Automated Teller Machines (ATMs) are an obvious target for criminals since a
successful compromise results in immediate monetary gain for them and a
loss of public trust in the machine's manufacturer. Once the domain of
banking institutions, the growth of third-party ATM development has led
to the appearance of these machines everywhere from public libraries to
nightclubs. In addition to heightened demand, the need for improved
usability and additional functionality also has increased. As ATMs
become more sophisticated, the attack surface widens.
Based on our first-hand research in this exciting market, IOActive is
uniquely experienced to assess the security of various ATM types,
ranging from hole-in-the-wall banking machines to stand-alone retail
models. IOActive combines its collective expertise in software,
firmware, and hardware security assessments to provide a breadth and
depth of skill that few other service firms can offer. We employ
custom-built tools and elite techniques that we developed specifically
for performing audits and penetration tests on ATMs, enabling us to
deliver accurate and stable results to our clients.
Beyond Physical Security - The New Software Threat
Up to this point, ATM security has been focused on preventing
physical-based attacks: skimmers, ram-raids, and physical theft are the
threats we hear most about. Countermeasures, such as increased
surveillance and physical hardening of the ATM's construction, have
gone a long way toward better security; however, a new class of threats
has arisen. IOActive Labs is a leader in discovering software-based
attack vectors that cannot be mitigated by existing countermeasures
alone; software-based attacks require a whole new level of security
solutions at the software level.
IOActive Labs ATM Research:
IOActive Labs has conducted research on many new ATM models, uncovering
previously unknown weaknesses. These weaknesses were unveiled at Black
Hat 2010 in a demonstration of both local and remote attacks that resulted
in full compromise. During that demonstration, IOActive Labs uploaded a
rootkit designed specifically for ATMs that gives an attacker the
ability to dispense cash from the machine, retrieve ATM passwords and
settings, and capture and retrieve tracking data remotely.
Black Box Penetration Testing:
During an ATM black box penetration test, IOActive assesses the
firmware and software's security by simulating an attack without any
source code access. Conducting this type of penetration test enables
IOActive to identify weaknesses, vulnerabilities, and the types of
attack vectors that could be exploited during a real-world compromise.
IOActive performs local penetration tests (walk-up attacks), remote
penetration tests (auditing networks and dialup-based services), and
management infrastructure penetration tests.
The recent disclosure of ATM-based malware in Eastern Europe highlights
the severity and reality of this infection type. To help our clients
mitigate and avoid escalating malware problems, IOActive offers malware
analysis services during which we use tools we designed
specifically to facilitate both the detection and reversal of ATM-based
malware. We also can ensure the integrity of ATMs and assert when they
are free from malware infection.
Source Code Review:
IOActive consultants have years of code auditing experience, regularly
assisting organizations with highly complex and advanced security
challenges. Because our expert consultants often conduct source code
reviews of ATM firmware and management software, they know how to
identify and examine vulnerable design points to uncover flaws that may
result in severe security compromise. We deliver detailed documentation
about the location and nature of problems we find, and our consultants
will advise your developers on how to address each problem immediately,
mitigating the risk of repeating problems in the future.