenience store. Not the sort of place where you could expect to drill into it unnoticed.


I guess you never watched Breaking Bad. Those things can kill you!


Where they are drilling, next to the keypad, is usually some kind of thin sheet metal or plastic or a combination. The 'top' part of the ATM (which houses the PC running it, the cables and a bunch of other electronics) is usually extremely insecure (wafer locks you can pick, flimsy construction).

The hardened part of the ATM is only the safe (which, by design, actually has several large holes in it as well). You won't be casually drilling through the safe with a hole-saw or other portable equipment without spending a considerable amount of time.


I think you may underestimate the capabilities of a portable drill.

https://www.youtube.com/watch?v=Xyq7xBUhsAo

Hell, depending on the gauge you could probably carve out a 3" hole with a dremel tool and a diamond bit in a reasonable amount of time.


Enthusiast safe tech here.

You cannot casually drill a safe. Not talking about your hardware store variety of safe, or a 'fireproof safe'. But a legit safe like you'd find in an ATM has a number of countermeasures to ensure that it's not possible to drill the safe in a short amount of time.

Mixed into the steel is usually a number of drill-bit-breaking things like hardened ceramic/steel ball bearings, odd shaped chunks of metal, and plastics which all react differently to different attacks, in order to ensure that one attack does not compromise the door and that it's near-impossible to do quickly. Bigger safes employ fancy mixtures of concrete and metal to resist even more aggressive attacks like thermal lancing etc. by turning the whole door/wall into a giant heat-sink.

Safes are really cool.


I can understand how it's possible to design quite strong small safes. But what about big bank safes? Are the same design techniques used?

If not, why bother going through the front door? Isn't that door mostly for show? Aren't the other five sides mostly concrete and rebar? Isn't that easier to go through? Or do big safes really have thick steel on all six sides?


Depends on design and cost. You're thinking of a vault. Vaults have a solid door (as described above) and essentially it's layers of security. The other 5 sides sometimes are the weakest point, but will still take significant amounts of time to penetrate on any properly designed vault.

No point in putting an extremely expensive vault door in a room that's got just concrete and re-bar.

The other thing is to make it harder to access those other walls as opposed to the front where you can walk up to it.


there's no comparing brick with composite/hard plate steel


Drilling through the generic zinc pot metal that everything that can't be made of plastic seems to be made of nowadays could leave one with a wildly inaccurate idea of how difficult it is to drill in hardened steel.


Sure there is. It's simple. If there are abrasives and cutting tools hard enough to drill rock, they will also carve through whatever steel alloy you care to bring to the party. Admittedly brick isn't the optimal choice for demonstrating my point but I can't find my favorite video of this guy drilling a sink drain out of a solid granite boulder so... Also, we are talking about ATM housings, not the internal cash box. You really think they're constructed out of unobtanium?


It's not fast but it's possible to cut steel too with cordless drill: https://www.youtube.com/watch?v=aj12WdVhOCc


Took him 8 minutes on what's probably mild steel. A high security enclosure might use something like hardened cast vanadium steel with carbide chips. You'll go through a sack of those drill bits even going through half an inch.


It's not misleading at all. My portable power drills can injure you if you aren't careful. They are very powerful. Fiberglass is like butter to a hole saw. A carbide tipped hole saw can cut high grade steel, including stainless. It might not make many holes, but you only need it to make one.


But it cannot cut an old, dirty, high carbon cast pipe ;) An angle grinder with a universal cutting wheel can, but those are so loud that it would be better than an alarm, though personally, I'd just fill up the ATM with a little propane and let the sparks do the rest, as an anti-theft measure...



