Hack An ATM With Raspberry Pi #piday #raspberrypi @Raspberry_Pi

Hacking an ATM with Raspberry Pi via blog.ptsecurity

First days of new year came with the warning about a new class of ATM fraud named “black box attack”. The crooks gain physical access to the top of the cash machine, connect their own computer to the the cash dispenser and force it to spit out cash, Krebs OnSecurity reports. In fact, this technics isn’t so new. The Positive Technologies experts Olga Kochetova and Alexey Osipov showed similar attacks on ATM at Black Hat Europe 2014 in Amsterdam.

For the experiment, the researchers used a cash machine and a popular controller Raspberry Pi. The small device can be easily hidden inside an ATM enclosure. Due to its size, it doesn’t draw attention of service engineers who, say, replace paper in built-in printers.

It is not much of a challenge to find ATM interface documentation. Regardless of the vendor, cash machines and payment terminals share the same API for accessing and manipulating various modules and use the Windows platform in accordance with the Extensions for Financial Services (XFS).

Knowing the API, one may easily gain access to an ATM host and directly manage multiple peripheral devices installed inside the money machine, e.g. a card reader, PIN pad, touchscreen display, dispenser unit, etc. Do not forget about ATM OS vulnerabilities — Windows has a lot of those in stock for many years to come.

Before Raspberry Pi can be installed inside an ATM and connected to Ethernet, USB, or RS-232 ports, an attacker needs to open up an ATM enclosure. At the machine’s upper part, there is a service area where the host that manages the ATM’s devices and network hardware, including poorly protected GSM/GPRS modems, are located. Unlike the safe located at the bottom, the upper part is quite easy to access — there is hardly any supervision over it if any. Attackers may open the service area using easy-to-make keys and simple materials at hands.

Yet it is not enough just to make it open — you need to be swift, and your manipulations must remain undetected.

At Black Hat, the Positive Technologies experts timed how long it took them to install the tiny computer inside the ATM service area for use as a sniffer to intercept PIN code and credit card info or as a skimmer that is virtually impossible to detect from the outside. The researchers were able to unlock the ATM enclosure, install, disguise, and bring their computer online in just two minutes.

When preparing for the presentation, the experts programmed Raspberry Pi to manage ATM peripheral modules. The computer connected to a Wi-Fi adapter, which you might access from any device like, say, your smartphone. A special web interface was designed to instruct the cash dispenser to empty the cassettes. The experts demonstrated how to make an ATM dispense several banknotes and, after some code adjustments, give out all the money. By the way, a typical ATM cassette holds two or three thousand banknotes, and there are usually four of those for different denominations inside a regular ATM.

It is needless to say that, as a result of the researchers’ proof-of-concept attack, the ATM dispensed all cash leaving no trace on the host; and though the camera was on, it was controlled by Raspberry Pi as well as any other devices on the hacked ATM.

How to Secure ATMs

It is not an easy feat to provide sufficient security protection for ATMs. A lot depends on an attack scenario. For example the UK’s LINK specialists advise replacing default locks for the service area and monitoring ATMs with cameras.

Meantime, the Positive Technologies experts are convinced that the main security problem lies in the possibility of installing any device or program (including Angry Birds) on ATMs exploiting OS and devices vulnerabilities. The tables may be turned if ATM vendors collaborate on a new, open specification for the components inside a cash machine to interact and authenticate securely. This would help to prevent anyone with a service area key from easily connecting whatever he or she wishes to the system.

Read more

998Each Friday is PiDay here at Adafruit! Be sure to check out our posts, tutorials and new Raspberry Pi related products. Adafruit has the largest and best selection of Raspberry Pi accessories and all the code & tutorials to get you up and running in no time!

Adafruit publishes a wide range of writing and video content, including interviews and reporting on the maker market and the wider technology world. Our standards page is intended as a guide to best practices that Adafruit uses, as well as an outline of the ethical standards Adafruit aspires to. While Adafruit is not an independent journalistic institution, Adafruit strives to be a fair, informative, and positive voice within the community – check it out here: adafruit.com/editorialstandards

Join Adafruit on Mastodon

Adafruit is on Mastodon, join in! adafruit.com/mastodon

Stop breadboarding and soldering – start making immediately! Adafruit’s Circuit Playground is jam-packed with LEDs, sensors, buttons, alligator clip pads and more. Build projects with Circuit Playground in a few minutes with the drag-and-drop MakeCode programming site, learn computer science using the CS Discoveries class on code.org, jump into CircuitPython to learn Python and hardware together, TinyGO, or even use the Arduino IDE. Circuit Playground Express is the newest and best Circuit Playground board, with support for CircuitPython, MakeCode, and Arduino. It has a powerful processor, 10 NeoPixels, mini speaker, InfraRed receive and transmit, two buttons, a switch, 14 alligator clip pads, and lots of sensors: capacitive touch, IR proximity, temperature, light, motion and sound. A whole wide world of electronics and coding is waiting for you, and it fits in the palm of your hand.

Have an amazing project to share? The Electronics Show and Tell is every Wednesday at 7pm ET! To join, head over to YouTube and check out the show’s live chat – we’ll post the link there.

Join us every Wednesday night at 8pm ET for Ask an Engineer!

Join over 36,000+ makers on Adafruit’s Discord channels and be part of the community! http://adafru.it/discord

CircuitPython – The easiest way to program microcontrollers – CircuitPython.org

Maker Business — “Packaging” chips in the US

Wearables — Enclosures help fight body humidity in costumes

Electronics — Transformers: More than meets the eye!

Python for Microcontrollers — Python on Microcontrollers Newsletter: Silicon Labs introduces CircuitPython support, and more! #CircuitPython #Python #micropython @ThePSF @Raspberry_Pi

Adafruit IoT Monthly — Guardian Robot, Weather-wise Umbrella Stand, and more!

Microsoft MakeCode — MakeCode Thank You!

EYE on NPI — Maxim’s Himalaya uSLIC Step-Down Power Module #EyeOnNPI @maximintegrated @digikey

New Products – Adafruit Industries – Makers, hackers, artists, designers and engineers! — #NewProds 7/19/23 Feat. Adafruit Matrix Portal S3 CircuitPython Powered Internet Display!

Get the only spam-free daily newsletter about wearables, running a "maker business", electronic tips and more! Subscribe at AdafruitDaily.com !

No Comments

No comments yet.

Sorry, the comment form is closed at this time.