https://www.tomshardware.com/news/raspberry-pi-used-to-rob-atm

--

Chris Elvidge, England
I WILL NOT FAKE RABIES

Am 05.09.2023 um 15:19:14 Uhr schrieb Chris Elvidge:

> https://www.tomshardware.com/news/raspberry-pi-used-to-rob-atm

And that is called security?
For me it looks like bank's security isn't real security if that can be
disabled with a product that can be bought by everyone.

On Tue, 5 Sep 2023 17:01:42 +0200
Marco Moock <mo01@posteo.de> wrote:

> Am 05.09.2023 um 15:19:14 Uhr schrieb Chris Elvidge:
>
> > https://www.tomshardware.com/news/raspberry-pi-used-to-rob-atm
>
> And that is called security?
> For me it looks like bank's security isn't real security if that can be
> disabled with a product that can be bought by everyone.

Many things can be broken with the aid of a battery powered drill
or angle grinder that anyone can buy.

The article talks about interception or tapping so it sounds like
they managed to tap the link between the ATM and the bank and figure out
how to fake a bank's OK response to the request from the ATM using a Pi to
do the work.

Chances are the bank was depending on the line being secure rather
than using good encryption to provide secure communications over an insecure
line.

--
Steve O'Hara-Smith
Odds and Ends at http://www.sohara.org/
Host: Beautiful Theory meet Inconvenient Fact
Obit: Beautiful Theory died today of factual inconsistency

Ahem A Rivet's Shot <steveo@eircom.net> writes:
> Chances are the bank was depending on the line being secure rather
> than using good encryption to provide secure communications over an
> insecure line.

Banks have been aware of the need to encrypt communications for many
decades.

In this case:

| According to court records, the three used a device called a
| “raspberry pi” that is plugged into ATMs and deactivates its security
| systems so they could remove the cash drawer.

My guess is they compromised some kind of software-controlled electronic
lock.

--
https://www.greenend.org.uk/rjk/

On 05/09/2023 15:19, Chris Elvidge wrote:
>
> https://www.tomshardware.com/news/raspberry-pi-used-to-rob-atm
>
Don't wander around at night carrying a Raspberry Pi or you might be
arrested for "going equipped"!

---druck

On 05/09/2023 20:52, Richard Kettlewell wrote:
> Ahem A Rivet's Shot <steveo@eircom.net> writes:
>> Chances are the bank was depending on the line being secure rather
>> than using good encryption to provide secure communications over an
>> insecure line.
>
> Banks have been aware of the need to encrypt communications for many
> decades.
>
> In this case:
>
> | According to court records, the three used a device called a
> | “raspberry pi” that is plugged into ATMs and deactivates its security
> | systems so they could remove the cash drawer.
>
> My guess is they compromised some kind of software-controlled electronic
> lock.
>

My guess is that the ATMs were the on-third-party premises kind. They
are available second-hand in an uncontrolled market, and various online
videos have surfaced showing teardowns - for which some study has
revealed software exploits.

On the subject of ATMs

Funny true story
"The ATM Glitch That Made a Millionaire"
https://www.youtube.com/watch?v=m4Fi_a9QATM

--
Adrian C

Am 05.09.2023 um 20:52:58 Uhr schrieb Richard Kettlewell:

> | According to court records, the three used a device called a
> | “raspberry pi” that is plugged into ATMs and deactivates its
> security | systems so they could remove the cash drawer.

Why is it possible to plug something in without having to crack a door
open or similar?
Why isn't the software access directly at the hardware secured by a
password?

Marco Moock <mo01@posteo.de> writes:
> schrieb Richard Kettlewell:
>> | According to court records, the three used a device called a
>> | “raspberry pi” that is plugged into ATMs and deactivates its security
>> | systems so they could remove the cash drawer.
>
> Why is it possible to plug something in without having to crack a door
> open or similar?

Maybe they did crack a door open. The information presented is very
thin.

> Why isn't the software access directly at the hardware secured by a
> password?

Maybe it is, and the Pi was somehow involved in bypassing that.

Another possibility would be authentication based on some physical token
(e.g. a smartcard) with the Pi emulating it and attacking the control
software via that channel.

--
https://www.greenend.org.uk/rjk/

On Wed, 6 Sep 2023 12:50:20 +0200, Marco Moock wrote:

> Am 05.09.2023 um 20:52:58 Uhr schrieb Richard Kettlewell:
>
>> | According to court records, the three used a device called a |
>> “raspberry pi” that is plugged into ATMs and deactivates its security |
>> systems so they could remove the cash drawer.
>
> Why is it possible to plug something in without having to crack a door
> open or similar?

Because the ATM is designed to be installed in a secured room? The only
think anybody needs to enter it for is the stuff more cash into its cash
drawer (or in India, where ATMs typically can accept as well as pay out
cash), to remove incoming cash from its deposit drawer.

> Why isn't the software access directly at the hardware secured by a
> password?
>
No need. You typically need a physical key to access the cont of the ATM's
cash drawer(s). Each ATM is run by its own copy of a fairly dumb finite
state machine (FSM), which knows just enough to run its display, handle
the smartcard reader and interpret the punter's key presses. The ATM's
controlling FSM is in turn overseen by an ATM network management process
running on a bigger box back at head office.

--

Martin | martin at
Gregorie | gregorie dot org

Marco,

> Why is it possible to plug something in without having to crack a door
> open or similar?
> Why isn't the software access directly at the hardware secured by a
> password?

How come you think that neither (door, password) was present ? What's your
underbuilding for it ?

Also, what makes you think they "plugged something in" to begin with ? The
security-system "hacking" intruders on TV always seem to be using "alligator
clip" wires connected to some gizmo they bring with them.

In this case the Pi /could/ have been connected to a dummy bank card (with a
thin flat cable) and used to emulate a special kind of smart-card. Who
knows ...

IOW, when thinking about *possibilities*, be carefull not to put them
forward as if they are facts (and /especially not/ post complaints based on
such "facts").

Regards,
Rudy Wieser

P.s.
You might like the below link :
https://krebsonsecurity.com/all-about-skimmers/

On Wed, 6 Sep 2023 12:13:50 -0000 (UTC), Martin Gregorie wrote:

> On Wed, 6 Sep 2023 12:50:20 +0200, Marco Moock wrote:
>
>> Am 05.09.2023 um 20:52:58 Uhr schrieb Richard Kettlewell:
>>
>>> | According to court records, the three used a device called a |
>>> “raspberry pi” that is plugged into ATMs and deactivates its security
>>> |
>>> systems so they could remove the cash drawer.
>>
>> Why is it possible to plug something in without having to crack a door
>> open or similar?
>
> Because the ATM is designed to be installed in a secured room? The only
> think anybody needs to enter it for is the stuff more cash into its cash
> drawer (or in India, where ATMs typically can accept as well as pay out
> cash), to remove incoming cash from its deposit drawer.
>
>> Why isn't the software access directly at the hardware secured by a
>> password?
>>
> No need. You typically need a physical key to access the cont of the
> ATM's cash drawer(s). Each ATM is run by its own copy of a fairly dumb
> finite state machine (FSM), which knows just enough to run its display,
> handle the smartcard reader and interpret the punter's key presses. The
> ATM's controlling FSM is in turn overseen by an ATM network management
> process running on a bigger box back at head office.

I should have added that, at least back in the 90s when I was dealing with
ATM networks and the software that interfaces that network to the
financial system the ATM network is front-ending, the network was
typically using X.25 or SDLC (if connected to an IBM box).

I'd imagine the RPi was being used to emulate an idle ATM while the actual
ATM's cash drawers were being emptied: because it would be normal for an
ATM to report access to its cash drawer(s) to the network manager both as
a security check as well as to report events such as the machine running
out of cash to the network operators. The short disconnections while the
RPi was plugged in and removed would typically be reported as network
blips but otherwise ignored because the ATM network protocols are
typically fairly fault tolerant.

--

Martin | martin at
Gregorie | gregorie dot org

Am 06.09.2023 um 12:49:18 Uhr schrieb Richard Kettlewell:

> Another possibility would be authentication based on some physical
> token (e.g. a smartcard) with the Pi emulating it and attacking the
> control software via that channel.

A good concept of that is that such a card carries information like a
certificate or a password, so simply emulating such a card cannot go
around the normal authentication.

On 05/09/2023 15:19, Chris Elvidge wrote:
>
> https://www.tomshardware.com/news/raspberry-pi-used-to-rob-atm
>

<pedant>

Robbery is stealing something from someone by using force or threatening
to use force.

So it should be "raspberry-pi-used-to-steal-from-atm"

</pedant>

On 05/09/2023 15:19, Chris Elvidge wrote:
>
> https://www.tomshardware.com/news/raspberry-pi-used-to-rob-atm
>
OK, all done.

Remember SMS spotting has a per spot cost to SOTA and so it should be
used only when your mobile internet connection is not available at the
summit.

73
Andy

On 06/09/2023 18:24, mm0fmf wrote:
> On 05/09/2023 15:19, Chris Elvidge wrote:
>>
>> https://www.tomshardware.com/news/raspberry-pi-used-to-rob-atm
>>
> OK, all done.
>
> Remember SMS spotting has a per spot cost to SOTA and so it should be
> used only when your mobile internet connection is not available at the
> summit.
>
>
> 73
> Andy
How did that get there and not in an email. :-(

"R.Wieser" <address@is.invalid> writes:
> Also, what makes you think they "plugged something in" to begin with ?

That’s what the reporting says. Whether it’s accurate or not I can’t
say, but that’s what we’ve got to work with.

--
https://www.greenend.org.uk/rjk/

Richard,

>> Also, what makes you think they "plugged something in" to begin with ?
>
> That's what the reporting says. Whether it's accurate or not I can't
> say, but that's what we've got to work with.

I've read the linked article, and all it says is "nor was it confirmed how
the Pis were used beyond as tools to bypass security somehow". IOW, no
"plugged in" of any kind mentioned. For all I know they used it as a wedge
to keep the cash drawer open. :-)

Yes, I did read that article. Though alas, the "EverythingLubbock" link
just shows an "not available in your region" page to me.

Regards,
Rudy Wieser

On Wed, 6 Sep 2023 12:13:50 -0000 (UTC), in
<ud9qdu$2dslj$1@dont-email.me>, Martin Gregorie
<martin@mydomain.invalid> wrote:

[ snip ]

>Each ATM is run by its own copy of a fairly dumb finite
>state machine (FSM), which knows just enough to run its display, handle
>the smartcard reader and interpret the punter's key presses. The ATM's
>controlling FSM is in turn overseen by an ATM network management process
>running on a bigger box back at head office.

Really? I had a drive thru ATM reboot on me once, The boot screen said
it was running Windows. Any chance it was a case of a bigger box way
back at the head office rebooting and displaying a reboot screen on
that ATM. Not a chance! The bank was Synovis.
--
Jim H

On Wed, 06 Sep 2023 18:45:43 +0000
Jim H <invalid@invalid.invalid> wrote:

> Really? I had a drive thru ATM reboot on me once, The boot screen said
> it was running Windows.

A good many of them were running Windows NT when Microsoft ended
support - ISTR hearing the banks negotiated a support extension.

That being said this doesn't invalidate the claim that they run a
fairly dumb FSM (flying spaghetti monster) under Windows NT.

--
Steve O'Hara-Smith
Odds and Ends at http://www.sohara.org/
Host: Beautiful Theory meet Inconvenient Fact
Obit: Beautiful Theory died today of factual inconsistency

On 06/09/2023 13:13, Martin Gregorie wrote:
> Each ATM is run by its own copy of a fairly dumb finite
> state machine (FSM), which knows just enough to run its display, handle
> the smartcard reader and interpret the punter's key presses. The ATM's
> controlling FSM is in turn overseen by an ATM network management process
> running on a bigger box back at head office.

That's how they were originally, but these days some run Windows (often
out o support versions) and serve advertising while you try to get your
cash out. They offer the a huge range of world class vulnerabilities
that only Microsoft can provide.

---druck

On 06/09/2023 13:24, R.Wieser wrote:
> In this case the Pi /could/ have been connected to a dummy bank card (with a
> thin flat cable) and used to emulate a special kind of smart-card. Who
> knows ...

When I was working with Richard K we had some pen testers give a talk on
how they discovered how to program a smart card to compromise a mobile
payment terminal. They demonstrated this by making the payment terminal
play space invaders when the card was inserted.

So it's not beyond imagination that a doctored smart card connected to a
Raspberry Pi could exploit a vulnerability in an ATM. It them may have
been possible to dispense cash without debiting their own accounts.

----druck

On Wed, 06 Sep 2023 18:45:43 +0000, Jim H wrote:

> On Wed, 6 Sep 2023 12:13:50 -0000 (UTC), in
> <ud9qdu$2dslj$1@dont-email.me>, Martin Gregorie
> <martin@mydomain.invalid> wrote:
>
> [ snip ]
>
>>Each ATM is run by its own copy of a fairly dumb finite state machine
>>(FSM), which knows just enough to run its display, handle the smartcard
>>reader and interpret the punter's key presses. The ATM's controlling FSM
>>is in turn overseen by an ATM network management process running on a
>>bigger box back at head office.
>
>
> Really? I had a drive thru ATM reboot on me once, The boot screen said
> it was running Windows.
>
There are several ATM manufacturers, and anyway the models I worked on in
the late '80s and '90s are quite unlikely to be around now. I forget who
made the ATM varieties I was familiar with or what, if any OS, their FSMs
or equivalent ran on: its quite likely that some ATM makes and models ran
under Windows.

Similarly, the ATM network management server which interfaced the
financial system to the ATM network and managed ATM states did the same:
this was the software I mostly worked on in the '90s. It ran on NCR's
Intel 386 boxes under their proprietary UNIX flavour.

Most of the ATM management and interfacing software was C code though some
chunks of that was written in MicroFocus COBOL. These ATM networks were
often quite small, with the financial software written in RPG3 (UGH!!) and
running on IBM AS/400 midrange kit: I liked the AS/400s despite the RPG3.
They were dead reliable and OS/400 had a really nice scripting language,
they though the standard text editor was surprisingly agricultural: the
current Linux editors (I mainly use gedit and sometimes vi) are far more
polished editing tools.

--

Martin | martin at
Gregorie | gregorie dot org

On Wed, 6 Sep 2023 21:40:10 +0100, druck wrote:

> On 06/09/2023 13:13, Martin Gregorie wrote:
>> Each ATM is run by its own copy of a fairly dumb finite state machine
>> (FSM), which knows just enough to run its display, handle the smartcard
>> reader and interpret the punter's key presses. The ATM's controlling
>> FSM is in turn overseen by an ATM network management process running on
>> a bigger box back at head office.
>
> That's how they were originally, but these days some run Windows (often
> out o support versions) and serve advertising while you try to get your
> cash out. They offer the a huge range of world class vulnerabilities
> that only Microsoft can provide.
>
Sure. I haven't touched any of that stuff since 2000, and as I said, even
then I was more concerned with the software managing the ATM network and
interfacing it to the financial system it was front ending. Thats where
virtually all the client-specific custom code was situated.

--

Martin | martin at
Gregorie | gregorie dot org

On Wed, 6 Sep 2023 21:48:00 +0100
druck <news@druck.org.uk> wrote:

> When I was working with Richard K we had some pen testers give a talk on
> how they discovered how to program a smart card to compromise a mobile
> payment terminal. They demonstrated this by making the payment terminal
> play space invaders when the card was inserted.

I like these pen testers, the ones I've known are much less fun
they'd have just had it display "Penetrated" or some such boring result.

--
Steve O'Hara-Smith
Odds and Ends at http://www.sohara.org/
Host: Beautiful Theory meet Inconvenient Fact
Obit: Beautiful Theory died today of factual inconsistency

On 06/09/2023 17:59, mm0fmf wrote:
> On 05/09/2023 15:19, Chris Elvidge wrote:
>>
>> https://www.tomshardware.com/news/raspberry-pi-used-to-rob-atm
>>
>
> <pedant>
>
> Robbery is stealing something from someone by using force or threatening
> to use force.
>
> So it should be "raspberry-pi-used-to-steal-from-atm"
>
> </pedant>

Its more legal than that. Some years ago I was burgled, and they caught
the guys.
For my burglary, it was 'breaking and entering' and 'theft' but when
they did the same to a young woman with a child on the premises that
they didn't know about, the policewoman in charge of my part of the case
wet her pants 'that's robbery with violence - 8 year stretch!'

--
Climate is what you expect but weather is what you get.
Mark Twain