I've held off on posting anything about this for the better part of a year. In some part, there is always the fear of someone either trying to repeat it or being blamed for some ATM hack. Either way, with all the news in the past few weeks on ATM hacks, I figured it would be interesting to post my own experiments in the area. It was thoroughly entertaining!
So…before we begin…DO NOT DO THIS!! DO NOT ATTEMPT IT! IF YOU DO THIS WITHOUT PERMISSION, YOU WILL GO TO JAIL!! IF YOU DON'T KNOW HOW TO GET PERMISSION, DO NOT DO THIS!!
It isn't useful to discuss the who, what, when, where of this test, only suffice to say, this is likely repeatable on other vendors.
We start with said ATM…names obscured to protect the…well, me!
Sometimes this is easier than you might expect. Press the wrong combination of buttons. Tap the touchscreen and find a "magic combination" of places to trigger the admin mode. In my experience, the methods I just mentioned are pretty useless. You may get lucky, but there usually isn't an admin mode you can access without cracking into the box. You may have better luck…just saying.
In this instance, it was using a magnetic stripped card that wasn't a debit/credit card. Go figure right! I mean, who makes an ATM that doesn't validate that the information on the card isn't real? Well, apparently this ATM validated it, but did a rather poor job of handling errors. We'll get to that at the end, so lets continue.
Imagine my surprise that this thing is running Windows 7! Ok, so this should be pretty easy. Just wander your way through the menus and open the onscreen keyboard and…we're off!
Imagine my "WTF" when I open IE and it gets online! Why does it need to get on the internet? Oh, because many ATM vendors are putting them in locations where they share an internet connection. I'm not going to get into this one (as I'm sure many will refute it or "correct" me), but this is my observation of common practice. Sure, many still use dialup and some are using cellular and other connections, but there are many that are using ethernet connections to somewhere.
Also, why wasn't this thing "hardened" and non-required programs removed? This joker was a full blown Windows 7 Professional install! What were you thinking ATM guys! Moving on...
As I mentioned before...DO NOT DO THIS!! IF YOU ARE NOT AUTHORIZED, IT IS A FEDERAL OFFENSE.
Sometimes breaking into things is easier than magic key combinations and secret backdoor knowledge. Sometimes, a little perseverance and luck will get you farther. In this instance, it was bad error handling! Walking through the steps to withdraw or deposit and listening to the hardware engage and disengage even when failing to recognize my card gave me the hint. I don't know why, but it did.
I for sure as heck wasn't using a legit card. I used what I had available…my Flamingo hotel room card from a previous stay. After a series of trial and error I was able to repeatably generate errors when hardware would engage and I would swipe the card. The card would read as bad and cause the software to crash, but only in certain situations. I'm not going to say what they were.
As mentioned before, a little perseverance pays off. I found other instances where using combinations of the card and hitting cancel, enter, or touching buttons on the screen would allow the program to continue. This of course eventually lead to the mother load!
Name and pertinent info obscured for obvious reasons. You may notice, this is a deposit receipt. Why was I putting money in instead of taking money out you ask? Well, the long story short is not everything works right when you're breaking it and the machine would not generate withdrawal receipts. Pretty funny I guess!
This machine was particularly cool because, not only could you make realtime deposits to the bank, the machine would spit out prepaid debit cards! I was actually able to register my Flamingo debit card as a source the machine would repeatably recognize and was able to redeposit my ill gotten gains back into the machine and onto my card!
If I don't get in trouble for making this, my first serious post, there will be more to follow on other projects and failings.
On a side note, if you see me at a CON and I'm wearing the Flamingo hotel card, you now know why. It is a badge of honor that, until now, has been an inside joke. This was my hotel room card from DEFCON 20. And hilariously proved useful for more than just getting erased by my cell phone and locking me out of my room at an inconvenient moment of inebriation.
So…before we begin…DO NOT DO THIS!! DO NOT ATTEMPT IT! IF YOU DO THIS WITHOUT PERMISSION, YOU WILL GO TO JAIL!! IF YOU DON'T KNOW HOW TO GET PERMISSION, DO NOT DO THIS!!
It isn't useful to discuss the who, what, when, where of this test, only suffice to say, this is likely repeatable on other vendors.
We start with said ATM…names obscured to protect the…well, me!
Step #1: Generate Error
In this instance, it was using a magnetic stripped card that wasn't a debit/credit card. Go figure right! I mean, who makes an ATM that doesn't validate that the information on the card isn't real? Well, apparently this ATM validated it, but did a rather poor job of handling errors. We'll get to that at the end, so lets continue.
Step #2: Explore
Imagine my surprise that this thing is running Windows 7! Ok, so this should be pretty easy. Just wander your way through the menus and open the onscreen keyboard and…we're off!
Imagine my "WTF" when I open IE and it gets online! Why does it need to get on the internet? Oh, because many ATM vendors are putting them in locations where they share an internet connection. I'm not going to get into this one (as I'm sure many will refute it or "correct" me), but this is my observation of common practice. Sure, many still use dialup and some are using cellular and other connections, but there are many that are using ethernet connections to somewhere.
Also, why wasn't this thing "hardened" and non-required programs removed? This joker was a full blown Windows 7 Professional install! What were you thinking ATM guys! Moving on...
Step #3: Profit
As I mentioned before...DO NOT DO THIS!! IF YOU ARE NOT AUTHORIZED, IT IS A FEDERAL OFFENSE.
Sometimes breaking into things is easier than magic key combinations and secret backdoor knowledge. Sometimes, a little perseverance and luck will get you farther. In this instance, it was bad error handling! Walking through the steps to withdraw or deposit and listening to the hardware engage and disengage even when failing to recognize my card gave me the hint. I don't know why, but it did.
I for sure as heck wasn't using a legit card. I used what I had available…my Flamingo hotel room card from a previous stay. After a series of trial and error I was able to repeatably generate errors when hardware would engage and I would swipe the card. The card would read as bad and cause the software to crash, but only in certain situations. I'm not going to say what they were.
As mentioned before, a little perseverance pays off. I found other instances where using combinations of the card and hitting cancel, enter, or touching buttons on the screen would allow the program to continue. This of course eventually lead to the mother load!
Name and pertinent info obscured for obvious reasons. You may notice, this is a deposit receipt. Why was I putting money in instead of taking money out you ask? Well, the long story short is not everything works right when you're breaking it and the machine would not generate withdrawal receipts. Pretty funny I guess!
This machine was particularly cool because, not only could you make realtime deposits to the bank, the machine would spit out prepaid debit cards! I was actually able to register my Flamingo debit card as a source the machine would repeatably recognize and was able to redeposit my ill gotten gains back into the machine and onto my card!
If I don't get in trouble for making this, my first serious post, there will be more to follow on other projects and failings.
On a side note, if you see me at a CON and I'm wearing the Flamingo hotel card, you now know why. It is a badge of honor that, until now, has been an inside joke. This was my hotel room card from DEFCON 20. And hilariously proved useful for more than just getting erased by my cell phone and locking me out of my room at an inconvenient moment of inebriation.