DEF CON 29 - Roy Davis - No Key No PIN No Combo No Problem Pwning ATMs For Fun and Profit

Рет қаралды 77,290

Күн бұрын

Since the late great Barnaby Jack gave us “Jack Potting” in the late 2000s, there have been several talks on ATM network attacks, USB port attacks, and digital locks attacks which apply to several brands of ATM safes. In this session, I’ll discuss and demonstrate how most of these known attack vectors have been remediated, while several fairly simple attacks against the machine and the safe still remain. We’ll dive into how ATMs work, the steps I went through to become a “licenced ATM operator” which enabled my research, and how I identified the vulnerabilities. I’ll show how, with very little technical expertise and 20 minutes, these attacks lead directly past “secure” and allow attackers to collect a lot more than $200.
REFERENCES
Barnaby Jack - “Jackpotting Automated Teller Machines” - (2010) from DEFCON - • DEF CON 18 - Barnaby J...
Weston Hecker - “Hacking Next-Gen ATM's From Capture to Cashout” - (2016) from DEFCON - • DEF CON 24 - Hacking N...
Trey Keown and Brenda So - “Applied Cash Eviction through ATM Exploitation” (2020) from DEFCON - • DEF CON Safe Mode - Tr...
Triton - “Terminal Communications Protocol And Message Format Specification” (2004) from Complete ATM Services - tinyurl.com/7nf2fdy5
Rocket ATM - “Hyosung ATM Setup Part 1 - Step by Step” (2018) from Rocket ATM - • Hyosung ATM Setup Part...
Rocket ATM - “Hyosung ATM Setup Part 2 - Step by Step” (2018) from Rocket ATM - • Hyosung ATM Setup Part...
Hyosung - “NH2600 Service Manual v1.0” (2013) From Prineta - tinyurl.com/c6jd4hd9
Hyosung - “NH2700 Operator Manual v1.2” (2010) From AtmEquipment.com - tinyurl.com/rp2cad8

Пікірлер: 160

@sideshow4417 Жыл бұрын

16:12 in the UK we had a spate of people filling the cash machines with propane and blowing them open that way, they started fitting gas sniffer devices (similar to those fitted to forklifts in enclosed spaces) that engage some sort of defence not sure what, be it the release of some sort of gas suppression like an inert gas, or just an alarm to a control centre.

@BradleySmith1985 2 жыл бұрын

the QR is for the teck/admin to pull up password records thats is your serial number of the system board. most BRINKS / money curriors will have a device that will scan a QR and provide them with there info the need to support the machine

@WhiteFedoraMN 2 жыл бұрын

Ahhhh. Thank you for filling that knowledge gap for me Bradley!!

@PhilXavierSierraJones Жыл бұрын

Did you know: Nautilus Hyosung ATMs have "Stop attacking immediately" screen. Supposedly it is activated when the shock sensor or tamper switches are being activated. Found this out through the update files.

@RicoCantrell 2 жыл бұрын

Love this. Been in payments and construction of payment gateways and protocols for 20+ years. Well done sir.

@WhiteFedoraMN 2 жыл бұрын

Thank you for watching and the kind works Rico !!

@nickwinn 2 жыл бұрын

I've seen these go for under $50 in bankruptcy auctions. Guess I will be buying one soon.

@WhiteFedoraMN 2 жыл бұрын

Do the ones you've seen in those auctions have network cards or only modem? I am avoiding the modem-only ATMs in my research at this point as they are quickly falling out of use.

@thomasmay2102 2 жыл бұрын

who else is looking for atm's to buy now that roy made profit? ^^

@rkan2 2 жыл бұрын

Too bad the country I live in only has two companies who have ATM - and they aren't getting foreclosed lol.

@janrowe4405 Жыл бұрын

,come to my there atm every where gas station banks supermarket s

@johnb4306 2 жыл бұрын

Silver cylinder you couldn’t identify is probably drill protection, I’m guessing it’s near the lynch pin? It also is probably lose and will rotate when pressure is applied. Ever dry to drill into a hard round surface thats free to rotate? My two cents from lock picking/destructive entry side

@William48151623 2 жыл бұрын

You know he knows his stuff because he never said 'ATM Machine'.

@WhiteFedoraMN 2 жыл бұрын

lol. Thanks for watching!!

@Gameboygenius 2 жыл бұрын

The auction listing did, however, which I'm sure you noticed.

@Proletariat-intifada 11 ай бұрын

I love chai tea

@itsme7570 9 ай бұрын

Automatic teller machine machine

@annyone3293 7 ай бұрын

11:44, did say “local LAN” though. :)

@leozendo3500 2 жыл бұрын

Summery: pick top lock, access safe close wires, false safe open signal, reboot to reset master password. And drill a hole behind keypad, see the lock to rev engineer, drill to access motor power wire, provide power to bypass lock. Not sure why both steps are needed

@robhulluk 2 жыл бұрын

I think only the second step was needed to get access to the money, but he wanted a fully functioning ATM so the first step was needed to get the software part running.

@WhiteFedoraMN 2 жыл бұрын

@@robhulluk Exactly !!

@WhiteFedoraMN 2 жыл бұрын

Thanks for watching and the great summary Leo !!

@maniacbg Жыл бұрын

Wow wow wow! What an out of the box type of thinking when approaching the problem. Bravo maestro!

@gerbenkleijn1796 2 жыл бұрын

Awesome talk, Roy! I had caught bits and pieces of this from you along the way and it was great to see the whole process end to end. Very clearly laid out too.

@WhiteFedoraMN 2 жыл бұрын

Thank you Gerben!

@aussiebob1315 Жыл бұрын

LOL this exact atm is being used in NZ at a local gas station of mine, i asked the owner if i could demonstrate something, enter clear cancel 1,2,3 should of seen him feak out , question is should i direct him to your video? as i use this atm twice a week (rural area) and they charge 3.50$ in fee for every withdrawl , someone is making ALOT of money here!

@deeglik 2 жыл бұрын

Great talk very insightful!

@logicawe 2 жыл бұрын

Thanks for sharing, great talk 👍

@Epinardscaramel 2 жыл бұрын

10:12 I like the confidence 😄

@orbitalalpha 2 жыл бұрын

Could you use a strong electromagnet to push/pull the linch pin? Or a rotating field to drive the motor externally?

@jon87386 2 жыл бұрын

I'm guessing no, as the lock body is likely steel or something else that would be susceptible to a magnetic field

@prodbydramatic 2 жыл бұрын

@@jon87386 bingo

@BrysenJacobsen 2 жыл бұрын

No. But I mean, all you need is a the lock pick tool, and the wire probe to break in. Seems pretty easy already. It's crazy

@hoofie2002 Жыл бұрын

Very interesting and great work.

@swilson42 7 ай бұрын

Always interesting to see how people find ways onto things, but these kinds of attacks aren’t practical enough to warrant any extra protections. That’s why the company didn’t respond. You can buy an upgraded safe that makes this even harder, but most don’t even do that. The level of protection here is to stop smash and grab and it’s successful at that. Hours of drilling and wire tapping isn’t going to go unnoticed, so it’s just not worth protecting against.

@TRD_Mike 2 жыл бұрын

Great informative video! Thanks for sharing.

@WhiteFedoraMN 2 жыл бұрын

Thanks Mike !

@M3PH11 2 жыл бұрын

3:34 The legend that is Barnaby Jack. The man how once hacked an atm in (i think it was) Dubai that dispensed gold bars and almost walked away with a million dollors. He is missed.

@mobiusbelts3607 2 жыл бұрын

Oh, he’s the guy that inspired me to find a slew of ATM machine manuals online. You used to be able to get into those machines using the default password listed in the manuals, potentially changing the value of certain bills so that the machine thought it was spitting out $5s when it was actually spitting out $20s...

@jayschafer1760 9 ай бұрын

The problem is that if you do anything like that in the Middle East, you'll be left for dead in the desert (after being tortured to the point that you wish you were already dead) if caught.

@outadahead 2 жыл бұрын

Great talk Roy - thanks for sharing the journey!

@WhiteFedoraMN 2 жыл бұрын

Thank you for the kind words and for watching!!

@jenniferremington4765 2 жыл бұрын

You are an incredible human.

@WhiteFedoraMN 2 жыл бұрын

hah, dunno about that, but thanks!

@andrewmiranda5115 2 жыл бұрын

That was so badass. I love smart people.

@DrTune 2 жыл бұрын

That was most excellent!

@garethjames8307 2 жыл бұрын

Haha ... "it takes around 40 minutes for a novice jackhammer user to get it unbolted from the floor" ... or something around that .... classic!

@vyperp888 2 жыл бұрын

Looks like about $3360 from here. That's quite a score!

@Cfomodz 4 ай бұрын

This is an interesting business model….. step 1. Buy ATMs (locked, obviously) Step 2. Make the tool.. step 3. ??? Step 4. Profit? Step 5. Sell the empty ATM as used, presumably with more information than the original auction, with the master password, unlocked doors and such meaning it will reasonably go for as much if not more than you paid for it.. so if there’s no cash, then you’re compensated for your time by the increase in sale price (assuming a $1,000-ish markup pre-fees), and if there is cash, then, well.. it just might be enough to pay for the research project, and the ATM, “and then some” - which I feel like means it was easily in the 4 figure amount more than the project and ATM, especially based on that photo - which I didn’t pause to count, but I know is more than 50 notes, so yeah.. Obviously there is no free lunch and this is a job that includes work, transportation, time, money, etc. just like any other reselling side hustle would, it’s just interesting that it comes with a ‘free’ lottery ticket built in.

@douro20 2 жыл бұрын

The vault lock still did the job it was designed to do.

@agenericaccount3935 2 жыл бұрын

Absolutely Capital. Nice to get your research paid for too 😋

@WhiteFedoraMN 2 жыл бұрын

Thanks Johnny!!

@kodiererg 2 жыл бұрын

I wonder if you could use electrical induction to power the DC motor from outside the safe without contacting any wires

@revenevan11 7 ай бұрын

Very interesting idea! I think that could potentially fry other electronics inside, but I can also imagine someone who doesn't *own* the ATM they're attacking may not care about that damage 😅

@98f5 2 жыл бұрын

So sad I've missed 3 years of defcon

@TheMatrixcube Жыл бұрын

loved the video ! thx

@tjsynkral 2 жыл бұрын

The people at the help desk always have a reset and recovery procedure. I feel like social engineering the help desk would be easier than all of this.

@WhiteFedoraMN 2 жыл бұрын

Unfortunately, my research and discussions with the lock and ATM manufacturers proved the opposite. The ATM CPU password reset procedure is as presented in this talk. The lock has no reset procedure, but there is a tool called a "Little Black Box" that in theory can deduce the lock combo. The device is only sold to law enforcement and certified locksmiths. If you are able to present evidence to support your theory, I would love to discuss it.

@mgzukows 2 жыл бұрын

What you saw was the reset procedure for the administrative password. Which won't give you any access to the money. Also the process of resetting the password wipes the encryption keys which are stored in the keypad. Other things that also wipe encryption keys are opening the keypad, tilting the ATM more than 30°, or changing the denomination of the bills in the cassette. Encryption keys are a 128-bit hexadecimal number. They are supposed to be destroyed after being entered into the ATM. You can test dispense the bills, however those bills go into the reject bin of the dispenser. Which is locked in the safe. As for the lock for the save there's no way to open it without brute forcing the lock itself. Which is what the little black box does. The ATM is also supposedly bolted to the ground with four bolts on the bottom of the safe.

@arsenicjones9125 2 жыл бұрын

Did you check the continuity between the black wire and the metal of the chassis? If one of those wires is a chassis ground then you only have to attach to the one wire inside the atm and anywhere on the exterior meaning you really won’t need to drill out that hole larger.

@WhiteFedoraMN 2 жыл бұрын

Interesting theory Chad. I have just acquired another ATM (this time for $185), same situation (No Key etc.) I am taking this opportunity to attempt this hack without making the hole larger. Stay tuned for chapter 2. :-)

@WhiteFedoraMN 2 жыл бұрын

As I replied in another similar comment, I just tried this. The DC motor is not grounded to the lock chasis.

@AndiPannell 2 жыл бұрын

Really awesome talk. Enjoyed it alot. My favourite talk of defcon 29

@WhiteFedoraMN 2 жыл бұрын

Thank you Andi. Were you able to make it to the live version in Vegas?

@AndiPannell 2 жыл бұрын

@@WhiteFedoraMN unfortunately not as I'm in the UK. But watched it online and recommended it to friends. 👏 Hopefully I'll be back next year

@WhiteFedoraMN 2 жыл бұрын

@@AndiPannell Awesome! I plan to have a talk with all new ATM research ready for DC30.

@Uneke 2 жыл бұрын

I’m at 17:20. Those safe pads are garbage and can be affected by a strong magnet. They had to replace the metal solenoids with plastic ones because of this… 9/10 times, they aren’t replaced because they went out before the flaw was discovered. If an operator isn’t changing windows xp or ce to something more secure, they’re not changing out a solenoid pin

@WhiteFedoraMN 2 жыл бұрын

Thanks for this comment!! I am intrigued by your theory. I tried placing the electromagnetic drill press in several locations around the vault door without success. Can you DM or email me with details of this attack vector? I'd like to research it more.

@Uneke 2 жыл бұрын

@@WhiteFedoraMN sorry for the late reply… haven’t been on here much. Here is a demo. Good luck kzfaq.info/get/bejne/d9Z6hJWoyL_OcqM.html

@WhiteFedoraMN Жыл бұрын

@@Uneke - Thanks! I just saw this and have ordered the same rare earth magnet shown in that video. I will try it out and let you know how it goes!

@Uneke Жыл бұрын

@@WhiteFedoraMN awesome! Thanks I would really like to know the outcome. Please remember, you have to put it over the solenoid area and twist it so that it moves the solenoid. If that doesn’t work, try moving it side to side. Depending on placement (slide to the left and try to open, slide to the right and try to open). The movement of the magnet is what moves the pin inside the solenoid.

@jayfowler4747 8 ай бұрын

So after you changed the pass code did the qr change and once you update the firmware and run diag mode I'm guessing you can 'test' the note dispenser... multiple times..??😊

@tmeredyk 2 жыл бұрын

is the lock cast aluminum? maybe gallium on the lock body?

@WhiteFedoraMN 2 жыл бұрын

Great question Tyler. I just measured the resistance across the lock body and it is negligible.

@eagerpuppy 2 жыл бұрын

As an ATM owner, I got more motivation to buy more machines from the first 2 minutes.

@haveaniceday7950 2 жыл бұрын

Is it a good business to be in? I've been curious about it a long time. What's the future though with digital currency?

@TylerSanborn 2 жыл бұрын

46:17 Money Shot

@carlswenson5403 Жыл бұрын

just like that scene in die hard

@MagicPlants 2 жыл бұрын

dude is so elite

@WhiteFedoraMN 2 жыл бұрын

heheh... just doing my thing !!

@dotedune0246 2 жыл бұрын

I’m thinking just from opening the top of the ATM exposing the card reader someone could easily install a skimmer am I right or am I right?! Never mind my name 😅🤣

@Qstyleonem Жыл бұрын

Very informative….. please get a flipper zero and rfid Wi-Fi fun

@ASAPLocksmith 3 ай бұрын

The "silver bar" is a hardened steel pin, it is there to deflect a drill attack on the known most vulnerable parts of the lock. This is an interesting video but, if you are dragging a 40 lb magnetic drill to open the door, why not just attack the physical mechanism? No wire probing is required.

@Thedude897 Жыл бұрын

Damn I kinda want to find ATMs from foreclosures now lmao

@BlackSoap361 2 жыл бұрын

The silver dowel - anti-drill, or anti-tilt?

@WhiteFedoraMN 2 жыл бұрын

I was thinking anti-drill, but when I put one of the locks under a drill press and set the bit directly next to the dowel, the bit tore through the dowel no problem. Hmmm...

@realcygnus 2 жыл бұрын

Nifty ! A talk with any service technician from an ATM vending co. could have probably saved you time. I thought about getting into ATMs after COCOT payphones died.

@HEREisTRACYY 5 ай бұрын

I manage to hack payphone back in the day wit a captain crunch cereal whistle.then I learn how the machine works .i use a dime a string n duck tape.u have to be precise on the mearsurement or it will not work..now theres 2 payphone style..1 change comes out the left n 2 change comes out the right..use the left one .right is lol fishy ..now we have free phones...

@Potrvlb 2 жыл бұрын

I saws all with long blade spud of cut those floor bolts. Just saying. The long blades bend like paper and would of gone right under it and cut them bolts 🤩👍

@akumabito2008 2 жыл бұрын

That seems surpisingly easy.

@EXTEZZEE Жыл бұрын

They're going cashless for the last 2 years. And about to go hot. Sept 31st in parts of the world, no more 10's and up, no bank tellers, etc.

@TheboysEpicshit 2 жыл бұрын

Pretty sure you don't need two pins you just need to go to hot. The motor should run to ground. I never run to - when troubleshooting I always go ground. But I'm also troubleshooting with power supplies not batteries.

@WhiteFedoraMN 2 жыл бұрын

I just tried this on my bench. I attached + to the white wire only and touched the - lead to the lock body. No go. The small DC motor that moves the lock pin isn't grounded to the lock body.

@danielsullivan87 2 жыл бұрын

@@WhiteFedoraMN One thing that could seriously improve the design is if both of those leads were shorted by a MOSFET when driving voltage isn't being applied. That would then necessitate physically cutting one of the wires which would vastly increase the chances of a irrevocable mistake.

@westonhecker 2 жыл бұрын

Love ATM talks lol

@WhiteFedoraMN 2 жыл бұрын

Thanks for watching Weston!

@westonhecker 2 жыл бұрын

@@WhiteFedoraMN Very welcome great job on research

@Tabbithakitten 2 жыл бұрын

Kinda disappointed that the solution was drill the lock + manipulate

@WhiteFedoraMN 2 жыл бұрын

Ya, what is really too bad is that I had to turn in this video 3 weeks before DEF CON. If you had been at the live talk you would have seen an additional attack that didn't require drilling etc. "Patch 'n Sniff" :-)

@Tabbithakitten 2 жыл бұрын

@@WhiteFedoraMN if you have an extra video I'll watch it!

@Wannabeblog Ай бұрын

Packet snnifignn

@yomajo 2 жыл бұрын

QR code starts with HY, probably manufacturers serial number.

@langeludo 2 жыл бұрын

Conclusion it's worth buying a second hand ATM.

@sergiol.3755 2 жыл бұрын

I think all the tools and equipment you have is worth more than the ATM

@niceguyjoe 2 жыл бұрын

I hear they're using this as the plot for Ocean's 14

@WhiteFedoraMN 2 жыл бұрын

hahahha, thanks Joe! If anyone ever wants to use this hack in a movie I will gladly consult :-)

@MrEndzo Жыл бұрын

Yeah but can it play Crysis?

@blissbyrne 2 жыл бұрын

But Soon ........... Bitcoin - the new bank heists are not of the cash grab sort as much now, nor into the future. 600 million - no here have it back i was only joking .

@dragade101 Жыл бұрын

Is this above the skillset of a common thief? I think so. Are the 'security' protocols around the two main bypass pins robust? Hardly. Like elevators, ATMs are meant to be opened up and operated by authorised personnel. Are there enough hurdles that the common thief will not find this? Likely (at least R&D limits this how easy the access is). A tangent: as an ATM owner, are you responsible for the cash or does the ATM manufacture take some liability? That they would pay out for up to X usd if this machine was covertly breached? (which I assume would be a hard legal fight). (My guess and concern almost is that these machines are all on the owner and the establishment would be fully liable. Kind of like how casinos had bad slot machines for decades - bad at not triggering the jack pot (if you knew how to trigger it)).

@miata350 Жыл бұрын

Play Doom on it

@mikeoliver4368 2 жыл бұрын

The screw hole is an 8/32 not 1/4”

@TRD_Mike 2 жыл бұрын

Nope, wrong. The true diameter is 16/64th. Precision is required.

@DJUNOS Жыл бұрын

I accept this videos are interesting but who else feels sleepy when watching , is it only me or others are there .

@Webhakr-ch2kr 8 ай бұрын

lol, lots of defcon talks are like that. It's about the learning, not the entertainment.

@ElectronicMarine Жыл бұрын

just surprised... a windows ce machine and you cannot fid the code :) then brute force arduino on the keypad generating codes... :( alot of other stuff to play with instead of drilling ...

@rubberonasphalt 2 жыл бұрын

Brb, looking for businesses selling their ATMs

@JustAllinOneResource 10 ай бұрын

This is similar to what the folks did to rip off slot machines years ago. Nothing really spectacular but all in all, anything a human being can create can be hacked. It's as simple as that.

@Webhakr-ch2kr 8 ай бұрын

Props to him for taking the time to do the research and share it though. He did this talk at DEFCON live and the room was packed. There was some content in the live preso that isn't in this pre-recorded version. I think DEFCON had all presenters do a video that year cuz of covid.

@Wannabeblog Ай бұрын

Yet loser make it all shady and scary and STUPID with all the videos around instead of something cool

@enc4p 2 жыл бұрын

10:48 gold moment

@WhiteFedoraMN 2 жыл бұрын

:-)

@thelockpickinglebowski633 Жыл бұрын

Why so needlessly coy about the dollar amount found inside the ATM?

@ralfmaximus4295 Жыл бұрын

Taxes.

@adam6806 2 жыл бұрын

I hate to admit this but I will say in my defense I was tired when I was watching this. At one point I thought to myself, why not just put your card in and withdraw the money the normal way to get it out? lmao

@amir3515 2 жыл бұрын

Especially when you can use any card, not just your own ;)

@TomJones-wi4nh 2 жыл бұрын

Occam's razor has entered the chat, but his way was a lot more fun to watch :-)

@WhiteFedoraMN 2 жыл бұрын

@@TomJones-wi4nh Thanks for watching!

@EdHayes3 2 жыл бұрын

Interesting talk. Work on your UMs ;-)

@50_Pence 2 жыл бұрын

Hi fbi

@WhiteFedoraMN 2 жыл бұрын

Maybe cops and/or the FBI can now be on the lookout for this type of exploit?? Maybe somewhere there is a "All the $$ disappeared from this ATM without damage" cold case file?

@Msantor1605 2 жыл бұрын

"in my opinion, cash is not going anywhere." *Laughs in one world government*

@Msantor1605 2 жыл бұрын

@David Reads Yes, but your comment is completely irrelevant when the context of both my comment and the comment I was replying to was on the subject of a machine that exchanges government issued currency....

@tebbenjo 2 жыл бұрын

Can't tell if dog whistle or just joke. Although that's the point of a good dog whistle I guess

@WhiteFedoraMN 2 жыл бұрын

I just meant that cash still provides anonymity for the user (to some degree).