[vc_row type=”in_container” full_screen_row_position=”middle” scene_position=”center” text_color=”dark” text_align=”left” overlay_strength=”0.3″][vc_column column_padding=”no-extra-padding” column_padding_position=”all” background_color_opacity=”1″ background_hover_color_opacity=”1″ column_shadow=”none” width=”2/3″ tablet_text_alignment=”default” phone_text_alignment=”default” column_border_width=”none” column_border_style=”solid”]
Two Spanish computer security experts, Rubén Garrote and Rubén Ródenas, members of the CyberSOC Ethical Hacking team at Deloitte, have developed software capable of violating ATM security measures, accessing the most sensitive parts of their code and exploiting it So that the automatic cajeto spits notes.
As part of their audit work, which involves finding vulnerabilities so that banks can correct them, they have discovered how simple it could be for a cybercrime to overcome the various barriers of the cashier until that point. However, stealing money is not what most alarms them. “Our customers, in fact, tell us that their concern is not cash but card theft, bank transactions and theft of account numbers.” A few months ago Garrote and Rodenas decided to take the final leap and hack a real cashier, one like the ones we use every day, to be able to inspect it and learn more about its mechanism. However, as reported in the security congress Rooted CON, held last week in Madrid, was not an easy task, as the purchase of ATMs by individuals is moving in a kind of legal limbo.
After a purchase of a Chinese cashier, who ended up canceling because of the lack of transparency of the transaction, these two enthusiasts were able to get in February with a couple of machines that were sold by a Turkish supplier. “Having a cashier allows us to develop specific auditing applications with total freedom and without time limit,” they detail.
Their work is based on circumventing the protections of the system. Every time they get past a safety measure, they learn about it and can give advice on how to improve it. Unfortunately, such knowledge is often not passed on to researchers, so it is often necessary to start from scratch (or almost) in each audit. To solve this problem, Garrote and Ródenas sought a way to simplify the process and began to develop a software capable of locating and using those security holes automatically.
“We saw the need to centralize the different tests on ATM so that the next partner that had to audit would start from that battery of tests as base and did not have to reinvent the wheel” they say. Thus was born TLOTA, the program still in beta phase that has allowed them to circumvent the protections of the money dispensers.
Once executed the software is able to bypass the security barriers by itself until, for example, to dispense money (something that they have already been able to check in several tests). However, we can rest easy. The program is in good hands and does not implement methods of hiding or persistence, so simply cancel the process so that it stops working. “It’s a tool for auditing, not malware. The ‘software’ must be consciously executed, “they point out.
Experts point out that the final code of TLOTA was written in a few hours, once they decided to collect all the pieces of programs they had loose to carry out different tests. In addition, it is “a live software, constantly expanding and improving.”
Once you have overcome the obstacles until you reach the lowest layers of the system, TLOTA is programmed to send the commands that the cashier expects to receive to perform certain actions (for example, to withdraw money), without it being necessary that in the layer High (which the user sees on the machine’s screen), enter the PIN or press the buttons that would give the same order.
Although visually the most shocking when it comes to running this program is that the cashier, if not properly protected, will dispense money as an unmistakable sample of the control taking of the terminal, could also be programmed with other objectives. “You can carry out theft of cards, PIN, etc., with the same technical effort and code, simply by changing the code of the command to send,” they explain.
But is it really that easy to get control of a cashier? Would it be enough to run a malware that works similarly to TLOTA? Although it is true that many of these cashiers operate with antiquated operating systems that facilitate the task, the truth is that for a real attacker would be a little more complex. Before running your tool, a criminal would have to gain access to the system, something that auditors already have.
According to experts, tellers can be connected to your bank through the branch’s corporate network, whether they are typical on the facade, or directly through the internet if they are terminals located in places such as a station Metro or a shopping center (for that reason, the latter is advisable to avoid them as much as possible).
Therefore, your infection could occur in a similar way to any other corporate or home computer. “From a technician who uses the internet on that computer to install the latest patch or read your corporate mail, or simply by some worm that exploits some bug for which is vulnerable and that is moving in said network,” said Ródenas and Garrote. “There are also cases where technicians infect ATMs in order to commit crime.”
On the other hand, it may also happen that there is already a malware controlling the computer of a cashier without anyone knowing it. It may have fallen into the clutches of a cybercriminal as part of a network of zombie computers (the famous ‘botnets’) and only discovered that it is an ATM when the control of such equipment changes hands, for example through Of some transaction on the dark internet. Although the buyer has somewhat more harmless purposes (for example, carrying out a ‘spam’ campaign), finding that he is a money dispenser might decide to change plans
learn, learning, the best security practice, ethical hacking, IT, Admin, Administrator, Server, User, Kali Linux, Phone, Download, Blog, WordPress, Free, Lab, Pentest, Pentester