I have a tendency to pull on things like ATM covers, credit card slots, and the like. And that's because we have lots of skimmers that are found at local gas stations and places around here (big college presence).
So far, I've found an opened gasoline pump door. I called the attendant and went to a different pump (attendants didn't have keys for that...).
I've also found an ATM that was partially locked and came open when I gave it a tug. I called our bank's security after that one.
I also found a skimmer on a gas pump as well. It had a fishy look to it and I gave it a tug. Pop. Was just a simple card reader and cam module in 1. I harvested the parts and put the microSD card through a good format.
I wouldn't leave that thing at an outside location with enough money in it to hurt me, unless the robberies were insured or so seldom as to be considered a cost of doing business.
The hardened part of the ATM is only the safe (which, by design, actually has several large holes in it as well). You won't be casually drilling through the safe with a hole-saw or other portable equipment without spending a considerable amount of time.
https://www.youtube.com/watch?v=Xyq7xBUhsAo
Hell, depending on the gauge you could probably carve out a 3" hole with a dremel tool and a diamond bit in a reasonable amount of time.
You cannot casually drill a safe. Not talking about your hardware store variety of safe, or a 'fireproof safe'. But a legit safe like you'd find in an ATM has a number of countermeasures to ensure that it's not possible to drill the safe in a short amount of time.
Mixed into the steel is usually a number of drill-bit-breaking things like hardened ceramic/steel ball bearings, odd-shaped chunks of metal, plastics which all react differently to different attacks in order to ensure that one attack does not compromise the door and that it's near-impossible to do quickly. Bigger safes employ the use of fancy mixtures of concrete and metal to resist even more aggressive attacks like thermal lancing etc. by turning the whole door/wall into a giant heat-sink.
Safes are really cool.
Most communication happens either at serial, SPI, or i2c busses. If it's cars, CAN.
And if you can plug in a wire somewhere, you can damage or pwn it. Most things don't have security, other than software security and physical locks. And even when there are other types of security, like cryptokeys and such, physical wires can usually bypass even those.
If they wanted something that was secure, they could do that glass mesh thing the ORWL does, and have some sort of black dyepack on the money that explodes everywhere. Go for "we ruin so you can't have". But then again, I could see criminals pissed off and taking a hammer primarily to ruin their money, and cause customer consternation.
Disrupting the meshes in any way (e.g. drilling) would result in three actions.
1) Electronic erase MOST programmable memory in the machine. (Brick it)
2) Engage something akin to an EMO (Emergency Machine Off)
3) If an uplink of some sort exists, broadcast repeatedly on it that such an event occurred and the current uptime.
https://web-beta.archive.org/web/20111124050620/http://www.f...
I wouldn't be surprised if increased physical security on ATMs isn't worth the practical difference in losses.
I think the lack of physical security is more surprising than the lack of electronic security. A three-inch hole is pretty big, all things considered. I have to imagine that ATMs are designed to resist drilling three inch holes through to the money or the dispenser mechanism. Why isn't the computer protected to a similar degree?
It was cheaper not to.
I would use a hole saw (https://en.wikipedia.org/wiki/Hole_saw), and would think it fairly hard to protect a large enclosure against that. Locally strengthening the enclosure might be enough, but chances are thieves would start drilling around it to remove a larger patch or start employing an endoscope to connect something to the serial port.
Hardware-wise, it probably is easier to glue the connector shut, giving up on using the diagnostic port.
Making a hole in hardened steel is not easy. If you use a hole saw, it will either need to have diamond abrasive, or you will need carbide bits. If you don't use a hole saw, you are going to be using an angle grinder or a plasma torch.
Getting in fast will either generate a ton of heat or a ton of noise, or both. Plus, carbide and diamond tools are super expensive. Angle grinders, not as much, but I'd notice someone with a 3 foot trail of sparks behind them before I'd notice someone running a drill at a few hundred rpm.
Anyways, I do think they probably used a hole saw, which leads me to believe the computer was located behind some combination of aluminum/plastic/ordinary steel. Which is pretty ridiculous.
This reminds me of many many years ago some guy in a bimmer forum figured out BMW's iDriver music file formats (BR3/BR4/BR5) were simply DRM'd via XOR.[1] I was able to verify it via a simple script. Kudos to the reverse engineering masters!
[1]: http://www.e90post.com/forums/showthread.php?t=279294#5
Though I remember even worse, when a chip card's encryption was found not cost-effective enough to be enabled and security on this card was limited to encoding[1]; too bad it was a government-issued healthcare card, which led a minister to argue that using ASCII and binary was efficient in securing the data, while the GIE (Economic Interest Group) in charge of the chip tricked the whistleblower into demonstrating the vulnerability and sued him for having done so. Fun times!
[1]: http://bigbrotherawards.eu.org/Jerome-Cretaux-et-Patrick-Gue...
We had a "test" card that could be inserted in the EPROM socket. This small card was almost the same size as the original chip but had a few buttons that allowed us to make the mechanism deliver notes in order to fine tune it.
In a particular ATM design used by major banks in Brazil, this location was accessible by removing a front panel, although you would have to be kind of a contortionist in order to plug it in.
Why we can find whole ATMs at junkyards is beyond me: there are many easy to spot flaws. They should grind everything when decommissioning this kind of equipment.
If there are many easy to spot flaws, I don't think finding them in a junkyard is the root of the problem here. This is good old security by obscurity.
As Bruce Schneier says (at least about safes), you should be able to publish the blueprints and source code for the machines, then maybe they'll be secure. There should be enough physical security to ensure an attack will take longer to perform than the response time of the authorities. Any components which are vulnerable to physical attack need the same level of physical protection as the cash that's being protected.
Until this happens, 'hackers' (thieves) are going to keep finding flaws and exploiting them.
At the end of the day it's an arms race, and you're just trying to slow attackers down.
Serge Humpich[1] worked with decommissioned ATMs, and found and exposed a vulnerability allowing cash to be withdrawn with a card not linked to a bank account. Of course, instead of listening and fixing the issue, the banks tricked him and sued, and gave rise to the yescard, which forced the banks to patch up their security and replace ATMs. But hey, banks can't make the right choice all the time, can they?
From a 2010 Time article: "The average size machine can hold as much as $200,000, though few do. In off hours, most machines contain less than $10,000."
In the article they cite a Philadelphia theft case where a single stolen machine held $96,000.
In Japan, an ATM inside a bank might hold up to 40 million yen (≅ USD 350k) while an external one might have up to 30 million (≅ USD 270k).
Japan's a fairly safe country but there have been many cases of ATMs getting stolen too. Power shovel seems to be the method of choice.
The article claims there is essentially no authentication between disparate modules, only simple XOR encryption. That seems a clear fail.
In my experience, ATM control boards (I was literally at a factory in China for these a few weeks ago) tend to be custom PCBs but there is a move towards genericization. Presumably because their designs tend to date from bygone eras, they do not use software-based approaches in favor of hardware and security through obscurity. Perhaps it is time for a software-oriented modular ATM redesign project with an emphasis on modern internal security? Anyone want to collaborate? Serious question. (I have an existing ATM component factory group potentially on side already.)
Second, to 'notice' the independent activity of any given module, power draw should be easy to detect. Again, the lack of such a feature probably harks back to a bygone-era hardware-oriented design psychology.
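To illustrate the point raised above about XOR obfuscation with no authentication between modules, here is an added example (not from the article or from any ATM vendor's code). It contrasts a receiver that accepts XOR-obfuscated frames with one that requires an HMAC tag and a strictly increasing counter. The keys, frame layout and message text are constructed assumptions.

```python
import hashlib
import hmac
import struct

XOR_KEY = 0x5A                                # constructed single-byte key
MAC_KEY = b"constructed-per-module-pair-key"  # assumed provisioned at manufacture
TAG_LEN = 32                                  # HMAC-SHA256 tag size


def xor_frame(payload: bytes) -> bytes:
    """XOR obfuscation: hides the bytes, proves nothing about the sender."""
    return bytes(b ^ XOR_KEY for b in payload)


def xor_receive(frame: bytes) -> bytes:
    # No integrity check: every byte string decodes to some "valid" payload.
    return xor_frame(frame)


def mac_frame(counter: int, payload: bytes) -> bytes:
    """Frame layout (assumed): 8-byte big-endian counter | payload | tag."""
    body = struct.pack(">Q", counter) + payload
    return body + hmac.new(MAC_KEY, body, hashlib.sha256).digest()


class AuthenticatedReceiver:
    """Rejects frames with a bad tag or a counter that does not advance."""

    def __init__(self) -> None:
        self.last_counter = 0

    def receive(self, frame: bytes):
        if len(frame) < 8 + TAG_LEN:
            return None
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(MAC_KEY, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None                       # modified or forged frame
        counter = struct.unpack(">Q", body[:8])[0]
        if counter <= self.last_counter:
            return None                       # replayed or stale frame
        self.last_counter = counter
        return body[8:]


def flip_bit(frame: bytes, index: int) -> bytes:
    """Simulates a frame altered in transit on the internal bus."""
    return frame[:index] + bytes([frame[index] ^ 1]) + frame[index + 1:]
```

The XOR receiver has no way to tell an altered frame from a genuine one, while the authenticated receiver drops both altered and replayed frames.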
Seems we need lots of new ATMs, lots of them. And then prayer, for the fire-fighter-guild to not run out of money.