Mixed Tape

By Adam Cecchetti

The greatest trick a computer ever pulled was convincing you it was only one computer.

This recent Wired article describes how clever thieves managed to drill a small hole in an ATM to cause it to dispense money.

Not so long ago, enterprising thieves who wanted to steal the entire contents of an ATM had to blow it up. Today, a more discreet sort of cash-machine burglar can walk away with an ATM's stash and leave behind only a tell-tale three-inch hole in its front panel.[1]

You might be wondering: How is this possible?

When people use an ATM, they usually think of it as a standalone box.

However, to build an ATM, first you have to build a communications network or the Internet. Then you have to make all the right pieces talk to each other.

An ATM works like this:

1. The ATM reads your ATM card and asks for your PIN to verify your identity.

2. The ATM uses the card information to make requests to your account via the bank's network.

3. To talk to the server that keeps track of your account, the bank's network may use the Internet, a telephone network, a cellular network, or even a satellite connection if you are in a remote location.

4. Once the ATM has received approval from the bank's servers, it dispenses your cash for a night out on the town.

But how does the cash come out?

ATMs have a mechanism called the cash cassette that generally holds around 1000-2200 notes. Each ATM typically has two to four cassettes. The cassette itself sits inside a cash dispenser which counts and then dispenses the notes to you. This mechanism is operated by a tiny computer inside of it that controls the motors, monitors how much cash is left in the cassettes, and keeps track of what denomination is in each cassette.

For you to be able to instantly access the money in your bank account, all these computers have to talk with each other. The ATM communicates with the bank servers, PIN pad, monitor, and cash dispenser, which then talks to the cash cassettes.

What if you could skip the ATM interface and talk directly to the dispenser or the cassettes? That's exactly what these thieves did. By drilling a hole into the ATM, they were able to access the ATM's bus and interface with the dispenser and cassettes directly. By executing the proper commands for the ATM's communications protocol, they told it to dump the cash, skipping the bank, ATM, and overdraft fees.

How can we prevent this? The company that made the cassettes had applied simple XOR obfuscation to the commands the ATM sends to the dispenser, incorrectly betting that the physical security of the ATM would prevent this from happening.

But there are better ways.

Adding strong encryption, authentication, identification, and authorization to the messages between the ATM and dispenser is a good first step. Upgrading older ATMs to handle this encryption has some logistical issues, but it properly protects ATMs against more traditional attack methods.
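To make the difference between obfuscation and authentication concrete, here is an added example (not code from the article or from any ATM vendor) in which a dispenser-side check verifies an HMAC-SHA256 tag and a message counter, next to a legacy check that only reverses an XOR pad. The frame layout, the `D` opcode, the keys and all function names are assumptions made for illustration, and the example covers authenticity and replay protection only, not encryption.

```python
import hashlib
import hmac
import struct

# Constructed values for illustration only; keys, opcode and layout are assumptions.
XOR_PAD = b"\x5a\xa5\x3c\xc3"
MAC_KEY = bytes(range(32))
TAG_LEN = 32

def xor_obfuscate(data, pad=XOR_PAD):
    """Legacy-style obfuscation: the same call encodes and decodes."""
    return bytes(b ^ pad[i % len(pad)] for i, b in enumerate(data))

def legacy_accept(frame):
    """Hypothetical legacy dispenser: de-obfuscate, check the opcode, obey."""
    cmd = xor_obfuscate(frame)
    return cmd if cmd[:1] == b"D" else None

def seal(counter, command, key=MAC_KEY):
    """Frame = 8-byte big-endian counter || command || HMAC-SHA256 over both."""
    body = struct.pack(">Q", counter) + command
    return body + hmac.new(key, body, hashlib.sha256).digest()

class Dispenser:
    """Hypothetical dispenser-side check: authenticity, then freshness."""
    def __init__(self, key=MAC_KEY):
        self.key, self.last_counter = key, 0

    def accept(self, frame):
        if len(frame) <= 8 + TAG_LEN:
            return None                       # too short to hold a command
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None                       # modified or forged on the bus
        counter = struct.unpack(">Q", body[:8])[0]
        if counter <= self.last_counter:
            return None                       # replayed or stale frame
        self.last_counter = counter
        return body[8:]

def flip(frame, index, mask):
    """Test helper: simulate one byte being altered in transit."""
    out = bytearray(frame)
    out[index] ^= mask
    return bytes(out)

if __name__ == "__main__":
    cmd = b"D\x01\x05"                        # constructed: opcode, cassette, count
    print(legacy_accept(flip(xor_obfuscate(cmd), 2, 0x2D)))   # altered, still obeyed
    print(Dispenser().accept(flip(seal(1, cmd), 10, 0x2D)))   # altered, rejected
```

The legacy path obeys a frame whose count byte was changed in transit because nothing binds the command to a key holder, while the authenticated path drops both the altered frame and a repeated copy of a valid one.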

Preventing physical access to the ATM's bus network is another practical step to prevent this recent form of exploitation. Doing this would force thieves to drill through the cassettes, increasing the time and complexity required to pull off a physical attack on an ATM.

However, even with strong command encryption and difficult-to-access wires, at some point one of the CPUs on the dispenser tells the motor to move and bills come out the front as a result. In theory, if you can clip to the power line that drives the motors, you can send 12-48 volts DC and it will cause the motor to spin, which might be enough to have a few bills move. This takes the computers out of the picture altogether.

Ask yourself how you might attack the ATM and its components. Then ask yourself what mitigations might thwart those actions.

Understanding that no computer stands alone in 2017 is critical to securing any modern system. Every computer, even if it appears to be standalone, is networked. And every system is sure to have vulnerabilities that weren't anticipated.

[1] https://www.wired.com/2017/04/hackers-emptying-atms-drill-15-worth-gear/