Hackfest 2020

XFS: The Protocol behind ATM Jackpotting
2020-11-21, 11:00–11:50, Hackfest - Track 1

Ten years ago, Barnaby Jack famously showed the world that ATMs could be jackpotted. Has the ATM security landscape changed since then? Is this type of attack still possible? How difficult is it really to perform? As it turns out, all that is required in 2020 to successfully jackpot an ATM is intermediate C programming and physical access to the cabinet, and the C programming part is about to become optional!


At the core of modern ATM attacks is a specification known as Extended Financial Services (XFS), which was put together by industry experts to solve multi-vendor, multi-hardware interoperability woes. The documentation is freely available, and the specification provides an interface for financial software to interact uniformly with compatible hardware regardless of vendor and implementation details.

In this talk we give a quick overview of a realistic threat model for attacks against ATMs and focus on the software-hardware interface. We begin with a cursory introduction to the XFS protocol and how it works, then provide a security analysis of some of the features included in the foundational structure of the protocol. Some of the major risks that we have uncovered will be presented in detail, and sample implementation code will be shown. We also open-source the tool that we developed to explore the XFS protocol and issue commands directly to ATM hardware, bypassing any business logic and software protections. We show that the XFS protocol has major security flaws: any type of code execution achieved on an ATM is enough to perform various attacks, including arbitrary unauthenticated withdrawals (jackpotting) and in-software sniffing of card readers and PIN readers. We conclude by providing mitigation strategies that operators can implement immediately and discuss the long-term changes that must happen to make XFS safer.


Are you releasing a tool? – yes