Hack An ATM With Raspberry Pi #piday #raspberrypi @Raspberry_Pi

Hacking an ATM with Raspberry Pi via blog.ptsecurity

The first days of the new year came with a warning about a new class of ATM fraud named “black box attack”. The crooks gain physical access to the top of the cash machine, connect their own computer to the cash dispenser and force it to spit out cash, Krebs on Security reports. In fact, this technique isn’t so new. The Positive Technologies experts Olga Kochetova and Alexey Osipov showed similar attacks on ATMs at Black Hat Europe 2014 in Amsterdam.

For the experiment, the researchers used a cash machine and a popular controller, the Raspberry Pi. The small device can be easily hidden inside an ATM enclosure. Due to its size, it doesn’t draw the attention of service engineers who, say, replace paper in built-in printers.

It is not much of a challenge to find ATM interface documentation. Regardless of the vendor, cash machines and payment terminals share the same API for accessing and manipulating various modules and use the Windows platform in accordance with the Extensions for Financial Services (XFS).

Knowing the API, one may easily gain access to an ATM host and directly manage multiple peripheral devices installed inside the money machine, e.g. a card reader, PIN pad, touchscreen display, dispenser unit, etc. Do not forget about ATM OS vulnerabilities — Windows has a lot of those in stock for many years to come.

Before a Raspberry Pi can be installed inside an ATM and connected to Ethernet, USB, or RS-232 ports, an attacker needs to open up the ATM enclosure. In the machine’s upper part, there is a service area that houses the host that manages the ATM’s devices, along with network hardware, including poorly protected GSM/GPRS modems. Unlike the safe located at the bottom, the upper part is quite easy to access — there is hardly any supervision over it, if any. Attackers may open the service area using easy-to-make keys and simple materials at hand.

Yet it is not enough just to make it open — you need to be swift, and your manipulations must remain undetected.

At Black Hat, the Positive Technologies experts timed how long it took them to install the tiny computer inside the ATM service area for use as a sniffer to intercept PIN codes and credit card info or as a skimmer that is virtually impossible to detect from the outside. The researchers were able to unlock the ATM enclosure, install, disguise, and bring their computer online in just two minutes.

When preparing for the presentation, the experts programmed Raspberry Pi to manage ATM peripheral modules. The computer connected to a Wi-Fi adapter, which you might access from any device like, say, your smartphone. A special web interface was designed to instruct the cash dispenser to empty the cassettes. The experts demonstrated how to make an ATM dispense several banknotes and, after some code adjustments, give out all the money. By the way, a typical ATM cassette holds two or three thousand banknotes, and there are usually four of those for different denominations inside a regular ATM.

Needless to say, as a result of the researchers’ proof-of-concept attack, the ATM dispensed all its cash, leaving no trace on the host; and though the camera was on, it was controlled by the Raspberry Pi, as were all the other devices on the hacked ATM.

How to Secure ATMs

It is not an easy feat to provide sufficient security protection for ATMs. A lot depends on the attack scenario. For example, the UK’s LINK specialists advise replacing default locks for the service area and monitoring ATMs with cameras.

Meanwhile, the Positive Technologies experts are convinced that the main security problem lies in the possibility of installing any device or program (including Angry Birds) on ATMs by exploiting OS and device vulnerabilities. The tables may be turned if ATM vendors collaborate on a new, open specification for the components inside a cash machine to interact and authenticate securely. This would help to prevent anyone with a service area key from easily connecting whatever he or she wishes to the system.
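A minimal sketch of the component authentication the researchers call for, as an added example that is not from the original article or from any ATM vendor: the dispenser executes a command only if it carries a keyed MAC bound to a fresh, single-use challenge, so a device plugged into the service area without the key is refused. The class names, command format and pre-shared key are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets


class Host:
    """Legitimate ATM host: holds the key shared with the dispenser."""

    def __init__(self, key: bytes):
        self._key = key

    def sign(self, nonce: bytes, command: bytes) -> bytes:
        # The 16-byte nonce has fixed length, so nonce + command is unambiguous.
        return hmac.new(self._key, nonce + command, hashlib.sha256).digest()


class Dispenser:
    """Dispenser module: acts only on commands tied to its latest challenge."""

    def __init__(self, key: bytes):
        self._key = key          # assumed to live in tamper-resistant storage
        self._pending = None     # outstanding one-time challenge, if any

    def challenge(self) -> bytes:
        self._pending = secrets.token_bytes(16)
        return self._pending

    def execute(self, command: bytes, tag: bytes) -> bool:
        nonce, self._pending = self._pending, None   # a challenge is single use
        if nonce is None:
            return False                             # replay or unsolicited command
        expected = hmac.new(self._key, nonce + command, hashlib.sha256).digest()
        return hmac.compare_digest(expected, tag)    # constant-time comparison


def demo():
    key = secrets.token_bytes(32)            # constructed key for the demo
    host, dispenser = Host(key), Dispenser(key)
    cmd = b"DISPENSE cassette=1 notes=2"     # hypothetical command format

    tag = host.sign(dispenser.challenge(), cmd)
    genuine = dispenser.execute(cmd, tag)    # accepted
    replayed = dispenser.execute(cmd, tag)   # same message again, no new challenge

    unkeyed = Host(secrets.token_bytes(32))  # device that lacks the shared key
    forged = dispenser.execute(cmd, unkeyed.sign(dispenser.challenge(), cmd))

    tag = host.sign(dispenser.challenge(), cmd)
    altered = dispenser.execute(b"DISPENSE cassette=1 notes=40", tag)
    return genuine, replayed, forged, altered


if __name__ == "__main__":
    print(demo())
```

The scheme only helps if the key never leaves the two modules; a key readable from the Windows host would be available to anything installed on it.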
