Networked ATMs have been in continuous operation since the 1980s, and with that comes an industry built around legacy software, hardware, and network protocols. These are the original “IoT” devices, and it shows: picking apart many ATMs reveals the dirty secret of a dial-up modem hiding behind steel walls. Compounding the problem, the high barrier to entry for legal reverse engineering has left large-scale ATM deployments without sufficient security testing. In this talk we share a reverse engineer’s perspective on ATM security, present our findings on two new network-based vulnerabilities we discovered, and demonstrate these vulnerabilities live on stage.
First, we present our initial reverse engineering efforts. This involves achieving persistent firmware modification, creating our own payment processor server, and developing custom debugging tools.
Next, we discuss the different network attack surfaces we found on the ATM and present an in-depth analysis of the protocols used. These include the aforementioned payment processing service, the remote management service, and the inter-process communication (IPC) used to control ATM peripherals.
Lastly, we disclose two vulnerabilities in the network services we reverse engineered. The first vulnerability takes advantage of the ATM’s network-based administration interface, the Remote Management Service (RMS). A vulnerability in this interface was first presented by Barnaby Jack nearly a decade ago. While that vulnerability was patched, we discovered a new vulnerability which can lead to arbitrary code execution and complete compromise of the device.
The second vulnerability lies in the OEM’s XFS middleware. CEN’s eXtensions for Financial Services (XFS) specification defines a standard client/server architecture for financial applications running on Windows, in which applications drive peripherals such as the cash dispenser through a vendor-neutral API. A vulnerability in the manufacturer’s implementation of this specification allows for command injection and trivial jackpotting of any ATM reachable on the network.
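The bug class named above, as an added illustration that is not the OEM’s code and not the disclosed vulnerability: a network-facing service that splices a client-supplied field into a command string and hands it to a shell, beside the same operation done with strict validation and an argument vector. The `dispense` operation, the `echo` stand-in for a peripheral-control helper, and the request values are constructed for this example and assume a POSIX shell; the real middleware is Windows C code, but the mechanism is the same.

```python
"""Added example: how a network-reachable command path becomes injectable.

Constructed stand-in for a peripheral-control middleware; not the OEM's code
and not the disclosed vulnerability. The "peripheral helper" is simulated
with `echo` so the block runs anywhere with a POSIX shell.
"""
import re
import subprocess

# Constructed request fields, the kind a middleware might lift straight out
# of a client message and pass along to a helper process.
BENIGN_AMOUNT = "100"
# Shell metacharacters in an attacker-controlled field: everything after the
# ';' is a second command. "echo PWNED" stands in for whatever the attacker
# wants the host to run.
INJECTED_AMOUNT = "100; echo PWNED"


def dispense_vulnerable(amount: str) -> str:
    """Builds a command line by string splicing and hands it to a shell.

    Whatever the caller puts in `amount` is interpreted by /bin/sh, so a
    field that should be a number can smuggle in arbitrary commands.
    Returns the helper's combined stdout.
    """
    cmd = f"echo dispense {amount}"  # 'echo' stands in for the real helper
    out = subprocess.run(cmd, shell=True, capture_output=True, text=True, check=False)
    return out.stdout


# Allowlist for the field: a positive integer of at most six digits.
AMOUNT_RE = re.compile(r"^[1-9][0-9]{0,5}$")


def dispense_hardened(amount: str) -> str:
    """Validates the field against a strict allowlist, then invokes the
    helper with an argument vector. No shell is involved, so shell
    metacharacters in `amount` carry no meaning even if validation were
    loosened later."""
    if not AMOUNT_RE.fullmatch(amount):
        raise ValueError(f"rejected amount field: {amount!r}")
    argv = ["echo", "dispense", amount]
    out = subprocess.run(argv, capture_output=True, text=True, check=False)
    return out.stdout


def hardened_rejects(amount: str) -> bool:
    """True if the hardened path refuses the field outright."""
    try:
        dispense_hardened(amount)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("vulnerable, benign  :", repr(dispense_vulnerable(BENIGN_AMOUNT)))
    print("vulnerable, injected:", repr(dispense_vulnerable(INJECTED_AMOUNT)))
    print("hardened, benign    :", repr(dispense_hardened(BENIGN_AMOUNT)))
    print("hardened rejects injected field:", hardened_rejects(INJECTED_AMOUNT))
```

The vulnerable path returns two lines for the injected field because the shell ran two commands; the hardened path never reaches a shell at all, and rejects anything that is not a plain positive integer before the helper is invoked.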
At the end, we demonstrate the aforementioned vulnerabilities live on stage with a real ATM. This includes:
1. Redirecting an ATM to a malicious payment processor server to harvest customer card data.
2. Jackpotting ATMs over the network through XFS command injection.