Sunday, August 1, 2010

Sightline Payments: ATM Hacking- Fact or Fiction?

The Sightline Payments LLC Team and IT group are working with industry resources to determine “fact or fiction” in this identified hacking scheme. Sightline uses enterprise-level NCR ATM3X devices, which do not run Windows CE (the operating system on which the vulnerability has been shown to occur). Sightline uses the latest proprietary PCI tools, firewalls, and secure telecommunications to detect and stop these types of hacking events.

In the gaming industry, Windows CE based systems are used on certain ticket redemption and ATM devices (confirm with your provider).

An article in ZDNet discussed this in more detail.

Using home-brewed software tools and exploiting a gaping security hole in the authentication mechanism used to update the firmware on automated teller machines (ATMs), a security researcher hacked into ATMs made by Triton and Tranax and planted a rootkit that dispensed cash on demand. Barnaby Jack, Director of Research at IOActive Labs, used a laptop with a custom-built software tool called “Dillinger” (named after the famous bank robber) to overwrite the machine’s internal operating system, take complete control of the ATM and send commands for it to spew cash on demand.

At the Black Hat security conference in Las Vegas, Jack demonstrated two different attacks against Windows CE-based ATMs — a physical attack using a master key purchased on the Web and a USB stick to overwrite the machine’s firmware; and a remote attack that exploited a flaw in the way ATMs authenticate firmware upgrades.

He did not provide any technical details that would allow anyone to reproduce the attack techniques but suggested that a skilled hacker could exploit these weaknesses if ATM manufacturers continue to create software with gaping security holes.

“There are attack vectors in all these standalone or hole-in-the-wall ATMs,” Jack warned, noting that many ATMs are protected by a master key that can be bought for $10.78 on hundreds of web sites. “With this master key, I can walk up to a secluded ATM and have access to USB [and] SD/CF slots. In some cases, opening and inserting my USB key was faster than installing a skimmer,” he said.

The most impressive attack, which used the “Dillinger” remote ATM attack/admin tool, was done via a laptop connected to the ATM. It launched an exploit against an authentication bypass vulnerability in the ATM’s remote monitoring feature (this is enabled by default on all ATMs) and allowed the hacker to retrieve ATM settings, master passwords, receipt data and the location and name of the business hosting the ATM.

The Dillinger tool came with a graphical UI that included features to “Retrieve Track Data,” or simply “Jackpot!”. A click of the Jackpot button and the commandeered ATM started spewing cash on demand.

The “Black Hat” computer security conference has been held annually since 1997. Its attendee list includes government representatives, FBI agents, computer hackers and other computer experts. The 2010 Black Hat Conference was just held in Las Vegas. One speaker, Barnaby Jack, gave a presentation pertinent to the ATM industry. His topic: “Jackpotting Automated Teller Machines.” In his demonstration, he took a detour from the commonly known ATM hacks (skimming devices or smash and grabs). Barnaby was able to make the terminal spew out currency by attacking the terminal’s software.

Updating the gaming industry on issues like this to protect their business is one more example of how Sightline Payments is on your side.

Regards, The Sightline Payments LLC Team: Kirk Sanford, Tom Sears, and Diran Kludjian


Anonymous said...

As a casino IT director I was forwarded your newsletter today from our CEO. We are not always aware of the third-party cash access vendors' systems since they are outsourced, but whether it is "fact or fiction", being made aware of risks like this is very important. Thanks Sightline, I encourage you to continue to send informative information like this. Ron S.

Rohan said...

I agree with the previous post. This is good information to know, more so on redemption machines, where it is our money filling the machines.

Fran said...

Does anybody know what TITO kiosk providers may be at risk?

Akash said...

Maybe I am missing the obvious here. Aren't the USB ports behind a locked cabinet or vault on the ATMs? If the hacker is able to access that area, aren't they already in a position to take the cash out of the dispensers?

John said...

Many of the ATMs and redemption machines have standard keys that allow access to the non-cash vault areas for repairs etc., which is where the hard drives and ports are located.

Coach Jack said...

This scheme is something to think about and not to discount the importance, but that type of activity is a lot more likely in a remote ATM situation, not a casino with cameras and security 24/7. Who has a solution to detect when the wrong bill denominations are put in the cassettes by employees and it dispenses $100s and not $20s? Mostly explained as a mistake, but who knows; the damage is done.