ATM Compromise with and without Whitelisting


Transcript of ATM Compromise with and without Whitelisting

Page 1: ATM Compromise with and without Whitelisting

ATM Compromise with or without Whitelisting

Page 2: ATM Compromise with and without Whitelisting

Agenda

1. whoami
2. Application Whitelisting
3. Threat - ATM Jackpotting malware
4. Software mitigations have improved but we still see weaknesses
5. Recommendations

23/06/15 2 © FortConsult

Page 3: ATM Compromise with and without Whitelisting

whoami: Alexandru Gherman

Head of Research | Principal Security Consultant
FortConsult Denmark | NCC Group

Reverse engineering * Firmware * UEFI * Finding Bugs * Malware analysis

@alexgherman

Page 4: ATM Compromise with and without Whitelisting

What we do @FortConsult

Ø Reverse engineering
Ø Penetration Testing
Ø ATM security testing (Physical and Software attacks)
Ø Security assessments
Ø Audits * Source Code Review * Static and dynamic analysis
Ø Hardware security testing - ATM controllers, CCTV, Bluetooth, Smart TV, Physical Security and other smart devices
Ø Malware analysis
Ø Threat analysis and research * Incident Response * Forensics

Page 5: ATM Compromise with and without Whitelisting

Application Whitelisting

♦ Appropriate for ATM devices
♦ It blocks each load/execute attempt (hooks into Windows APIs such as LoadLibrary, WinExec, CreateProcess)
♦ Unique way to secure against unauthorized software
♦ Reduces the risk but does not make the solution infallible to buffer overflow type of attacks

Page 6: ATM Compromise with and without Whitelisting

However there is still a risk

Only one of these has to be vulnerable … so that a system could be compromised!

Why? Still buffer overflows and other development errors…

Page 7: ATM Compromise with and without Whitelisting

 


Page 8: ATM Compromise with and without Whitelisting

Still vulnerable on the network

Page 9: ATM Compromise with and without Whitelisting

Tyupkin Malware - Backdoor.MSIL.Tyupkin

♦ What is Tyupkin?
♦ Stage 1
  § Physical access to the ATM
  § Insert bootable CD
  § Once the ATM is rebooted the infected ATM is under control
♦ Stage 2
  § Infinite loop waiting for a command
  § Only accepts commands at specific times

Page 10: ATM Compromise with and without Whitelisting

Tyupkin Malware - Backdoor.MSIL.Tyupkin

Page 11: ATM Compromise with and without Whitelisting


Tyupkin Malware - Backdoor.MSIL.Tyupkin

Page 12: ATM Compromise with and without Whitelisting


Page 13: ATM Compromise with and without Whitelisting

 


Bypassing Whitelisting can lead to jackpotting

Ø FortConsult performed a lot of research and developed own XFS-compliant code
Ø Although we worked with ATM emulated environments, what we developed seems to work on any XFS compliant ATM!
Ø Administrative privilege is not necessarily required to jackpot
Ø Let us try it with your setup?

Page 14: ATM Compromise with and without Whitelisting

 


Page 15: ATM Compromise with and without Whitelisting

 

All this can happen while offline and without network connectivity!

Without being monitored…

On a priority scale, you don't need 0-day detection, you need compromise detection first. Knowing how you were compromised is less important than knowing that you were.

Page 16: ATM Compromise with and without Whitelisting

The path to the risk

♦ In every application there are design/development errors
♦ It takes only "whitelisted" vulnerable applications and other underlying components to compromise a system
♦ "Buffer overflow detections" don't always work as advertised
♦ Exploitation
  § Develop exploit
  § Control EIP
  § Gain arbitrary code execution

Page 17: ATM Compromise with and without Whitelisting

 

 

 

 


Unlike Tyupkin’s Physical Access, we used a buffer overflow in a Whitelisted Application!

An attacker would always look for a door that allows a bypass!

Page 18: ATM Compromise with and without Whitelisting

Software Development

♦ Software mitigations introduced in Windows Vista/7/8 are good, but they are not invincible

ASLR in Windows!

Page 19: ATM Compromise with and without Whitelisting

Demo time!

Page 20: ATM Compromise with and without Whitelisting

Recommendations? Probably not Uninstall/Disable. It's still one of the Only! If not, probably the best right now!

Ø Thorough application inventory review of all the applications installed on the ATM
  Ø Internet Explorer
  Ø Java/Flash Runtime engines
  Ø Image renderers, Virtual Browsers
  Ø Communications and message parsers
Ø ATM security test (Blackbox/Greybox)
  Ø Physical attacks
  Ø Network attacks
  Ø Application attacks
Ø Source Code review of the custom applications installed

Page 21: ATM Compromise with and without Whitelisting

Recommendations? Probably not Uninstall/Disable. It's still one of the Only! If not, probably the best right now!

Ø Build a Lockdown Suite of Security Controls formed out of a corroboration of
  Ø Windows Security Features (through use of ASLR, DEP, Stack Canaries)
  Ø Disk Encryption
  Ø Whitelisting
  Ø And other security controls which we usually see Unleveraged!
Ø We can help you Here!
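As an added example (not code from the talk or from FortConsult) of the inventory check the two recommendation slides and the "ASLR in Windows!" slide call for: the Python below reads a PE image's OptionalHeader.DllCharacteristics and reports whether the binary opted into ASLR (DYNAMIC_BASE) and DEP (NX_COMPAT); the function names are mine, and build_stub_pe constructs a minimal, non-loadable header purely so the check can be exercised offline. Stack canaries (/GS) are a compiler feature with no header flag, so they cannot be checked this way.

```python
import struct

# OptionalHeader.DllCharacteristics flags from the PE/COFF specification
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA = 0x0020  # 64-bit ASLR entropy
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040     # ASLR opt-in
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100        # DEP opt-in


def pe_mitigations(data: bytes) -> dict:
    """Parse the PE headers and report which header-declared mitigations are set."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: bad PE signature")
    # IMAGE_NT_HEADERS = 4-byte signature + 20-byte IMAGE_FILE_HEADER + optional header
    opt = e_lfanew + 24
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (0x10B, 0x20B):  # PE32 / PE32+
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # DllCharacteristics sits at offset 70 of the optional header in both PE32 and PE32+
    (dll_chars,) = struct.unpack_from("<H", data, opt + 70)
    return {
        "pe32plus": magic == 0x20B,
        "aslr": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
        "dep": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
        "high_entropy_va": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA),
    }


def missing_mitigations(data: bytes) -> list:
    """Mitigations named on the slide that this image did not opt into."""
    m = pe_mitigations(data)
    missing = []
    if not m["aslr"]:
        missing.append("ASLR (DYNAMIC_BASE)")
    if not m["dep"]:
        missing.append("DEP (NX_COMPAT)")
    return missing


def build_stub_pe(dll_characteristics: int, pe32plus: bool = False) -> bytes:
    """Constructed minimal PE header for the demo only; it is not a loadable image."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: NT headers start at 0x40
    file_header = bytes(20)                  # IMAGE_FILE_HEADER, zeroed
    opt = bytearray(96)                      # enough of the optional header to reach +70
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<H", opt, 70, dll_characteristics)
    return bytes(dos) + b"PE\0\0" + file_header + bytes(opt)
```

Run missing_mitigations over the bytes of every binary on the whitelist; a whitelisted image that reports ASLR or DEP missing is exactly the kind of "whitelisted vulnerable application" the earlier slides describe.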

Page 22: ATM Compromise with and without Whitelisting

Europe: Manchester - Head Office, Amsterdam, Cheltenham, Copenhagen, Edinburgh, Leatherhead, London, Luxembourg, Milton Keynes, Munich, Zurich, Sweden, Vilnius, Portugal

North America: Atlanta, Austin, Chicago, New York, San Francisco, Seattle, Sunnyvale

Australia: Sydney

Russia: Moscow

Page 23: ATM Compromise with and without Whitelisting

 

 

 

A very special thank you to the expert team at KAL ATM Software; they are one of the only companies worldwide who support advanced testing and research.

Page 24: ATM Compromise with and without Whitelisting
