NCR ATMS - Aurum Ex Machina
So, I was out at a mall and I needed some cash and I walked up to an ATM at Lenox Mall. It was a PNC Bank ATM, and I couldn't help but wonder why a bank from Pittsburgh had ATMs in a mall in Georgia. Anyway, something was wrong with it, and it appeared that a repairman must have been working on it because the screen showed some kind of configuration program. It looked a lot like the BIOS config screen on any PC.
The screen had something like eight options, things like change system time, change system data, change drive settings, print config, and reboot. These options were printed along the sides of the screen next to the buttons. I pushed the button next to "print config" (or something like that), and instead of taking me to a screen to configure the thermal printer, the ATM hummed for a second, and out of the receipt printer came a print-out of the current configuration of the machine. Here is the print-out word for word:
PNC BANK
***** 01/01/07 12:19:19 *****
SETUP
DATE (YY/MM/DD) 07/01/01
TIME (HH:MM:SS) 12:19:20
FLEX DRIVE A 1.44MB
FLEX DRIVE B NONE
DRIVE 1 TYPE 127
DRIVE 2 TYPE NONE
TOTAL MEMORY (KB) 16000
COPROCESSOR YES
Other than the "Flex" thing, this looked just like the specs of a simple computer. I didn't want to change the date or anything, and I couldn't do much at this screen. I knew I didn't have much time, and the "reboot" option looked really good. So I hit it, and the machine went blank. And nothing happened. Then it whirled to life, and in the top left corner I saw numbers: 4096, 8192, and all the way up to 16000. Hello POST! Then what should my wondrous eyes see but "Phoenix BIOS Ver 4.something or other." The machine then did some kind of check on its Flex drives, and then a big IBM logo came up. On the bottom of the screen it said "IBM OS/2 Version 3. Government." There was something after "Government," but the screen was smeared with something so god awful, I sure as Hell wasn't going to touch it. The screen cleared and then the words "Load 40" came up. At this point, the screen went to 40 columns and I started attracting serious attention, so I decided I should go. As I left, I saw the machine default into the setup program again.
I had always thought ATMs had specialized hardware and crazy stuff like that, not a PC running OS/2 of all things. The more I researched, the weirder it was. ATMs are quite a complex blend of software and hardware, and a comprehensive study of them is beyond the scope of this article. However, information on ATMs and their specifics is (for obvious reasons) very hard to come by. This should clear some of the mystery up.
The standard computer equipment available on an NCR ATM is: a Pentium processor (speeds from 100 to 166 MHz), RAM (16 MB to 32 MB), a 1.2 GB IDE hard drive, one 1.44 MB flex drive (it's just a floppy), a 10-inch VGA color or monochrome monitor (notice VGA, not SVGA, so it's only doing 320x200x256), and an RS-232 port. Optional parts include a sound card (to play digitized speech), an IDE CD-ROM to store the speech (speeds range from 6x to 24x), a second Flex drive, and other banking-specific hardware (a better thermal printer for receipts, currency cassettes, etc.).
I found the RS-232 interface a great thing to hack. It is there to allow remote video card systems to be controlled by the ATM. However, this is a rarely used option. RS-232 is extremely well documented, but sadly slow. On the other hand, ATMs have really weird connectivity. The NCR ATMs I researched (Personas and 5xxx series) didn't support TCP/IP. They had weird protocols like NCR/ISO Async, IBM 3275 Bisync, and a lot of other very obscure stuff. RS-232 is the only guaranteed way to move lots of data on and off the system.
There is a lot of banking-specific hardware in these things. I don't want to fill this article with specs of currency cassettes or magnetic card canisters. If you are interested, check my references. The only thing of interest is a DES hardware encryption system.
The operating system running on the ATMs is OS/2 Version 3. (I have since seen versions of OS/2 Warp for sale for ATMs as well.) I know next to nothing about OS/2, so study on your own if you want. I do know, however, that OS/2 is used for its multi-tasking abilities.
The main NCR program running is something called the "Self-Service System Software" (S4). This keeps a log on the hard drive of "all significant customer and supervisor activity." It also manages all the applications such as the communications software and the graphical display. S4 has an API programmers can use called ADI. ADI handles things like memory allocation and access to the file system. However, programmers can call OS/2's API directly. These machines use FAT as their file system, and since it's IBM, it is most likely still FAT16. Other software running on these ATMs is NCR Direct Connect, which seems to be the interface to the communications. (It handles the protocols, and can convert between them, or emulate other ATMs.)
The software running on the ATMs could be pretty old. I mean, the diagnostics asked if I had a co-processor to enable. Math co-processors have been standard inside processors since 386DXs and 486DXs. Also, NCR offers a book for Pascal programmers to develop applications for the ATM.
ATM software is developed on standard PCs, and since they use Intel x86 Pentium class processors with a standard DOS-based operating system, anything that doesn't use Windows API calls should work. In fact, a lot of Windows 3.x programs work in OS/2. A good rule of thumb is, if it works in DOS, it will work in OS/2.
Communication in the ATM is conducted through leased lines, though some ATMs in less high-traffic areas may still use dial-up. By Federal law, all information traveling on these lines must be encrypted. The NCR ATMs use DES.
Alarms on the ATM mainly protect against a physical attack. These are the mechanical and thermal alarms, and they make sure you don't take a crowbar or a blowtorch to the money door. However, NCR does have an enhanced alarm system which protects the Flex disk drive door. This enhanced version also has seismic sensors. However, unplugging the ATM or rebooting it a lot shouldn't mess anything up.
There is a lot more info about ATMs, and you can check my references. I have no desire to try and steal money from them, so I never really looked at the data lines or ways to intercept key presses inside the machine. However, my research shows that the computer part of the ATM, since it uses standard PC parts, is vulnerable. I rebooted it for God's sake. I wish I knew the OS/2 equivalent of [F5] which would have let me interrupt the boot and get to a command prompt. The machines most hackable are in malls and other public places. These have much less armor plating and other countermeasures, and instead rely on their exposure to protect them. If you look like you know what you are doing, no one will question you... Who would like to put anti-virus software on an ATM? With a little research about OS/2 and how it loads, you could easily drop out of the boot-up and get to a command prompt. Using the floppy and the RS-232 port (or better yet a CD-ROM, if it's there), you could install your own software. How cool would it be to have an ATM running Doom?
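A defender's reading of the setup print-out above, as an added example (not from the original article or from NCR): it parses the fields as transcribed on this page and flags an enabled Flex (floppy) drive and a setup clock that disagrees with a trusted reference, since the S4 activity log depends on that clock. The line layout of the print-out, the baseline policy (no removable drive enabled, five minutes of allowed skew) and reading the two-digit year as 20YY are assumptions.

```python
from datetime import datetime, timedelta

# Print-out text as transcribed on this page; the line breaks are assumed.
PRINTOUT = """\
PNC BANK
***** 01/01/07 12:19:19 *****
SETUP
DATE (YY/MM/DD) 07/01/01
TIME (HH:MM:SS) 12:19:20
FLEX DRIVE A 1.44MB
FLEX DRIVE B NONE
DRIVE 1 TYPE 127
DRIVE 2 TYPE NONE
TOTAL MEMORY (KB) 16000
COPROCESSOR YES
"""

# Field labels exactly as they appear on the print-out.
FIELDS = ("DATE (YY/MM/DD)", "TIME (HH:MM:SS)", "FLEX DRIVE A",
          "FLEX DRIVE B", "DRIVE 1 TYPE", "DRIVE 2 TYPE",
          "TOTAL MEMORY (KB)", "COPROCESSOR")

def parse_setup(text):
    """Return ({label: value}, [lines that match no known label])."""
    cfg, unknown = {}, []
    for line in filter(None, map(str.strip, text.splitlines())):
        label = next((f for f in FIELDS if line.startswith(f + " ")), None)
        if label:
            cfg[label] = line[len(label):].strip()
        else:
            unknown.append(line)  # banner, timestamp header, section title
    return cfg, unknown

def audit(cfg, reference, max_skew=timedelta(minutes=5)):
    """Compare a parsed print-out with the assumed hardening baseline."""
    findings = [f"missing field: {f}" for f in FIELDS if f not in cfg]
    for drive in ("FLEX DRIVE A", "FLEX DRIVE B"):
        if cfg.get(drive, "NONE") != "NONE":
            findings.append(f"removable media enabled: {drive} = {cfg[drive]}")
    try:
        stamp = cfg["DATE (YY/MM/DD)"] + " " + cfg["TIME (HH:MM:SS)"]
        clock = datetime.strptime(stamp, "%y/%m/%d %H:%M:%S")  # assumes 20YY
    except (KeyError, ValueError):
        findings.append("setup clock unreadable")
    else:
        skew = abs(clock - reference)
        if skew > max_skew:
            findings.append(f"setup clock off by {skew}")
    return findings
```

Call `audit(parse_setup(text)[0], reference)` with `reference` taken from a trusted time source; an empty list means the print-out meets the assumed baseline.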
- NCR PersonaS 88 ATM System Description: Got the bulk of my info from this. Found it after a ton of searching on a cached Google page of NCR's Russian web site. I don't think they wanted this out in the public, but I got it and moved it to my site: www.prism.gatech.edu/~gte344p/NCR-ATM.pdf
- The Bankers Exchange: They sell ATM parts and accessories. Used them to check on parts: www.bankersx.com/home.html
- The Idiots at Lenox Mall: For leaving the ATM in diagnostic mode.