What's Old is New Again - We Are Still Jackpotting ATMs

by lg0p89

Everyone loves money.  Money, money, money.

This allows us a certain level of freedom for the items we need to survive and what we want, where we would like to travel, gifts to our friends, and a level of comfort for the future.  They say cash is king, and certainly during this time period it has tended to be.  One piece of equipment that holds a large amount of cash is the ATM.  People have dreamed of simply walking by and money flying out at them.  As the mountain of bills falls to their feet, they grab them as fast as possible.

As bizarre as this sounds, these attacks have been part of the Proof-of-Concept (PoC) world since at least 2010.  The history lesson begins with Black Hat in 2010.  The illustrious researcher Barnaby Jack had found a vulnerability in ATMs and sought to publish his results.  Barnaby Jack's presentation drew a large crowd and enthralled them as he showed two different methods to jackpot the ATM, or direct it to spew out the bills it contained.  One of the attacks was done over the Internet and the other required hardware access through the front of the machine.  The audience was naturally very impressed by his expertise.  At the time, he was the director of security research at IOActive Labs.  While this was impressive and clearly an advancement, over the years research continued to build on Jack's hard work, and other methods to jackpot ATMs were found and published.

The new attack is focused on Diebold Nixdorf machines.  Diebold Nixdorf made $3.3 billion from ATM sales and the associated service plans in 2019.  The organization is one of the favored and notable manufacturers of ATMs.  All you need to do is check a few bank ATMs in your area (but not in a suspicious manner) to understand the prominence the company has.

New Attack

The new ATM attack in town does not work on all ATMs.  The attackers have been using the new method against Diebold's ProCash 2050XE USB terminals.  In theory, if other manufacturers use similar software, the attack itself could be pivoted from only the Diebold ATMs to other manufacturers.

The newly published attack requires the attacker to build a black box and load that hardware with Diebold proprietary code that has been adjusted with malicious intent.  This is used to attack the vulnerability in the ATM.  The code is from the ATM manufacturer (Diebold) and has been modified to dispense the cash.  The attackers have to connect the black box to the ATM to complete the attack.  This is done by unlocking the ATM chassis, drilling holes into the chassis at selected points, or otherwise bypassing the physical security.  At this point the attacker would plug their patch cord into the CMD-V4 dispenser in place of the cord already plugged in.  The ATM is pwned as the attacker issues the malicious dispense commands to the ATM.

The end result is for the cash to flow from the machine to the attackers, who are not authorized to receive the money.  Depending on the inventory held in the ATM, this could be as many as 40 bills every 23 seconds or $800 every 23 seconds if the machine only holds $20s.

From what is known, the attacks appear to use a portion of the ATM software stack.  This had been reverse engineered and reviewed, and the commands to dispense cash uploaded onto the attacker's hardware.  It isn't known for certain how the attackers were able to gain access to the ATM dispenser code, as the software is proprietary and no one can simply go to Google and download it.  They may have, however, gained the requisite information from an unencrypted hard drive that was obtained by the unauthorized parties.

PoC or Not?

Noting an attack is workable and potentially viable is one thing.  To show this and also show where this has been done outside of the lab in the real world is another issue completely.  In this case, this attack has been used across Europe.

Mitigations

All is not lost, and there does not need to be a 24-hour security guard at these specifically affected machines.  Diebold has provided mitigations for this and urgently recommended that its customers verify whether these are in place yet.  These include using firmware version 2011 or later for the CMD-V4; enabling the firmware fuse; securing encryption handling, enhanced keystore format, and 3DES encryption; and verifying that this encryption is active and actually being done.  There have also been recommendations to physically secure the ATM itself from this attack.  The document from Diebold is very helpful in the implementation.
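One way to check a fleet against the mitigations listed above, as an added example that is not from the article or from Diebold.  The inventory records, their field names, and the treatment of the firmware version as a plain integer are assumptions made for illustration.

```python
# Added example: audit a constructed ATM inventory against the mitigations
# listed in the article. Field names and records are hypothetical.
MIN_CMD_V4_FIRMWARE = 2011  # "firmware version 2011 or later for CMD-V4"

# Constructed sample inventory; None means the value was never collected.
INVENTORY = [
    {"id": "ATM-001", "dispenser": "CMD-V4", "fw": 2013, "fuse": True,
     "enc_configured": True, "enc_verified": True},
    {"id": "ATM-002", "dispenser": "CMD-V4", "fw": 2009, "fuse": True,
     "enc_configured": True, "enc_verified": True},
    {"id": "ATM-003", "dispenser": "CMD-V4", "fw": 2012, "fuse": False,
     "enc_configured": True, "enc_verified": None},
    {"id": "ATM-004", "dispenser": "CMD-V4", "fw": None, "fuse": None,
     "enc_configured": None, "enc_verified": None},
    {"id": "ATM-005", "dispenser": "OTHER", "fw": 1, "fuse": False,
     "enc_configured": False, "enc_verified": False},
]

def audit_terminal(rec):
    """Return the unmet mitigations for one terminal; unknown counts as unmet."""
    findings = []
    fw = rec.get("fw")
    if not isinstance(fw, int) or fw < MIN_CMD_V4_FIRMWARE:
        findings.append("firmware older than 2011 or unknown")
    if rec.get("fuse") is not True:
        findings.append("firmware fuse not confirmed enabled")
    if rec.get("enc_configured") is not True:
        findings.append("encryption not configured")
    elif rec.get("enc_verified") is not True:
        # Configured is not enough: the article stresses verifying it is active.
        findings.append("encryption configured but not verified active")
    return findings

def audit_fleet(inventory):
    """Map terminal id -> findings for CMD-V4 terminals with open findings."""
    report = {}
    for rec in inventory:
        if rec.get("dispenser") != "CMD-V4":
            continue  # this audit covers only the CMD-V4 dispenser named above
        findings = audit_terminal(rec)
        if findings:
            report[rec["id"]] = findings
    return report

if __name__ == "__main__":
    for atm_id, findings in audit_fleet(INVENTORY).items():
        print(atm_id, "->", "; ".join(findings))
```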

Potential

Yes, indeed, this is a viable attack and not just a lab exercise to show you are 1337 or - if you are super-special - 31337.  This, however, would only be practical in a very limited set of circumstances.  After all, if one of these was in the mall, someone isn't going to waltz up at noon on a Saturday and gingerly pry open the front of the ATM and hope no one notices or calls law enforcement - or better yet, drill through the aluminum plating several times and thread a patch cord through a hole.  There is always the key to unlock the ATM.  However, this would probably also appear a bit fishy as the attackers plug the cord into the machine.  If the machine were outside, perhaps the attack could be done in the darkness.  The issue with this is that there are cameras everywhere in the environment.  The attackers probably would be recorded, and they also run the risk of law enforcement stopping by.

It is also notable that the black box does not need to be a laptop with a 13-inch monitor.  This could be built with an Arduino or Raspberry Pi.  The housing for these is also comparatively very small.  While this would indeed appear a little odd to the shoppers in our scenario or others, the hardware is easily hidden and manipulated.

This is an exciting advance, and it continues to show our creative side: when provided with a problem, we will work around or through it.  Remember, boot up or shut up.

Resources

Diebold Nixdorf  (2020, July 15)  "020-27/0003 - Jackpotting With Black Box in Europe"  Retrieved from dd80b675424c132b90b3-e48385e382d2e5d17821a5e1d8e4c86b.ssl.cf1.rackcdn.com/external/diebold-nixdorf-security-alert-2.pdf

Diebold Nixdorf  "Cyber Attacks Are On the Rise.  Find Out How You Can Protect Your Network Comprehensively."  Retrieved from www.dieboldnixdorf.com/-/media/diebold/files/banking/insights/brochures/dn_brochure_security-jackpotting-overview_fa_20181005.pdf

Goodin, D.  (2020, July 20)  "Crooks Have Acquired Proprietary Diebold Software to 'Jackpot' ATMs"  Retrieved from arstechnica.com/information-technology/2020/07/crooks-are-using-a-new-way-to-jackpot-atms-made-by-diebold/

ThreatPost  (2020, July 21)  "Diebold ATM Terminals Jackpotted Using Machine's Own Software"  Retrieved from www.newsbreak.com/news/1604274576845/diebold-atm-terminals-jackpotted-using-machines-own-software and threatpost.com/diebold-atm-terminals-jackpotted-using-machines-own-software/157575

Zetter, K.  (2010, July 20)  "Researcher Demonstrates ATM 'Jackpotting' at Black Hat Conference"  Retrieved from www.wired.com/2010/07/atms-jackpotted
