Hubots: New Ways of Attacking Old Systems

by S. Pidgorny

Distributed denial of service attacks are a sad reality of today.  Coordinated botnets use their numbers to overwhelm their target, consuming either all processing resources or all bandwidth.  The attacks are incredibly hard to counter, as often there's no detectable difference between the bots and legitimate users.  Even if there is, the intrusion prevention systems need enough capacity to process large numbers of requests, which makes them targets of the attack themselves.

But what if the participants of distributed attacks were not bots but real people?  That opens new opportunities for attacks against well known targets.  A good example would be PIN brute-forcing in an Automatic Teller Machine (ATM).

ATM cards generally use a magnetic strip and require a PIN to get the account balance or withdraw cash.  You have three tries to get the PIN right.  After the first or second try you can cancel and get the card back.  PINs are generally four-digit decimal numbers (0000 to 9999).  So one gets two shots at guessing the PIN (the ATM swallows the card after the third wrong PIN attempt), and the probability of a successful guess is therefore 0.02.  It will take days of full-time PIN guessing for somebody to get access to the money if they have a card but don't know the PIN.

Unless PIN brute-forcing is distributed.  Copying an ATM card is a trivial task.  Equipment for it is cheap and widely available.  Picture a group of 5000 people doing PIN guessing at the same time.  The coordinator distributes magnetic strip information, the force (do we call them hubots?) writes strips on white plastic and uses 5000 ATMs at the same time with preassigned PINs, just two for each hubot.  Success is certain, the attack takes just minutes, and is as hard to counter as any other distributed attack.

A few factors still offset the risk: an army of hubots has to be formed and must be very geographically distributed (thousands of ATMs are needed), extraordinary organizational skill is needed, the magnetic strip information needs to be obtained somehow, and monitoring systems could flag the use pattern and prevent the card from being used until the owner contacts the bank.  But the required resources can already be in place, as the criminal economy has significant scale and workforce.  Only completely switching from easily "clone-able" cards to cryptographic chip cards will fully mitigate the risk of such distributed attacks against bank cards.
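
The monitoring idea mentioned above, sketched as an added example that is not part of the original article: wrong PIN entries are counted per card across all terminals instead of per ATM, so guesses spread over many machines still add up.  The event format, the thresholds and the sample log are constructed assumptions.

```python
from collections import defaultdict, deque

# Constructed sample: (unix_seconds, card_id, terminal_id, pin_ok). Not real data.
SAMPLE_EVENTS = [
    (0,   "CARD-A", "ATM-001", False),   # owner mistypes once...
    (20,  "CARD-A", "ATM-001", True),    # ...then gets it right
    (100, "CARD-B", "ATM-101", False),   # same strip seen at several ATMs,
    (101, "CARD-B", "ATM-102", False),   # two wrong PINs at each of them
    (102, "CARD-B", "ATM-103", False),
    (103, "CARD-B", "ATM-101", False),
    (104, "CARD-B", "ATM-102", False),
    (105, "CARD-B", "ATM-103", False),
]

def per_terminal_max(events):
    """Highest wrong-PIN count any single ATM saw for each card."""
    counts = defaultdict(int)
    for _, card, terminal, pin_ok in events:
        if not pin_ok:
            counts[(card, terminal)] += 1
    worst = defaultdict(int)
    for (card, _), n in counts.items():
        worst[card] = max(worst[card], n)
    return dict(worst)

def flag_cards(events, window=600, max_failures=3, max_terminals=2):
    """Return {card_id: timestamp at which the issuer-side rule blocks it}.

    Thresholds are assumptions for this example. Events must be time-sorted.
    """
    recent = defaultdict(deque)          # card -> (ts, terminal) of wrong PINs
    blocked = {}
    for ts, card, terminal, pin_ok in events:
        if pin_ok or card in blocked:
            continue                     # successes ignored; failures age out
        q = recent[card]
        q.append((ts, terminal))
        while ts - q[0][0] > window:     # drop failures older than the window
            q.popleft()
        if len(q) >= max_failures or len({t for _, t in q}) > max_terminals:
            blocked[card] = ts
    return blocked

if __name__ == "__main__":
    print("per-ATM view:", per_terminal_max(SAMPLE_EVENTS))
    print("per-card view:", flag_cards(SAMPLE_EVENTS))
```

In the sample no single ATM ever sees a third wrong PIN for CARD-B, so a per-terminal counter stays quiet, while the per-card rule blocks the card on its third failure.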

Shouts to the P&A squad, J. K., Cookie, and Nicky.  We shall outsmart.