Friday, January 31, 2020

Laurentienne bank ATM attack - Engineering 101 Failure

Laurentienne bank ATM attack - Engineering 101 Failure

Earlier this week, I was contacted by a journalist who had gathered some very high level details about the loss of funds at Laurentienne bank.

At that time, all we knew was that a few ATM had been targeted and the losses totalled $55k.

I explained to the journalist the various attacks that are possible on an ATM including attacks that take over the ATM, and the most probable scenario that remained appeared to be a simple card skimming/cloning attack.  Even though these attacks are less and less popular, I couldn't imagine that the actual ATM in a bank (not one in a corner store somewhere) would be victim to an actual jackpotting attack.  Original article.

Many years ago (15+) , I was in charge of ATM selection for a large bank and these attack vectors had already been examined, and the ATM solutions selected had to meet certain physical security characteristics to be considered for purchase.

Well, I think everyone is a little stunned to hear that the attack that was demonstrated 10 years ago at Defcon18 and BlackHat 2010 appears to be the attack that took place on a commercial grade ATM directly in several bank branches.  

I know that I am flabbergasted (to use the term of a colleague).

There is a significant difference between true commercial grade systems and the little ATM systems found in various stores.... or at least there should be.

Turns out, we are faced with a problem which we could call a SECURITY ENGINEERING FAILURE.

News report state with a large exaggeration that these ATMs spat out $200,000 in a minute, which mechanically they simply cannot do, but a significant engineering failure is still present.

Older ATMs from reputable vendors have a modification available that blocks this attack.

To recap, accessing the inside of the ATM and perhaps connecting to a service port (USB port anyone...) can grant access to the operating system either directly or through a vulnerability.  Since the software controls the cash dispenser, you can simply inject code that asks the cash dispenser to dispense.  

Emptying $100,000 in 20 dollar bills means spitting out 5000 bills.  This does take time, but if it is 1 am, perhaps no one would notice.

So how is this a failure of engineering ?

The cash dispenser can be equipped with an electronic circuit (with no computing intelligence) that simply counts how many bills have been dispersed in a given sequence or time period.

Most banks will let you take out a maximum of $500 per transaction, so if the electronic circuit detects 26 bills leaving the cartridge within say 3 minutes, the circuit could initiate a shutdown of the ATM, ring an alarm, call its mommy, or do whatever... resulting in the attack being uncovered, and the losses contained to $520 buckazoids.   Thats right folks... a space quest reference on a Friday!

So essentially, we have a series of commercial grade (cough cough) systems that have been engineering without security engineering in mind.

The electrical modifications to actually simply block this attack is actually relatively simplistic and therefor "cheap".

For the Laurentienne Bank, it seems it may have cost them a little shy of a million dollars in losses, that I am certain their insurance will cover with a smile.

Well... maybe not with a smile.

If you have never seen the original attack demonstrate at DefCon18 (2010) by Barnaby Jack, the link is here.

These types of engineering failures happen more frequently than one would think.

Debit card processing machines that allow you to configure the device with your banking information yet retains the default administrator password of "12345".  An attacker can simply get to the admin panel, and credit their debit card, walking out the door with amounts as high as $5000 a shot.

Airplanes not allowing system updates through a circuit that cuts the power to the USB service ports unless there is weight on the wheels....

Having a USB port front facing or "easily" accessible on a public ATM 

Here are links to two interviews I just did on this subject.

FM 98.5 (French):  The general topic of the breach

QUB RADIO (French): The general topic & the engineering aspect

Keep in mind that these ATM systems probably needed some serious software updates and might even be running Windows XP, the once gold standard of ATM controllers. ;-)

Minimally, from an engineering perspective, having a USB port that you can get to from the front of the ATM, also seems obviously like a bad idea to a typical guy like me.

But.... I ain't no engineer. ;-)


Eric Parent is a senior security expert (and seasoned pilot), specialized in coaching senior executives.  He teaches CyberSecurity at l'Ecole Polytechnique and HEC Universities in Montreal, and is CEO of Logicnet/EVA-Technologies, one of Canada's oldest privately owned security companies.

Follow Eric on:
Twitter @ericparent
LinkedIn :  EVA-Technologies

Tuesday, January 14, 2020

Scaring grandma - A vicious news cycle of incompetence

As someone pointed out, its been awhile since I published something to stimulate the mind and piss off someone in need of an attitude readjustment.

Well.... happy new year !  

The last months have been overwhelming for many enterprises, as breaches surface faster then grandpa's bubbles in the spa.

No lack of cases to pick at, and over the last month and a half, I was called into over 30 television and radio interviews for various screws up and potentially news worthy events.

This week, some news stories floated to the top, but as is often the case, the media misunderstands risks, and sometimes they call in technology experts that are not tuned to security and the results are messages that frighten everyone with no significant value.

Lets take this case:  Quebec hacker arrested for Sim Swapping and stealing millions in bitcoins.

I was listening to one of my favourite talk show hosts... drive the car literally off the cliff.  I actually texted him while he was on the air with the word "STOP!".

His interviewée was going on about how SIM swapping takes over the persons phone.

First off, NO.  SIM swapping takes over the persons PHONE NUMBER.  It has very little to do with their emails on their phone or the other applications on that phone without numerous other attack vectors.

As the car drove off the cliff.... it accelerated.... going on about how emails and everything on the phone was compromised.....  once again... a stern and firm NO.

I'm all for scaring grandma.   But I prefer to use valid old school techniques like C4 or the right mixture of potassium nitrate, sulfur and carbon in her granny panties drawer with a drawstring and a hidden camera.

So lets make sure we break this down and understand.

If someone called your provider and had the right personal information, they could activate a new SIM on your current phone number.  Your phone would go mostly dead (no calls, no phone carrier internet), but if you are on wifi, you might not even notice until you try and make a call.

If that same someone, had access to even more personal information, like your banking information (bank name, account name, password) they could log into your bank account even if your bank uses SMS based MFA (Multifactor authentication).  They would simply login, when asked for the temporary secret code, they would receive it on their newly configured cell phone SIM card enabled device, and you wouldn't receive anything nor know that this happened.

So back to the bitcoins worth millions.

These victims are not the sharpest tools in the shed.

Sure they had MFA activated on their ONLINE WALLETS..... 

But these wallets are ONLINE and they had millions in them.

So not only did they trust the MFA (which is ok to do under most circumstances), but they also trusted a software system, hosted on the internet, to hold millions of dollars in bitcoins.

That is not a very smart move.

As a solid comparison, I have an electronic bitcoin wallet in an android phone.  This device is ONLY connected to the internet via wifi (no SIM card) when a bitcoin transaction is to be done.   I have the wallet secret key encrypted with a mechanism that only I know, and printed and placed in a physical vault.

So my risk is reduced to a window of time, equal to the moment I connect to the Internet to perform a transaction (a few minutes).

Ok sure, some additional risks exists.  Since I just mentioned that I have a paper version that only I can decrypt stored away in a vault somewhere.  So I'm now a potential kidnap victim.  On the positive side, I'm batshit crazy, heavily armed, ex-military, over 50 with a short fuse.  

That is called risk management.

And you won't hear me crying that someone stole my bitcoins anytime soon.

So all these people, rapidly moving with the technology are not aware even at the simplest level, of the risks they are taking.

Trusting a website to hold your bitcoins (or anything related to your wallet) to me, is as close to crazy as one can get.

So once again, everyone relying on technology would benefit from a lunch with a qualified security professional.

People, feed your nerds and geeks.

It can save you millions . ;-)

And as for the media, it would be nice if they would gradually learn to stop calling an 18 year old "hacker" a computer genius simply because he had the patience to exploit a series of people who where totally useless and careless in their protection of valued assets.

Just to be clear, because someone knows more about something than you do, does not by default make them a genius.

And also, how many people actually have millions in bitcoins protected by their phones.....


On a second note, big news today about various social media being caught selling your shit again.  How this is new news is beyond me, since all experts keep saying that if it is free, you're the product.

Ok, in this case, these services are not ALL free ( Tinder & Grindr ), but some features are, and lets face is, companies are there to make money, not offer a quality service as a primary objective.

Now I'm not saying that quality isn't important to them and that all social media and dating apps are bad, I'm saying that most will sell any data they can to make more money because companies prioritize profites over quality of service.

What we do not know at this exact moment are the exact data elements sold.  Is it just statistical data (so many men looking for XYZ in this geographic area).  But either way, are we really surprised that they package usage data and sell it..... come on now.  Grow up.

So, back to basics:

1) If it is free (or mostly free) you are the product or part of the product
2) If it is extremely valuable, it shouldn't be on anything connected to the Internet

Paris Hilton and many other famous people learnt that the hard way (no pun intended).


Eric Parent is a senior security expert (and seasoned pilot), specialized in coaching senior executives.  He teaches CyberSecurity at l'Ecole Polytechnique and HEC Universities in Montreal, and is CEO of Logicnet/EVA-Technologies, one of Canada's oldest privately owned security companies.

Follow Eric on:
Twitter @ericparent
LinkedIn :  EVA-Technologies

Disposerons-nous un jour d'une carte d'identité numérique provinciale qui sécurise réellement vos opérations bancaires ?

  J'ai fait une entrevue ce matin sur QUB Radio basée sur un article du Journal de Montréal qui a été publié aujourd'hui et qui disc...