
How to Rob a Bank

ATM Security is Startlingly Lax

“Because that’s where the money is.” – Willie Sutton, when asked why he robs banks

When you think of secure, reliable, mission-critical computers, you naturally think of Windows, right? It’s obvious. It’s so bulletproof, especially Windows XP. 

That’s evidently the thinking behind many, and perhaps most, of the world’s automated teller machines (ATMs), which are little more than PC motherboards connected to a cash drawer. Everything you know and love about Windows is on display (sometimes literally), including its file system, patch history, security protocols, command prompt, help system, and the dreaded Blue Screen of Death. 

If you want to rob a bank today, all you really need is a USB thumb drive, a CAT5 cable, and a passing familiarity with Windows. No Tommy gun or 1934 Ford Fordor Deluxe sedan required. Oh, and it helps to have a fake bank guard’s uniform. 

Unlike, say, your home Wi-Fi router or a PlayStation 5, the average ATM isn’t based on custom hardware or custom software. “An ATM is basically a block of metal with a PC computer inside,” says Bruno Gonçalves de Oliveira, a “white hat” ATM security expert at Trustwave SpiderLabs. As such, it’s susceptible to most of the usual Windows hacks – if you can get near it. It’s physical security, not cybersecurity, that protects the majority of ATMs. And it’s not that hard to get inside one of the machines, as Oliveira has documented.  

The first – and sometimes, the only – level of protection is a metal box surrounding the PC motherboard and other components. It’s typically sheet metal with a lock or two to keep out evildoers. But PCs need ventilation, so the boxes have holes in them to promote airflow. These holes are sometimes large enough that Oliveira has been able to insert tools, remove cables, or otherwise tamper with the computer, all without so much as unlocking the enclosure. 

Not that unlocking it is all that difficult. “Any person with entry-level expertise” in lock picking can do it, he says. “You don’t need the skills to open a bank vault or crack a safe” in order to gain access to an ATM computer. 

But surely you can’t just waltz into a bank and start picking the locks? You might be surprised. First off, not all ATMs are inside banks. They’re so ubiquitous now that many are in remote, unmonitored locations. Second, SpiderLabs has found that bank employees don’t take much interest in the “maintenance guy” standing around the ATM. Having a toolbox and a uniform helps. 

ATMs often have cameras, and these are usually little more than USB-connected webcams. A USB connection implies a USB cable and a USB port, and these both present security holes. It’s sometimes possible to disconnect the camera and plug a different USB device in its place. A USB flash drive, for example. With your own software on it. 

Then there’s the network, which is usually wired Ethernet, although some ATMs have wireless GSM connections, particularly in remote areas. That Ethernet cable has to go somewhere, which means it sometimes snakes across the floor to another computer. Oliveira has found unprotected CAT5 cables dangling out the backs of ATMs, making network-based attacks almost too easy. 

Once you get inside the metal box, the security is lax there, too. Exposed USB, keyboard, mouse, and Ethernet jacks are common. Sometimes these have been disabled in Windows’ security settings, but oftentimes they’re not, and plugging in a keyboard allows access to the Windows UI. USB ports will sometimes recognize – and even autoload – whatever they find on a flash drive. 

With a keyboard connected, it’s easy to press Alt-Tab to switch tasks. If that doesn’t work, try pressing F1, the default Help key for Windows. The Windows Help system was designed to work even when applications crash, with the side effect that it breaks out of the security “sandbox” and allows user access to a command prompt and other programs. 

Rebooting can work, too. BIOS passwords are often left with their default or changed to something criminally simple, like 0000. Most BIOS bootloaders will happily boot from whatever medium you specify, opening the door to any operating system you care to bring along on your heist. 

Variety and inconsistency seem to be the order of the day. Some ATM manufacturers are good about changing passwords, managing user privileges, and locking out unwanted programs. Others seem content with Windows’ default settings. Some banks add their own layer of security, while some leave the manufacturer’s settings alone. 

Most ATMs use CEN/XFS, the optional Windows APIs for banking applications. The standardized APIs make it easy to develop financial software, but they also present a security hole, says Oliveira. You can’t protect an API from misuse; you can only catch mistakes. Windows might prevent a legitimate program from passing the incorrect number of parameters, but it can’t prevent a malicious program from using the API correctly and opening the cash drawer. Thus, the onus is on the operating system to prevent malicious software from running in the first place. And many ATMs just don’t do that. 

Although Windows allows system administrators to control access to applications, it’s harder to control individual components of Windows that can be leveraged for nefarious purposes. Oliveira uses the example of a malicious .DLL file that’s on the system’s approved whitelist but that has been corrupted or rewritten to do bad things. Common Windows files like MSBuild.exe and RunDLL32.exe both provide good gateways into the heart of the system, he says. 

ATMs have nice touch-screen GUIs, and many play video, either as a cheerful user interface, to kill time while the machine counts out the bills, or to promote the bank’s other services. Video playback is mediated by the operating system, and therefore difficult to replace. Video plugins can bridge the connection between the ATM application and the OS, giving hackers a chance to escape the application sandbox.

Do most ATM thieves simply take the money and run, or do they play a longer game and leave malware behind? “They’ll normally inject something into the ATM,” says Oliveira. “They don’t want just the money. They want it running something for them.” Infected ATMs can harvest users’ debit card information, for example. The malware might also have access to the Windows file system, with whatever trove of information that contains. Many ATMs don’t bother to encrypt their file systems, by the way, even though it’s a built-in feature of Windows.
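As an added example (not code from the article, from Trustwave SpiderLabs, or from any ATM vendor), the following PowerShell script audits a Windows host for the weaknesses this and the preceding paragraphs describe: a loadable USB storage driver and AutoRun left on, missing or unenforced AppLocker rules for executables and DLLs, an unencrypted system volume, and recent launches of MSBuild.exe or rundll32.exe on a machine that should only ever run its ATM application. The function name, the one-day event window, the registry-value thresholds and the 4688 field indexes are my assumptions; it needs an elevated prompt, a Windows edition that ships the AppLocker and BitLocker modules, and process-creation auditing turned on.

```powershell
# Hardening and detection audit for a Windows-based ATM host.
# Example code, not from the article, Trustwave SpiderLabs, or any ATM vendor.
# Assumes: elevated session, AppLocker + BitLocker modules present, and
# process-creation auditing (Security Event ID 4688) enabled.
function Invoke-AtmHardeningAudit {
    $findings = @()

    # 1. USB mass storage (the "swap the webcam for a flash drive" path).
    #    USBSTOR Start=4 disables the driver; anything else leaves it loadable.
    $usbstor = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR' `
                                -Name Start -ErrorAction SilentlyContinue
    if (-not $usbstor -or $usbstor.Start -ne 4) {
        $findings += 'USBSTOR driver not disabled (Start != 4)'
    }

    # 2. AutoRun/AutoPlay. NoDriveTypeAutoRun = 0xFF disables it for every drive type.
    $explorerPol = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    $autorun = Get-ItemProperty -Path $explorerPol -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue
    if (-not $autorun -or $autorun.NoDriveTypeAutoRun -ne 0xFF) {
        $findings += 'AutoRun not disabled for all drive types (NoDriveTypeAutoRun != 0xFF)'
    }

    # 3. Application whitelisting. Both Exe and Dll collections must be ENFORCED,
    #    since the concern is a whitelisted-but-replaced DLL, not only rogue EXEs.
    $policy = Get-AppLockerPolicy -Effective -ErrorAction SilentlyContinue
    if (-not $policy) {
        $findings += 'No effective AppLocker policy'
    } else {
        [xml]$xml = $policy.ToXml()
        foreach ($type in 'Exe', 'Dll') {
            $coll = $xml.AppLockerPolicy.RuleCollection | Where-Object { $_.Type -eq $type }
            if (-not $coll -or $coll.EnforcementMode -ne 'Enabled') {
                $findings += "AppLocker $type rules are not enforced"
            }
        }
    }

    # 4. Full-disk encryption of the system volume (BitLocker is built into Windows).
    $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
    if (-not $vol -or $vol.ProtectionStatus -ne 'On') {
        $findings += "BitLocker protection is not on for $env:SystemDrive"
    }

    # 5. Detection: recent launches of the living-off-the-land binaries the article names.
    #    On a kiosk that runs one application, any such start deserves a look.
    #    Field indexes 5 (NewProcessName) and 13 (ParentProcessName) are the 4688
    #    layout on Windows 10 / Server 2016 and later (assumed here).
    $lolbins = 'MSBuild.exe', 'rundll32.exe'
    $since = (Get-Date).AddDays(-1)   # assumed review window
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $since } `
                           -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        $newProc = $e.Properties[5].Value
        $parent  = $e.Properties[13].Value
        $leaf = Split-Path -Leaf $newProc
        if ($lolbins -contains $leaf) {   # -contains is case-insensitive
            $findings += "Process-creation event: $newProc launched by $parent at $($e.TimeCreated)"
        }
    }

    return $findings
}

$results = @(Invoke-AtmHardeningAudit)
if ($results.Count -eq 0) {
    'No findings.'
} else {
    $results | ForEach-Object { "FINDING: $_" }
}
```

Each finding maps to one of the gaps described above, so an empty result means the host at least has the USB, AutoRun, whitelisting and encryption settings a locked-down kiosk should have; the event query is the cheap detection to pair with them, because a correctly enforced AppLocker policy should make those launches impossible in the first place, and a hit means the policy is not doing its job.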

Are ATMs getting better? Are there any secure, hack-proof ATMs out there? Oliveira is blunt: “No.” 

Surely, Windows must be the problem and so a shift away from the generic PC platform would be an improvement? He’s not so sure. “Windows is updated constantly, so it gets better on its own.” It’s a better choice than Linux, for example, which has even more gaping holes in it than Windows does.

I’m no security expert, but it seems like ATMs suffer from the monoculture syndrome. They’re all so similar that one virus, one type of attack, could flatten them all. It becomes economically attractive to work on ATM malware, and not just for the obvious reason of the cash drawer in front. If you successfully crack one Windows-based ATM, you’ve got a leg up on them all. 

Maybe diversity is the answer. Custom hardware and custom software would fragment the ATM market, and in this case, that’s a good thing. Plus, custom hardware is obscure by its very nature. Unless you’re using Raspberry Pi or some other commercially available hardware platform, your average hacker won’t know where to start. Security through obscurity might actually work in this case. Or at least help. 

There are plenty of RTOS vendors creating secure operating systems, too. It’s not as though the high-reliability market didn’t exist before ATMs. If Green Hills Integrity-178 RTOS can fly military aircraft, I’m pretty sure it can handle a different kind of cash machine.  

As it stands, your neighborhood ATM might be less secure than the cash register at your local McDonald’s. Although to be fair, those also run Windows… and sometimes Doom. Just be careful if you see B.J. Blazkowicz pitching low-interest loans. 
