Black Box is Dead. Long Live Black Box!

Conference: BlackHat USA 2018

The presentation discusses the vulnerabilities of ATMs and the types of physical and logical attacks that can be used to exploit them. It also explores the interfaces used to connect dispensers to PCs and the security risks associated with them.
  • ATMs are vulnerable to physical and logical attacks
  • Physical attacks include brute force attacks and resonant attacks
  • Logical attacks include malware attacks and black box attacks
  • Different interfaces are used to connect dispensers to PCs, including RS-232, SDC bus, and USB
  • USB is the most common and complex interface, with a lot of abstractions and the need for a hardware sniffer to see data at a low level
The presentation gives a specific example of a black box attack, which involves extra hardware devices connected to the hardware bus. The device is called a black box and can be used to withdraw cash from the ATM. This type of attack requires low-level protocols and knowledge of the ATM's power, and does not depend on processing center operation systems or other software.


The number of logic attacks on ATMs continues to rise. Some of them involve a "black box," a device that is physically connected to the cash dispenser and sends commands to push out cash. Within five years of the first known black box attacks (starting from 2012), almost all new ATMs started encrypting commands to the dispenser as a precautionary measure. The research community attempted to investigate the security of the implemented encryption and even obtained positive results (such results were described by Positive Technologies researchers). Criminals concentrated their efforts on easier targets, since unprotected ATMs remained plentiful. However, this situation changed rapidly in the fall of 2017 when criminals began to employ attacks on the "secure" dispenser interface. The current state of security is discouraging: we analyzed four commercially available dispensers from major vendors and successfully withdrew cash from all of them. So despite all the efforts, ATM security is still little better than in 2012.