ATM hackers tap the power of the USB

News by Steve Gold

Hackers combine physical and electronic attack vectors to get access to hard cash.

Hackers have reportedly learned where the USB socket sits on an ATM's system board, drilled through the machine's fascia at that spot and plugged in a USB flash drive carrying their own custom malware, giving them electronic control over the note cassettes inside the cash dispenser.

According to the BBC, researchers at the 30th Chaos Communication Congress (30C3) in Germany revealed that hackers had started cutting holes in ATM fascias back in July, inserting their USB stick, loading the malware, then repairing the damage and making sizeable withdrawals using the ATM keypad.

Most ATMs, even today, run embedded versions of Windows, SC Magazine UK notes, and many are serviced and updated by loading software from a USB stick. The same path a technician uses to install an update is the one the attackers used to install their malware.

Unconfirmed reports of hackers obtaining ATM schematics and software have circulated for several years. The late security researcher Barnaby Jack demonstrated his 'ATM jackpotting' techniques at Black Hat USA in 2010, and ATM vendors have reportedly locked down their machines in several ways since then, most notably by blocking keypad access to anything other than the regular customer functions.

By reaching a USB socket on the cash machine's system board, however, the hackers appear to have sidestepped these precautions. Downloading ATM schematics, meanwhile, is easy via a Google search once you know the unit's model number.

Reports of cash cassettes being loaded incorrectly have appeared over the years. Last February, a rash of mistakes at Spanish bank ATMs led to the coining of the term 'the ATM of happiness', as card users were able to draw €50 notes in place of smaller denominations.

And last November, ABC News posted a story about a Californian ATM dispensing US$50 bills instead of US$20 notes.

According to the Chaos Computer Club researchers, the European ATM hack was only discovered after the bank spotted that cash was being withdrawn without a card being used. Further investigation then revealed the physical damage to the machine and the USB-delivered code.
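The check that exposed the attack, as the article tells it, was a simple reconciliation: cash left the dispenser with no card transaction to account for it. The following is an added example, not code from the article or from any ATM vendor or bank. It runs that reconciliation over a constructed, simplified ATM journal; the journal format, event names (CARD_READ, AUTH_OK, DISPENSE), the 60-second authorisation window and the ATM identifier are all assumptions made for the illustration.

```python
"""Flag dispense events that cannot be tied to a card-authorised transaction.

Added example, not code from the SC Magazine article or any ATM vendor.
The journal format and event codes below are constructed for illustration.
"""
from datetime import datetime, timedelta

# Constructed sample journal for one machine on one day (assumed format):
# <ISO timestamp> <atm id> <event> <key=value ...>
SAMPLE_JOURNAL = """\
2013-07-04T09:12:01 ATM-017 CARD_READ pan=****1234
2013-07-04T09:12:09 ATM-017 AUTH_OK txn=A1 amount=100
2013-07-04T09:12:12 ATM-017 DISPENSE txn=A1 amount=100
2013-07-04T13:40:00 ATM-017 DISPENSE txn=- amount=2000
2013-07-04T13:40:45 ATM-017 DISPENSE txn=- amount=2000
2013-07-04T14:02:30 ATM-017 CARD_READ pan=****9876
2013-07-04T14:02:38 ATM-017 AUTH_OK txn=A2 amount=50
2013-07-04T14:02:41 ATM-017 DISPENSE txn=A2 amount=50
"""

# Assumption: a legitimate dispense follows its authorisation within a minute.
AUTH_WINDOW = timedelta(seconds=60)


def parse_line(line):
    """Split one journal line into a dict of timestamp, atm, event and key=value fields."""
    ts, atm, event, detail = line.split(" ", 3)
    fields = dict(kv.split("=", 1) for kv in detail.split())
    return {"ts": datetime.fromisoformat(ts), "atm": atm, "event": event, **fields}


def find_cardless_dispenses(journal_text):
    """Return (timestamp, atm, amount, reason) for every DISPENSE that is not
    covered by exactly one recent AUTH_OK of the same amount on the same machine."""
    pending = {}      # (atm, txn) -> (auth timestamp, authorised amount)
    suspicious = []
    for raw in journal_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        if rec["event"] == "AUTH_OK":
            pending[(rec["atm"], rec["txn"])] = (rec["ts"], int(rec["amount"]))
        elif rec["event"] == "DISPENSE":
            # Each authorisation may be consumed once; a second dispense
            # against the same txn is flagged just like one with no txn at all.
            auth = pending.pop((rec["atm"], rec["txn"]), None)
            amount = int(rec["amount"])
            reason = None
            if auth is None:
                reason = "no matching authorisation"
            elif rec["ts"] - auth[0] > AUTH_WINDOW:
                reason = "authorisation too old"
            elif amount != auth[1]:
                reason = "amount differs from authorised amount"
            if reason:
                suspicious.append((rec["ts"], rec["atm"], amount, reason))
    return suspicious


def unaccounted_cash(journal_text):
    """Total value of suspicious dispenses, the figure a reconciliation would surface."""
    return sum(hit[2] for hit in find_cardless_dispenses(journal_text))


if __name__ == "__main__":
    for ts, atm, amount, reason in find_cardless_dispenses(SAMPLE_JOURNAL):
        print(f"{ts} {atm} dispensed {amount} with {reason}")
    print("unaccounted cash:", unaccounted_cash(SAMPLE_JOURNAL))
```

Two of the eight events are flagged: the afternoon dispenses carry no transaction identifier and no authorisation, which is exactly the pattern the bank's reconciliation would have seen. Matching on a consumed authorisation rather than "was there any card read recently" also catches a dispense that reuses a stale transaction or pays out more than was approved.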

The malware gave the hackers access to the ATM's diagnostic and cash-loading mode, which they used to instruct the machine to dispense its highest-value notes first, minimising the time spent in front of the cash machine.

Access to that mode required a 12-digit code, and the hackers reportedly added a second, challenge-response step on top of it: the machine displayed a unique random sequence of numbers, and the person at the keypad had to enter a second code derived from it before the menu would open. The cash machine would return to its normal user state after three minutes of inactivity.
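The two-step unlock described above is an ordinary challenge-response gate: the fixed 12-digit code is a first factor, and the random sequence shown on screen can only be answered by someone holding a secret the person at the keypad does not have, which keeps the operator dependent on whoever controls that secret. The following is an added model of that sequence, not code from the article or from the malware it describes. The article does not say how the response was computed; deriving it as an HMAC-SHA256 of the challenge truncated to six digits, the eight-digit challenge, the code values and the class and method names are all assumptions made here.

```python
"""Model of a two-step unlock: fixed access code, then random challenge with a
keyed response, and a three-minute session timeout.

Added example, not code from the article or from the malware it describes.
The response derivation (HMAC-SHA256, six digits) is an assumption.
"""
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta

SESSION_TIMEOUT = timedelta(minutes=3)   # the article's three-minute revert to normal mode


class TwoStepGate:
    def __init__(self, access_code, response_secret, clock=datetime.now):
        self._access_code = access_code      # first factor: the 12-digit code typed at the keypad
        self._secret = response_secret       # second factor: secret held by whoever answers challenges
        self._clock = clock                  # injectable clock so the timeout can be tested
        self._challenge = None
        self._unlocked_at = None

    @staticmethod
    def expected_response(secret, challenge):
        """Assumed derivation: HMAC-SHA256 over the displayed challenge, reduced to six digits."""
        digest = hmac.new(secret, challenge.encode(), hashlib.sha256).digest()
        return f"{int.from_bytes(digest[:4], 'big') % 1_000_000:06d}"

    def enter_access_code(self, code):
        """Step 1: returns the challenge to display, or None if the code is wrong."""
        if not hmac.compare_digest(code, self._access_code):
            return None
        self._challenge = f"{secrets.randbelow(10 ** 8):08d}"
        return self._challenge

    def enter_response(self, response):
        """Step 2: unlock only if the response matches the outstanding challenge.
        The challenge is discarded after one attempt, right or wrong."""
        if self._challenge is None:
            return False
        expected = self.expected_response(self._secret, self._challenge)
        self._challenge = None
        if hmac.compare_digest(response, expected):
            self._unlocked_at = self._clock()
            return True
        return False

    def is_unlocked(self):
        """True while the session is live; it lapses SESSION_TIMEOUT after unlock."""
        if self._unlocked_at is None:
            return False
        if self._clock() - self._unlocked_at > SESSION_TIMEOUT:
            self._unlocked_at = None         # back to the normal user state
            return False
        return True


if __name__ == "__main__":
    gate = TwoStepGate("123456789012", b"secret-held-elsewhere")
    challenge = gate.enter_access_code("123456789012")
    print("challenge shown on screen:", challenge)
    # The keypad operator cannot compute this without the secret; here we play both roles.
    print("unlocked:", gate.enter_response(TwoStepGate.expected_response(b"secret-held-elsewhere", challenge)))
```

The point of the second step is not stronger security against the bank but control over the people doing the withdrawals: the challenge changes every time, so a memorised first code is useless on its own, and the menu closes again after three minutes whether or not anything was typed.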

Commenting on the story, Professor Peter Sommer, a digital forensics specialist at Leicester's De Montfort University, said that the feature that intrigues him most is the physical aspect: how the criminals were able to insert a doctored USB key by drilling holes in the exterior fascia of the ATM and apparently go undetected.

"It turns out that ATM schematics are widely available on the Web and that none of the ATMs had either armour-plated front panels or the simplest of intrusion detection systems of the type in low-cost domestic burglar alarms. What were the ATM manufacturers - and the banks - thinking of?" he said.
