Friday, January 31, 2020

Laurentienne bank ATM attack - Engineering 101 Failure

Earlier this week, I was contacted by a journalist who had gathered some very high level details about the loss of funds at Laurentienne bank.

At that time, all we knew was that a few ATMs had been targeted and the losses totalled $55k.

I explained to the journalist the various attacks that are possible on an ATM, including attacks that take over the ATM, and the most probable scenario that remained appeared to be a simple card skimming/cloning attack.  Even though these attacks are less and less popular, I couldn't imagine that an actual ATM in a bank (not one in a corner store somewhere) would be the victim of an actual jackpotting attack.  Original article.

Many years ago (15+), I was in charge of ATM selection for a large bank, and these attack vectors had already been examined; the ATM solutions selected had to meet certain physical security characteristics to be considered for purchase.

Well, I think everyone is a little stunned to hear that the attack that was demonstrated 10 years ago at Defcon18 and BlackHat 2010 appears to be the attack that took place on commercial grade ATMs directly in several bank branches.

I know that I am flabbergasted (to use the term of a colleague).

There is a significant difference between true commercial grade systems and the little ATM systems found in various stores.... or at least there should be.

Turns out, we are faced with a problem which we could call a SECURITY ENGINEERING FAILURE.

News reports state, with considerable exaggeration, that these ATMs spat out $200,000 in a minute, which mechanically they simply cannot do, but a significant engineering failure is still present.

Older ATMs from reputable vendors have a modification available that blocks this attack.

To recap, accessing the inside of the ATM and perhaps connecting to a service port (USB port anyone...) can grant access to the operating system, either directly or through a vulnerability.  Since the software controls the cash dispenser, you can simply inject code that asks the cash dispenser to dispense.

Emptying $100,000 in 20 dollar bills means spitting out 5000 bills.  This does take time, but if it is 1 am, perhaps no one would notice.

So how is this a failure of engineering?

The cash dispenser can be equipped with an electronic circuit (with no computing intelligence) that simply counts how many bills have been dispensed in a given sequence or time period.

Most banks will let you take out a maximum of $500 per transaction, so if the electronic circuit detects 26 bills leaving the cartridge within, say, 3 minutes, the circuit could initiate a shutdown of the ATM, ring an alarm, call its mommy, or do whatever... resulting in the attack being uncovered, and the losses contained to $520 buckazoids.   That's right folks... a Space Quest reference on a Friday!
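As an added illustration (this is not code from the original post, nor any ATM vendor's design), the following Python models the logic of that counting circuit as a sliding-window interlock and runs two constructed dispense sequences through it: a normal day of $500 withdrawals and an injected drain of the cartridge. The threshold (26 bills), window (3 minutes), bill value ($20) and the 5000-bill drain are the post's own numbers; the per-bill timings and the spacing between customers are assumptions made for the simulation.

```python
from collections import deque
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Parameters taken from the post: $500 per transaction in $20 bills,
# trip the interlock at 26 bills within 3 minutes.
BILL_VALUE = 20
MAX_BILLS_PER_TXN = 500 // BILL_VALUE   # 25
BILL_THRESHOLD = 26
WINDOW_SECONDS = 3 * 60


@dataclass
class DispenseInterlock:
    """Model of the dumb counting circuit on the dispenser.

    It sees only 'a bill left the cartridge' pulses and a clock; it has no
    view of, and takes no commands from, the ATM's operating system, which
    is exactly why compromised software cannot talk it out of tripping.
    """
    threshold: int = BILL_THRESHOLD
    window: float = WINDOW_SECONDS
    _pulses: deque = field(default_factory=deque)
    tripped_at: Optional[float] = None

    @property
    def tripped(self) -> bool:
        return self.tripped_at is not None

    def bill_dispensed(self, t: float) -> bool:
        """Record one bill pulse at time t (seconds). Returns True once tripped."""
        if self.tripped:
            return True
        self._pulses.append(t)
        # Forget pulses that have aged out of the window.
        while self._pulses and t - self._pulses[0] > self.window:
            self._pulses.popleft()
        if len(self._pulses) >= self.threshold:
            self.tripped_at = t          # cut power to the dispenser, raise alarm
        return self.tripped


def simulate(pulse_times: List[float]) -> Tuple[int, Optional[float]]:
    """Feed dispense timestamps through a fresh interlock.

    Returns (bills that physically left the cartridge, time the interlock
    tripped or None). Once tripped, no further bills are dispensed.
    """
    interlock = DispenseInterlock()
    dispensed = 0
    for t in pulse_times:
        if interlock.tripped:
            break
        interlock.bill_dispensed(t)
        dispensed += 1
    return dispensed, interlock.tripped_at


def legitimate_day() -> Tuple[int, Optional[float]]:
    """Constructed: three $500 withdrawals, 2 bills/sec, 10 minutes apart."""
    pulses: List[float] = []
    for start in (0, 600, 1200):
        pulses += [start + i * 0.5 for i in range(MAX_BILLS_PER_TXN)]
    return simulate(pulses)


def jackpot_run() -> Tuple[int, Optional[float]]:
    """Constructed: injected dispense command draining 5000 bills at 3 bills/sec."""
    pulses = [i / 3 for i in range(5000)]
    return simulate(pulses)


if __name__ == "__main__":
    bills, _ = legitimate_day()
    print(f"normal day: {bills} bills dispensed, interlock never tripped")
    bills, at = jackpot_run()
    print(f"jackpot: interlock tripped at {at:.1f}s, loss capped at ${bills * BILL_VALUE}")
```

Run as-is, the normal day dispenses all 75 bills without a trip, while the drain is stopped after the 26th bill, about 8 seconds in, capping the loss at $520 instead of $100,000. The one design caveat the simulation makes visible: with the post's numbers, two legitimate customers each taking $500 within three minutes of each other would also trip the circuit, so the threshold and window of a real deployment have to be tuned against the branch's actual withdrawal pattern, with the alarm path going somewhere other than the ATM's own software.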

So essentially, we have a series of commercial grade (cough cough) systems that have been engineered without security engineering in mind.

The electrical modification needed to block this attack is relatively simple and therefore "cheap".

For the Laurentienne Bank, it seems it may have cost them a little shy of a million dollars in losses, which I am certain their insurance will cover with a smile.

Well... maybe not with a smile.

If you have never seen the original attack demonstrated at DefCon18 (2010) by Barnaby Jack, the link is here.

These types of engineering failures happen more frequently than one would think.

Debit card processing machines that allow you to configure the device with your banking information yet retain the default administrator password of "12345".  An attacker can simply get to the admin panel, credit their own debit card, and walk out the door with amounts as high as $5000 a shot.

Airplanes not allowing system updates through a circuit that cuts the power to the USB service ports unless there is weight on the wheels....

Having a USB port front facing or "easily" accessible on a public ATM....

Here are links to two interviews I just did on this subject.

FM 98.5 (French):  The general topic of the breach

QUB RADIO (French): The general topic & the engineering aspect

Keep in mind that these ATM systems probably needed some serious software updates and might even be running Windows XP, the once gold standard of ATM controllers. ;-)

Minimally, from an engineering perspective, having a USB port that you can get to from the front of the ATM also seems like an obviously bad idea to a typical guy like me.

But.... I ain't no engineer. ;-)
Eric Parent is a senior security expert (and seasoned pilot), specialized in coaching senior executives.  He teaches CyberSecurity at l'Ecole Polytechnique and HEC Universities in Montreal, and is CEO of Logicnet/EVA-Technologies, one of Canada's oldest privately owned security companies.

Follow Eric on:
Twitter @ericparent
LinkedIn :  EVA-Technologies
