Applied Ca$h Eviction through ATM Exploitation

Conference:  Defcon 28

2020-08-01

Summary

The presentation discusses vulnerabilities in an ATM system and how an attacker can exploit them to gain control of the device.
  • The presenters built their own web server to interface with the ATM, since they had no direct way to talk to it.
  • They found that the XFS middleware used in financial devices could be exploited to execute arbitrary code on the ATM.
  • They hijacked the startup process to launch their own executable and probe the device.
  • They demonstrated how an attacker could use a vulnerability in the remote monitoring system to execute shellcode and take control of the ATM.
  • The NVRAM holds all of the ATM's settings and can be modified to point the system at a malicious server.
  • The presenters modified the NVRAM to point the ATM at a malicious payment processor running on a laptop.
The presenters showed how they executed shellcode on the ATM by exploiting a vulnerability in the remote monitoring system, and how they modified the NVRAM to point the system at a malicious payment processor on a laptop. This let them extract more money from the ATM by changing the denomination of the bills. They accomplished this using Visual Studio 2005 with various additional packages installed to get it working. Despite the challenges involved, they built an OS image from scratch using a wizard, which was an impressive feat. They also found a build of Doom for the device and got it running, but had to remove it because the system rebooted at random. Overall, the presentation highlighted the vulnerabilities of ATM systems and the importance of securing them against attack.

Abstract

ATMs are networked computers that dispense cash, so naturally they’re uniquely interesting devices to examine. We all remember ATM jackpotting from a decade ago. Unfortunately, it doesn’t look like ATM security has improved for some common models since then. We present our reverse engineering process for working with an ATM and modifying its firmware. For this, we became our own "bank" by creating software that's able to speak the obscure protocols used by ATMs. For working with the device software at a low level, we restored JTAG access, defeated code signing, and developed custom debugging tools. We then leveraged this research to discover two 0-day network-based attacks, which we will demonstrate live. The first vulnerability takes advantage of the ATM’s remote administration interface, which can lead to arbitrary code execution and total device compromise. The second vulnerability is in the OEM’s implementation of a common middleware for ATM peripherals. This allows for command injection and jackpotting of ATMs over the network. The high barrier to entry for even legally opening up one of these devices has left a lot of attack surface area unchecked. Through this talk, we want to shed light on the state of ATM security and encourage the security community to continue to challenge ATM vendors to do better.
