Robbers cut into ATMs to plug in USB drives

Robbers cut into ATMs to plug in USB drives

Summary: A BBC report says thieves in Europe cut holes in ATMs in order to plug in USB drives with malware on them.

TOPICS: Security, Banking

Citing a presentation at the Chaos Computing Congress in Hamburg, Germany, the BBC is reporting that thieves at European ATMs cut holes in the machines in order to access USB ports.

The thieves then inserted USB drives into the ports which then installed malware. This allowed the thieves to take control of the ATMs.

The two researchers who detailed the attacks have asked for their names not to be published.

After noticing that some ATMs were being emptied, the bank increased surveillance and noticed that attackers were physically cutting holes in the machines, inserting the drives and then patching up the holes. With the malware running, the attackers needed to enter a special 12 digit code in order to bring up a user interface which displayed how many bills of each denomination were in the machine. They could then specify how many of each to dispense. The attackers would then dispense the highest denomination bills in order to minimize the time they were at the machine.

Distrustful of the people who actually inserted the drives, the malware authors put a second one-time code process into the activation of the software which required the attacker to read a code off the screen and tell it to another gang member.

There is much information missing from this description: If the attackers were able to install malware simply by inserting a USB thumb drive, then Autorun or some such feature may have been turned on. These have been turned off in Windows by default for many years. What operating system and version were the ATMs running? Or perhaps there is some other interface device, like a keyboard, inside the ATMs, accessible through the hole. It may be that USB drives are used by ATM technicians for legitimate purposes.

In any case, it would appear that the attackers are highly sophisticated with inside knowledge of the ATM hardware and software. The BBC story also says that the malware itself was hardened against analysis.

ATM hacking is a fairly widespread problem all over the world. If you want more information, security researcher/reporter Brian Krebs has extensive reports of attacks on ATMs and other bank-related technology on his blog.

Topics: Security, Banking

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • Surely it's Windows

    They run something called hack.bat

    Drilling a hole and inserting a USB stick is about as secure a system as running Windows
    • I always prefer ATMs

      that are green screen terminals- that way I can be almost certain they do not run windows.

      Never understood the attitude of businesses that blindly run windows everywhere they can think of. No cost analysis, no use case analysis and security ? forget it- anyone who cares an iota about security and privacy would avoid windows like plague.
      • Haven't seen one of those in 15+ years...

        Pretty much every ATM I've seen since my teens has been full screen GUI. The last bank to have a green display was actually a 2-line LED. That bank branch closed in the 90s.
  • Windows NT...

    Shouldn't have been NT since it didn't have native USB support. Probably Windows 2000 or XP although I'd bet NT might still run a few gas pumps and ATMs. Banks used OS/2 for a time after it had vanished from the general public's memory so it shouldn't be a shock to anyone that they are still using really old operating systems in ATMs.

    While there is a lot of blame, first on my list is Microsoft for not providing better backward compatibility. The main reason folks still run these old operating systems started when they tried to run their software on the next generation OS, it didn't work and although their portfolio road map contained an "upgrade the OS" task, it was deferred year after year and eventually a decade passed. My understanding is Windows used to leave actual "bugs" in their APIs because fixing them would break legacy software since it had been developed to work around the bug. While this sucks, why not get rid of the bug and then provide a compatibility box in which ANY software can run perfectly? I know a lot of this preceded the power to create virtual machines but can we honestly accept that Microsoft couldn't have thrown a billion at this and made a perfectly backward compatible "box" to run this stuff?

    Second, hardware manufacturers continued to use legacy ports (serial, parallel, custom) well what makes sense to a normal person. Since PCs don't come with cash dispensers, pin pads and envelope feeders, these devices have to talk to the OS somehow. If a new driver isn't available for the next OS (XP, Vista, 7, Linux, OSX...whatever), the portfolio road map now needs an "upgrade cash hardware" task. This is even tougher to get accomplished. Tougher because it involves huge sums of money for hardware that is simply grin and bear it expensive. I'd guess the components in an ATM (printer, pin pad, cash dispenser, display, camera, envelope feeder) are each several thousand dollars. Either new drivers would have to be available for each or they would all have to be replaced. A smarter alternative would have been to decouple them legacy ports and make them IP-addressable with Ethernet ports. Today that's how I would go since the cost of giving each it's own Rasberry board is minimal.

    Third, (imagine a sweaty Balmer on the stage yelling these words and dancing) security, security, security! USB ports are handy for maintenance but why would AutoRun be left enabled? Why didn't they use a white list security software like Solidcore or alternatives? The ATM software image is very stable and such white-listing software is fantastic to keep the machine safe. Further, an ATM would probably use "auto logon" so that the desktop would come up and start running the ATM software but my guess is the auto run user is a local admin. Why not restrict that user so that it has no more rights than necessary to run the ATM software and restrict executing programs outside of that installed folder? Good many simple things that could be done to have avoided this issue.
    • autorun is a 2 second change in group policy

      even a junior admin knows this
    • Probably not windows autorun.

      Think about it. You plug in a drive. If it was autorun, it would AUTO RUN. Instead you have to punch in a sequence of numbers. Sounds more like you are giving a dedicated OS an instruction code to "load from USB". Then you load a hardware diagnosis/test program from the USB stick. You go into a test mode, spit out dollars to test the dispenser.
      • Please read the article again...

        [QUOTE]...With the malware running, the attackers needed to enter a special 12 digit code in order to bring up a user interface which displayed how many bills of each denomination were in the machine...[/QUOTE]

        My take on this:

        1) Insert USB
        2) Auto-run installs a custom program that compromises the ATM
        3) Remove USB
        4) Cover hole


        1) Approach ATM
        2) Enter 12 digit code to display denomination of bills in the machine
        3) If the machine is fully loaded with enough 100s, enter quantity to dispense
        4) Exit special screen and leave with the loot

        It makes sense to remove the USB drive after infection so that the unit looks normal when bank personnel maintain it by removing deposits and add more money.
        • Excellent summary (nt)

          • Forgot to add...

            The article mentions they had to review security video to determine what happened. If the attackers left the thumb drive behind, that should have been a big clue as to what happened since technicians would have plugged it in a desktop/laptop to figure out what was on it.
  • ATM Security....

    If they had fitted one of our EVD sensors to the ATM they would'nt have been able to cut a hole !

  • don't the ATMs run Linux?

    the Linux backers on the other threads tell me that Linux is the software that runs everything from refrigerators to mainframes.
    • From Wikipedia...

      [QUOTE]Today the vast majority of ATMs worldwide use a Microsoft Windows operating system, primarily Windows XP Professional or Windows XP Embedded.[citation needed] A small number of deployments may still be running older versions of Windows OS such as Windows NT, Windows CE, or Windows 2000.[/QUOTE]

      They certainly could use Linux but for whatever reason, they aren't. Wikipedia isn't always right but Windows is used in a lot of embedded devices and on that basis, the Wikipedia article is plausible.

      Linux could be the future but it won't be based on the cost of a Windows license. I'm sure ATMs are expensive and using Linux would only save $50 on a $10K or perhaps $20K unit which is much different than using Linux in a $39 router where a Windows license would be prohibitively expensive. Of course cost isn't everything. There could be other good reasons to move to Linux as well as other good reasons to stick with Windows.
  • windows

    The majority of the banks use windows xp. I used to be a deployment engineer for barclays and lloyds banking group. Most of the terminals and ATMs use windows. I suppose it was only a matter if time , despite raising my concerns over the years.
  • We lock down Windows tighter than a drum.

    Its a constant struggle balancing between security and usability.

    Through GP and security software we lock down Windows XP/7 so that it would not matter a wit what the contents of a thumb drive is. If a device is plugged in it wont auto install/run. To access it would require a user to authenticate into the console, have admin rights, and only then be able to mount and access the device.

    This is quite simple on Windows.

    Remember that drone that was brought down mostly intact in Iran?

    I don't claim to have inside knowledge, I don't. But, the speculation of 'experts' is fairly consistent with the belief that it was brought down by being tricked.

    Security exploits are generally due to laziness and plain ole stupidity.
    • Security vs. Usability...

      I agree on a desktop but on a kiosk-mode, single-task device like an ATM, the primary user (bank customers) don't feel inconvenienced because it's running in a security context that has minimal privileges.
  • santander atms are running xp pro in mexico

    my local atm in ensenada is frequently booted to the xp pro desktop, with no atm app running.
    in april 2014, they are going to get way easier to hack.
  • Drilling a hole seems like a lot of trouble...

    Around here in the good ol' US of A they just throw a chain around the ATM and drag it off with a pickup truck, who in hell would spend time drilling a hole?

    Because of the Russia sanctions Europeans are so poor now they can't even afford a piece of chain and an old truck.
    Makes Things