Black Hat, Day 1: Cracking GSM and skimming ATMs

Summary: Day 1 at Black Hat brought some outstanding talks. The day started off with David Hulton (aka h1kari, also the producer of ToorCon) and Steve (from THC), who presented on "Cracking GSM".

TOPICS: Security, Networking

Day 1 at Black Hat brought some outstanding talks. The day started off with David Hulton (aka h1kari, also the producer of ToorCon) and Steve (from THC), who presented on "Cracking GSM". It was quite interesting due to the tie-in that David has with Pico and their use of FPGAs (Field Programmable Gate Arrays).

Basically, they were able to capture GSM traffic -- the traffic most of our cell phones use -- and decrypt that traffic. They reverse-engineered the encryption process and then used the FPGAs to increase the speed of the whole process by an amazing amount. I don't have the exact numbers, but let's just say it went from impossible to potentially done in 30 seconds. As always, David is brilliant. The talk, while complex, was easy to follow and understand and the audience had some great questions.

The next talk I watched was a presentation by my good friends Billy Rios and Nitesh Dhanjani called "Bad Sushi". I have to say that this was the best talk of the whole day -- completely unique and untouched by previous research. Basically, they were able to track down phishers and paint a picture of the ecosystem and economy that drives phishing. The lack of sophistication in the majority of these attacks was unbelievable, yet they are still so successful. This seems to be contrary to the corporate belief that phishers are elite hackers with hardcore ninja hacking skills. They also moved into a process called ATM skimming, whereby people retrofit ATMs with their own hardware that captures card swipes and PIN entries while still maintaining the functionality of the original ATM. This was unbelievable to see, and I honestly believe I'll never use an ATM again. Also of note, it was clear that phishing is not really the major concern; identity theft is the concern, and the people exploiting this are using any means possible.

Rob Carter and I followed up the "Bad Sushi" talk with our talk on "URI Use and Abuse". It was more of the same research you've seen us talk about over the last year, with a fresh set of vulnerabilities including a format string flaw on Mac OS X. I won't elaborate much or toot my own horn, but the talk went really well and the audience seemed to be entertained and engaged. I can't begin to say how much of an honor it was to speak at Black Hat again. I can remember saying when I was younger that if I ever spoke at Black Hat, I'd know that I had made it in the security world, right after watching David Litchfield present at my first ever Black Hat. Today, we delivered our presentation while Litchfield was in the next room talking about Oracle security -- a bit of a surreal experience, really.

That's all for today and I'm off to the bar to celebrate a great day!

  • Congrats to you, George.

    It sounds like those would have been some interesting talks. I would have loved to have been there, especially for those two. Good job then, to you two, for being right up there with the big boys. Again, congrats to you George for achieving one of your goals in life. -d
    • too bad it was actually Nathan McFeters that attended (NT)

      Not George (NT)
      • I see that now...

        You are correct, thanks for pointing that out to me. Well my earlier 'Congrats' went to the wrong person.
        I hope he (the right guy, this time) gets it. It was a good article IMHO, so I hope he keeps writing them. -d
        edited to ask: what did they do to 'edit'?
  • RE: Black Hat, Day 1: Cracking GSM and skimming ATMs

    This was a great story. I just love it. Keep up the great work.
  • Retrofitting ATMs

    I'm not surprised that someone could redesign ATM hardware and software to capture card swipes and PIN entries. What would be of more interest is how hard or easy it is to circumvent the hardware security to replace the legit ATM with the bogus one, what means exist for a financial institution to query the hardware for legitimacy, and how hard it is to detect by either the remote financial institution or the person who comes out to service the machine?
    • Oh dear!

      Around most of the world, this has already been done with ATMs.
      One case involved using a stolen ATM in a fake bank which actually gave money when the customer asked for it while taking all the required information. The customers had no clue whatsoever that this was taking place.
      A more common occurrence is a small device mounted to the card reader slot that reads the card details while a remote camera inside the kiosk takes sneak peeks at your keystrokes.
      At most ATMs in Europe they already issue warnings not to use an ATM if you suspect it looks different from the ordinary. Many ATMs have a plastic see-through device that prevents them from installing such a piggy-back reader device. Also, the cards at most ATMs are now fed and ejected very slowly to prevent such devices from reading the MCR tracks.
      • I saw this nearly five years ago...

        I used to work at the Royal Bank of Scotland in London and there was a fake ATM in a shopping mall nearby - it took your card, let you enter your PIN and then told you that the service was currently unavailable... The only reason it was found out was that one of the guys responsible for the ATM network saw an out-of-date screen on it!
    • Card Duplication
      If the entire swipe is recorded, it is an easy matter to take any mag stripe card and write the information back to it.

      No logo required, just the PIN and mag stripe info...

      This is why we will probably be forced to smart cards and biometrics.

      Of course then the really innovative thieves will just cut your finger off!

      Mike Sr.
      • true

        Exactly true. There is a show on truTV (formerly CourtTV) called "The Real Hustle" where a group of hustlers did exactly this stunt. They wrote the information onto a standard hotel keycard and successfully used it in the ATM.
    • That's not really new...

      In fact, the article makes it appear to be easier. What used to be done was to catch one just as it was going online (with a dial-up connection, still in use in too many places) and just 'listen in'. VPNs make that a little harder, but not hard enough, it seems.
    • wha

      Why would you service a machine that has no money in it and is only capturing PIN and card information?

      You could take everyone's money and buy a new machine while probably still making a profit. The machine could just be considered expendable.

  • This isn't new...

    Basically you just put a "faceplate" card reader in front of the other card reader and it reads the info. I read about this back in 2004.

    I'm not sure how they would do the PIN capture unless they did another faceplate on it.

    Then they can retrieve the data at their leisure and boom! All of a sudden, your account is empty.

    So if you find that the ATM you normally use suddenly looks different, make sure it was actually upgraded BY THE BANK.
    • No, they don't need another face plate

      Just some sort of visual recording of you entering your PIN, either a camera on the ATM or somewhere close by.
      • They usually add a faceplate that has an extra reader for

        the magnetic stripe.
        However, the battle is not completely lost yet.
        In some places in Europe the banks installed secret pinhole cameras to catch the action of fitting the reader. They then get the police to track them and catch them as they withdraw cash from someone's bank account.
        Pretty quick and VERY efficient.
    • how to capture pin

      The PIN is captured by a tiny integrated camera aimed at the PIN pad on the ATM. Refer to my 'true' post about me seeing this stunt pulled on a "reality"-like show on truTV.
      • oops

        just saw that thespasticone pretty much already said this :)
  • ATM ideas from TV maybe?

    Those that have responded to this saying that it's been done are correct. A few seasons back on CSI they had a person stealing money directly from people's accounts. It turns out that the person doing it was using a card reader that was added on to the outside of the machine, plus a wireless camera in an informational pamphlet box stuck to a wall where it could see the PIN pad. The person was then sitting somewhere within range of both with his laptop, a card coder, and a box of blank magnetic stripe cards.
    By the way, the guy got caught by not moving around too much for marks, and panicking when the cops showed up to look at the machine. He hit another car.
    • also on another show

      Also saw the stunt pulled on a show called "The Real Hustle" on truTV.
  • RE: Black Hat, Day 1: Cracking GSM and skimming ATMs

    There are always people who have to make life miserable for everyone else. That's their hobby. That's how they get their jollies.
  • RE: Black Hat, Day 1: Cracking GSM and skimming ATMs

    Since GSM has been cracked, how about CDMA? I am a Verizon customer and am very concerned about this.