A lot of ATMs sit in places like convenience stores or strip clubs or other places where you might need quick cash. They are profit centers for those places, because those places get to keep some of the fees collected.
They are also very very insecure. You can literally just walk around behind them and attach stuff without anyone really noticing.
I was renewing my registration at a DMV kiosk, which is like an ATM that spits out registration tags instead of money. The machine was broken, and the supermarket said to just call the number on the side. I did so, and they told me to unplug it and plug it back in. So I went around the back and did exactly that. No one questioned me.
Then they remotely logged in, messed around on it (which I could watch them do on the display) and it was fixed.
But my point here is that no one questioned me when I went around back, no one questioned a mouse moving around on a touch screen, no one questioned random control panels coming up, and the people who owned it (the DMV) didn't seem to care about the information leaks they were providing me.
Still, though, what sort of data lines do ATMs use? Ethernet? If so, how would you exploit it?
It seems like the ATM's software might work like this: on bootup, connect to server atm.foobar.com at port xyz.
Oh, right. In that case, you'd write an MITM server. You could sneak in a Raspberry Pi so that it goes ATM <-> RPI <-> ethernet, and then set up the RPI to broadcast all the network traffic via a wifi dongle to your laptop.
But... certificate pinning would trivially subvert that. I guess ATM manufacturers might not have done any pentests though, so perhaps they don't do cert pinning.
The number of times I've heard people in the tech community mention certificate pinning as a valuable security mechanism is like the number of times I've heard about zombies, despite the fact that they just don't exist.
I've worked on a team that reverse engineered and did security audits on a lot of commercial and consumer applications. We saw cert pinning implemented correctly maybe once or twice a year, by companies large enough that their security team was larger than most software companies' entire payroll.
Basically, it's not a thing that exists because it is really hard to implement properly. The threat model for being MITM'ed with cert spoofing is pretty exotic. In the end, cert pinning means your application is not working if something goes wrong with the certs, which EVERYONE at some point forgets to renew, or, worse, your CA inadvertently gets hosed.
Would love some pointers too. I've run into it once implemented in a way I couldn't circumvent and was blown away. I'd love to develop the skills to do the same myself.
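For readers asking what "done right" looks like: the following is an added example (not code from anyone in this thread) of SPKI pinning in Python, checked on top of normal CA validation rather than instead of it. It pins the SHA-256 of the leaf certificate's SubjectPublicKeyInfo and accepts a set of pins (live key plus an offline backup key), which is what keeps a scheduled key rotation from breaking every client; the `der` helper and the sample certificate are constructed here purely for the demonstration.

```python
import base64, hashlib, socket, ssl

def der(tag, body):
    """Minimal DER TLV encoder, used only to build the constructed sample below."""
    n = len(body)
    length = bytes([n]) if n < 128 else bytes([0x82]) + n.to_bytes(2, "big")
    return bytes([tag]) + length + body

def _tlv(buf, off):
    """Decode one DER TLV at `off`; return (tag, value, offset after it)."""
    tag, ln, off = buf[off], buf[off + 1], off + 2
    if ln & 0x80:                                  # long-form length
        n = ln & 0x7F
        ln, off = int.from_bytes(buf[off:off + n], "big"), off + n
    return tag, buf[off:off + ln], off + ln

def spki_from_der(cert):
    """Return the raw SubjectPublicKeyInfo TLV from a DER X.509 certificate."""
    _, cert_body, _ = _tlv(cert, 0)                # Certificate ::= SEQUENCE
    _, tbs, _ = _tlv(cert_body, 0)                 # tbsCertificate
    tag, _, off = _tlv(tbs, 0)
    if tag != 0xA0:                                # [0] version is OPTIONAL
        off = 0
    for _ in range(5):                             # serial, sigAlg, issuer, validity, subject
        _, _, off = _tlv(tbs, off)
    _, _, end = _tlv(tbs, off)                     # subjectPublicKeyInfo
    return tbs[off:end]

def spki_pin(cert):
    """Pin value in the usual form: base64(SHA-256(SPKI DER))."""
    return base64.b64encode(hashlib.sha256(spki_from_der(cert)).digest()).decode()

def pin_matches(cert, pins):
    """True if the leaf's key is in the pin set (live pin + backup pin)."""
    return spki_pin(cert) in pins

def connect_pinned(host, port, pins, timeout=5):
    """Standard TLS validation first, then the pin check on the leaf cert.
    Hostname checking stays on; pinning only narrows which keys are accepted."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            if not pin_matches(tls.getpeercert(binary_form=True), pins):
                raise ssl.SSLError("SPKI pin mismatch for %s" % host)
            return tls.version()

# Constructed sample: DER-shaped skeleton certificate with a dummy EC-style SPKI.
SAMPLE_SPKI = der(0x30, der(0x30, der(0x06, b"\x2a\x86\x48\xce\x3d\x02\x01"))
                  + der(0x03, b"\x00\x04" + b"\x11" * 64))
SAMPLE_TBS = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01")
                 + der(0x30, b"") * 4 + SAMPLE_SPKI)
SAMPLE_CERT = der(0x30, SAMPLE_TBS + der(0x30, b"") + der(0x03, b"\x00"))
```

Pin the SPKI hash rather than the whole certificate so a reissue from the same key still passes, and keep the backup key offline until the rotation.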
The kind of ATM I see at gas stations usually seems to involve a legacy ethernet cable of some sort (I've been told it's probably RJ12) and/or a small antenna magnet-mounted to the top of it. Not sure if they both serve the same communications purpose.
The few times I've used one they also take a ridiculous amount of time to connect/return anything, on the order of 30s-1m.
Many of these even now remain on dial-up, so they just have a modem and the cable is a phone jack. If you have a favorite bodega ATM that always takes 15 seconds to respond after you type your PIN, it's probably dialing. Newer ATMs almost certainly use wireless modems, if they aren't just connected to the Internet.
Fun fact, the modems still negotiate at 2400 or 9600 baud, because the extended negotiation times of higher-speed protocols more than negate time saved in transferring the small payload.
For remote attacks what usually happens is the malicious actor will first get access to a bank's network and from there pivot to the ATMs. Oftentimes they have some remote tool to shoot off commands and so forth. The malware itself is rather basic and easy to understand; the security layer, once remotely accessed, is rather moot. Depending on the malware strain they can then program the ATM to be “cashed out” during a certain time or even when certain cards are inserted.