Researchers from the Russian security firm Kaspersky on Monday detailed a new ATM-emptying attack, one that mixes digital savvy with a very precise form of physical penetration. Kaspersky’s team has even reverse engineered and demonstrated the attack, using only a portable power drill and a $15 homemade gadget that injects malicious commands to trigger the machine’s cash dispenser. And though they won’t name the ATM manufacturer or the banks affected, they warn that thieves have already used the drill attack across Russia and Europe, and that the technique could still leave ATMs around the world vulnerable to having their cash safes disemboweled in a matter of minutes.
“We wanted to know: To what extent can you control the internals of the ATM with one drilled hole and one connected wire? It turns out we can do anything with it,” says Kaspersky researcher Igor Soumenkov, who presented the research at the company’s annual Kaspersky Analyst Summit. “The dispenser will obey and dispense money, and it can all be done with a very simple microcomputer.”
Drill, Baby, DrillFor Kaspersky, the mystery of the drilled ATMs began last fall, when a bank client showed them an emptied cash machine whose only evidence of tampering was a golf-ball sized hole next to its PIN pad. To hide their tidy surgery, the thieves had even covered the entry point with a sticker. Eventually, the researchers learned of close to a dozen similar ATM heists. And when police arrested a suspect in one of the cases, they found a laptop, along with a cable he’d apparently snaked into the PIN pad hole. “Just a laptop, some wiring, and a hole in the ATM, that’s it,” says Soumenkov.
Kaspersky’s researchers already had the same model of ATM in their test lab, one that’s been in wide use since the 1990s. They removed its front panel to find a serial port that would have been accessible from the thieves’ hole. It connected to a wire that ran through the ATM’s entire internal bus of components, from the computer that controlled its user interface to the cash dispenser. Then the researchers spent five solid weeks with an oscilloscope and logic analyzer, decoding the protocol of the ATM’s internal communications from raw electric signals. They found that the machine’s only encryption was a weak XOR cipher they were able to easily break, and that there was no real authentication between the machine’s modules.
In practical terms, that means any part of the ATM could essentially send commands to any other part, allowing an attacker to spoof commands to the dispenser, giving them the appearance of coming from the ATM’s own trusted computer.
Eventually, the researchers were able to build their own device capable of sending cash-ejecting commands through just that exposed port. Their compact gadget, far smaller than even the arrested suspect’s laptop, consisted of only a breadboard, an Atmega microcontroller of the kind commonly found in Arduino microcomputers, some capacitors, an adapter, and a 9 volt battery. All told, it took less than $15 worth of equipment.
In their tests, the researchers found their finished tool could trigger the cash dispenser within seconds of connecting, and then spew as many bills as they wanted. The only limit to the attack’s speed came when the ATM’s computer “noticed” the dispenser acting independently and rebooted. But the researchers say that they could extract thousands of dollars before the reboot kicked in, and afterward they could simply repeat their attack, pulling more cash out of the machine until it was empty.
Easy MarksKaspersky says it’s alerted the vulnerable ATM manufacturer to the technique, but there’s no easy patch for the problem: The units’ software can’t be updated remotely. A fix, Kaspersky researchers say, will require replacing hardware in the ATMs to add more authentication measures—or failing that, adding physical security measures, like access controls and surveillance cameras, that might prevent thieves from daring an in-person raid on the machines. WIRED reached out to the ATM Industry Association for comment, but the trade group didn’t respond by the time of publication.
ATMs are a frequent hacker target. Lately, attacks from Thailand and Taiwan to Russia have infected banks’ own networks with malware that’s been used to trigger ATM cashouts. In tightly coordinated operations, money-mules retrieve the stacks of bills in person from the victim bank’s cash machines. In their conference talk Monday, Kaspersky researchers also revealed a new form of ATM malware they’ve found, which they say had been planted through stealthy fileless infections of banks in Russia and Kazakhstan. And other physical access attacks have planted malware on machines by opening their cases—either picking or breaking the panels’ locks—or used that physical access to a machine’s internals to connect a hacking tool directly to the cash dispenser.
But the Kaspersky researchers say the drill technique represents a simpler and stealthier path to an ATM’s innards. Breaching a bank’s back-end network requires far more sophisticated network intrusion skills, while opening the machine’s panel to plant malware or to connect a tool directly to the cash dispenser triggers an alarm. Drilling a gaping hole in the front of the machine, in this case, doesn’t set off that same warning.
Physical attacks on ATMs are, in some sense, an unsolvable problem. Computer security experts have long warned that no computer should be considered secure if an attacker takes physical control of it. But weak encryption and a lack of authentication between components leaves ATMs particularly vulnerable to physical attacks—access to any part of the insecure machine Kaspersky describes means access to its most sensitive core. And for computers that are left standing unprotected on a dark street in the middle of the night, stuffed full of money, a little more thought to digital security might be a worthwhile investment.