0
00:00:00,000 --> 00:00:30,000
Dear viewer, these subtitles were generated by a machine via the service Trint and therefore are (very) buggy. If you are capable, please help us to create good quality subtitles: https://c3subtitles.de/talk/698 Thanks!

1
00:00:16,540 --> 00:00:18,759
So for the very last talk of this

2
00:00:18,760 --> 00:00:19,760
evening,

3
00:00:21,040 --> 00:00:23,079
after learning how to break into

4
00:00:23,080 --> 00:00:25,929
intercoms, we're going to learn

5
00:00:25,930 --> 00:00:27,999
a huge number of ways in

6
00:00:28,000 --> 00:00:31,149
which you can break into ATMs.

7
00:00:31,150 --> 00:00:33,729
We go to Olga and Aleksi.

8
00:00:33,730 --> 00:00:35,499
They are part of the penetration testing

9
00:00:35,500 --> 00:00:37,689
team at Kaspersky Lab and

10
00:00:37,690 --> 00:00:39,279
they will tell us more about this.

11
00:00:39,280 --> 00:00:40,280
Thank you.

12
00:00:49,380 --> 00:00:51,569
So most of you use the

13
00:00:51,570 --> 00:00:53,969
bank cards to buy something in shops

14
00:00:53,970 --> 00:00:56,129
and malls and other places,

15
00:00:56,130 --> 00:00:58,199
but sometimes you need cash, for

16
00:00:58,200 --> 00:01:01,529
example, when you go to the

17
00:01:01,530 --> 00:01:03,599
lounge and want to buy

18
00:01:03,600 --> 00:01:06,599
some junk and

19
00:01:06,600 --> 00:01:09,359
you need to go to the ATM and

20
00:01:09,360 --> 00:01:11,999
you look around and search for skimmers,

21
00:01:12,000 --> 00:01:14,579
for hidden cameras, for

22
00:01:14,580 --> 00:01:16,829
some fake pin pads or some other

23
00:01:16,830 --> 00:01:18,779
stuff from bad guys.
24
00:01:18,780 --> 00:01:21,599
And then, if everything is okay,

25
00:01:21,600 --> 00:01:23,999
you insert one

26
00:01:24,000 --> 00:01:26,219
card into it, enter

27
00:01:26,220 --> 00:01:28,289
your PIN, enter the amount of

28
00:01:28,290 --> 00:01:30,419
money and

29
00:01:30,420 --> 00:01:31,519
what you can see then:

30
00:01:32,550 --> 00:01:34,619
the ATM says that there is no money

31
00:01:34,620 --> 00:01:36,779
for a long time from

32
00:01:36,780 --> 00:01:39,239
bank side. But this ATM

33
00:01:39,240 --> 00:01:41,039
is full of money.

34
00:01:41,040 --> 00:01:43,979
That's because some hacker like you

35
00:01:43,980 --> 00:01:46,859
maybe right now ejects

36
00:01:46,860 --> 00:01:48,840
all money from this ATM.

37
00:01:50,530 --> 00:01:53,289
And if he was really like you,

38
00:01:53,290 --> 00:01:56,139
he obtained a quarter million

39
00:01:56,140 --> 00:01:58,239
euros, and that's

40
00:01:58,240 --> 00:02:00,879
because the ATM,

41
00:02:00,880 --> 00:02:02,920
this is not ideal.

42
00:02:04,090 --> 00:02:07,119
So today we would like to

43
00:02:07,120 --> 00:02:09,939
tell you about the ideal situation

44
00:02:09,940 --> 00:02:12,369
when the ATM is

45
00:02:12,370 --> 00:02:14,739
secure with several

46
00:02:14,740 --> 00:02:16,029
levels of protection.

47
00:02:19,130 --> 00:02:21,979
And the phone to say hello,

48
00:02:21,980 --> 00:02:24,569
I am and he is my colleague

49
00:02:24,570 --> 00:02:26,689
Elizabeth, we are from Kaspersky

50
00:02:26,690 --> 00:02:27,690
Lab.

51
00:02:28,820 --> 00:02:31,289
We get our knowledge from ATM

52
00:02:31,290 --> 00:02:33,839
security assessment, penetration testing,

53
00:02:33,840 --> 00:02:36,619
forensic investigation and the other

54
00:02:36,620 --> 00:02:38,989
fornia activities.

55
00:02:38,990 --> 00:02:41,089
But first of all, let me give

56
00:02:41,090 --> 00:02:42,889
you several words about the ATM in

57
00:02:42,890 --> 00:02:44,329
general, just for you.
58
00:02:44,330 --> 00:02:45,330
The stage

59
00:02:46,580 --> 00:02:48,739
you might be familiar with various types

60
00:02:48,740 --> 00:02:51,409
of ATMs, for example, cash-in

61
00:02:51,410 --> 00:02:53,599
or cash-out ATMs

62
00:02:53,600 --> 00:02:55,909
or even recycling systems.

63
00:02:55,910 --> 00:02:58,039
It might be standalone ATMs

64
00:02:58,040 --> 00:03:00,469
or through-the-wall ATMs, but

65
00:03:00,470 --> 00:03:02,749
it should be noticed that there

66
00:03:02,750 --> 00:03:05,629
are several

67
00:03:05,630 --> 00:03:07,550
ATM vendors around the world.

68
00:03:09,340 --> 00:03:12,259
They just take

69
00:03:12,260 --> 00:03:14,659
small parts, small hardware units

70
00:03:14,660 --> 00:03:17,029
produced by various manufacturers and

71
00:03:17,030 --> 00:03:19,069
put it together into the box and call it

72
00:03:19,070 --> 00:03:21,559
ATM. So just telegrapher

73
00:03:21,560 --> 00:03:22,999
big vendors for Big

74
00:03:24,410 --> 00:03:25,410
Macs.

75
00:03:26,550 --> 00:03:29,339
So the box of

76
00:03:29,340 --> 00:03:31,799
ATM is called cabinet,

77
00:03:31,800 --> 00:03:34,889
there is a PC, just the usual PC,

78
00:03:34,890 --> 00:03:37,919
card reader, pin pad and so on,

79
00:03:37,920 --> 00:03:41,159
the bottom box of ATM,

80
00:03:41,160 --> 00:03:42,160
called safe.

81
00:03:43,410 --> 00:03:45,479
There are some financial devices such as

82
00:03:45,480 --> 00:03:47,579
dispenser to eject money

83
00:03:47,580 --> 00:03:50,249
or note acceptor to insert money

84
00:03:50,250 --> 00:03:51,250
and so on.

85
00:03:51,990 --> 00:03:54,119
All hardware units connected to

86
00:03:54,120 --> 00:03:56,520
PC through or USB port.
87
00:03:58,020 --> 00:03:59,309
The main main

88
00:04:00,450 --> 00:04:03,209
software is the Microsoft

89
00:04:03,210 --> 00:04:05,849
Windows operating system and

90
00:04:05,850 --> 00:04:08,759
in most cases

91
00:04:08,760 --> 00:04:10,479
it ran on Windows XP,

92
00:04:11,520 --> 00:04:13,679
despite the fact that Microsoft stopped

93
00:04:13,680 --> 00:04:15,629
supporting this operating system almost

94
00:04:15,630 --> 00:04:16,630
three years ago.

95
00:04:18,029 --> 00:04:19,029
There is also

96
00:04:20,220 --> 00:04:22,469
ATM software, which provides

97
00:04:22,470 --> 00:04:24,519
graphical user interface to interact with

98
00:04:24,520 --> 00:04:26,849
the customers or with

99
00:04:26,850 --> 00:04:28,159
service engineers.

100
00:04:28,160 --> 00:04:30,659
Other part of the software

101
00:04:30,660 --> 00:04:32,849
is a piece of software to

102
00:04:32,850 --> 00:04:34,649
communicate with processing center,

103
00:04:35,880 --> 00:04:37,560
to interact with bank networks.

104
00:04:38,640 --> 00:04:41,159
And the last part is

105
00:04:41,160 --> 00:04:43,079
device control systems.

106
00:04:43,080 --> 00:04:45,329
There is also some security

107
00:04:45,330 --> 00:04:47,759
software, such as antivirus, integrity

108
00:04:47,760 --> 00:04:50,639
control systems or video surveillance.

109
00:04:50,640 --> 00:04:53,069
But there is also and

110
00:04:53,070 --> 00:04:55,229
often some

111
00:04:55,230 --> 00:04:57,659
very creepy software and very

112
00:04:57,660 --> 00:04:59,729
new software in the

113
00:04:59,730 --> 00:05:01,949
sometimes the software

114
00:05:01,950 --> 00:05:04,049
gives attacker unlimited control to the

115
00:05:04,050 --> 00:05:05,050
ATM.

116
00:05:06,180 --> 00:05:07,349
What about devices?

117
00:05:07,350 --> 00:05:08,999
Devices are unclear.
118
00:05:09,000 --> 00:05:11,009
There are some strange microcontrollers

119
00:05:11,010 --> 00:05:13,229
or real-time operating systems

120
00:05:13,230 --> 00:05:15,299
and usually

121
00:05:15,300 --> 00:05:17,489
guys who offer the broad very sad

122
00:05:17,490 --> 00:05:18,490
about it.

123
00:05:20,240 --> 00:05:22,429
On the slide, you can see a small schema

124
00:05:22,430 --> 00:05:24,499
of ATM and it is

125
00:05:24,500 --> 00:05:26,869
not complex and very linear,

126
00:05:28,160 --> 00:05:30,109
it should be easy to implement secure

127
00:05:30,110 --> 00:05:31,639
communication.

128
00:05:31,640 --> 00:05:33,829
Generally, no data from hardware

129
00:05:33,830 --> 00:05:35,920
units is needed inside ATM

130
00:05:37,130 --> 00:05:39,439
and requested by so-called

131
00:05:39,440 --> 00:05:41,659
processing center that

132
00:05:41,660 --> 00:05:43,759
makes the decision to give or

133
00:05:43,760 --> 00:05:44,779
not give money,

134
00:05:45,950 --> 00:05:47,809
other components.

135
00:05:47,810 --> 00:05:49,999
So just relay data, wrapping

136
00:05:50,000 --> 00:05:51,470
it in additional

137
00:05:52,670 --> 00:05:55,909
security layers like onion

138
00:05:55,910 --> 00:05:57,140
and that networks

139
00:05:59,540 --> 00:06:01,789
to get to the data or money.

140
00:06:01,790 --> 00:06:03,979
One should uncover all

141
00:06:03,980 --> 00:06:06,319
layers or be

142
00:06:06,320 --> 00:06:08,779
very near to money in

143
00:06:08,780 --> 00:06:11,209
Wonderland. All ATMs are secure.

144
00:06:11,210 --> 00:06:12,559
And let's see how.

145
00:06:17,110 --> 00:06:19,349
The lowest level is closest to money

146
00:06:19,350 --> 00:06:21,029
and very important to protect.

147
00:06:23,290 --> 00:06:25,599
Money is contained in the cassettes

148
00:06:25,600 --> 00:06:27,759
and the length cassettes are

149
00:06:27,760 --> 00:06:29,169
themselves secure.
150
00:06:29,170 --> 00:06:31,179
No one can get money from them without

151
00:06:31,180 --> 00:06:33,129
any special permissions.

152
00:06:33,130 --> 00:06:35,319
They are not only physically secure, but

153
00:06:35,320 --> 00:06:37,149
also logically secure.

154
00:06:37,150 --> 00:06:39,699
If someone will try to eject money,

155
00:06:39,700 --> 00:06:41,790
it will be evident and very hard

156
00:06:43,630 --> 00:06:46,299
nonetheless. If someone will steal

157
00:06:46,300 --> 00:06:48,369
the cassettes, it will be

158
00:06:48,370 --> 00:06:49,540
easy to trace them

159
00:06:50,620 --> 00:06:53,019
and if someone

160
00:06:53,020 --> 00:06:55,209
will try to open the cassette,

161
00:06:55,210 --> 00:06:57,159
the money will be destroyed.

162
00:06:57,160 --> 00:06:58,899
For example, on the slide you can see

163
00:06:58,900 --> 00:07:00,079
money destroyed. This could go

164
00:07:01,600 --> 00:07:03,819
in extreme case, even if cassette is

165
00:07:03,820 --> 00:07:06,459
open and the money is not destroyed.

166
00:07:06,460 --> 00:07:08,769
Bank can trace banknotes by different

167
00:07:08,770 --> 00:07:10,959
means, for example, by using

168
00:07:10,960 --> 00:07:13,149
sequential numbers on

169
00:07:13,150 --> 00:07:15,369
the banknotes and they

170
00:07:15,370 --> 00:07:17,889
can be traced like in the movies.

171
00:07:17,890 --> 00:07:20,379
And not only cash

172
00:07:20,380 --> 00:07:22,029
is the goal for criminals,

173
00:07:23,170 --> 00:07:26,019
they also hunt for card data.

174
00:07:26,020 --> 00:07:28,209
But in an ideal world, card data

175
00:07:28,210 --> 00:07:29,829
can't be stolen.

176
00:07:29,830 --> 00:07:32,469
There is no data to be copied

177
00:07:32,470 --> 00:07:35,229
and that is what dynamic data is.
178
00:07:35,230 --> 00:07:37,749
It uses challenge-response schema

179
00:07:37,750 --> 00:07:40,119
that protects against attacks

180
00:07:40,120 --> 00:07:42,519
and in this case, that data

181
00:07:42,520 --> 00:07:43,520
cannot be stolen.

182
00:07:45,030 --> 00:07:47,339
But it was only in Wonderland

183
00:07:47,340 --> 00:07:49,739
because since bank card contains

184
00:07:49,740 --> 00:07:52,379
magstripe, it can be intercepted

185
00:07:52,380 --> 00:07:54,899
and EMV is not a panacea

186
00:07:54,900 --> 00:07:57,209
until there are places and even

187
00:07:57,210 --> 00:07:59,439
countries that don't use

188
00:07:59,440 --> 00:08:00,539
the chips.

189
00:08:00,540 --> 00:08:02,609
There is always a possibility to withdraw

190
00:08:02,610 --> 00:08:04,679
money, you know, using only magstripe.

191
00:08:06,300 --> 00:08:08,609
Even then, there is a possibility for

192
00:08:08,610 --> 00:08:10,589
online relay attack.

193
00:08:10,590 --> 00:08:13,619
You insert the card in some ATM,

194
00:08:13,620 --> 00:08:15,959
but money is dispensed from another

195
00:08:15,960 --> 00:08:16,960
ATM.

196
00:08:17,580 --> 00:08:19,319
As for cassettes, they are not so

197
00:08:19,320 --> 00:08:20,699
secure.

198
00:08:20,700 --> 00:08:23,159
Most of cassettes have

199
00:08:23,160 --> 00:08:25,379
all the mechanics to check notes

200
00:08:25,380 --> 00:08:27,349
outside of cassettes.

201
00:08:27,350 --> 00:08:30,289
So it is possible for attackers to get

202
00:08:30,290 --> 00:08:32,619
cash by using only

203
00:08:32,620 --> 00:08:34,849
a screwdriver and

204
00:08:34,850 --> 00:08:36,918
if money was stolen, it is hard to

205
00:08:36,919 --> 00:08:39,288
trace them because it is still

206
00:08:39,289 --> 00:08:41,509
hard to mark them

207
00:08:41,510 --> 00:08:43,669
and to know where they are used.

208
00:08:45,700 --> 00:08:47,979
So let's go up to level one, it's

209
00:08:47,980 --> 00:08:49,329
a hardware unit level.
210
00:08:51,130 --> 00:08:53,379
And as I already mentioned,

211
00:08:53,380 --> 00:08:55,959
attacker can get

212
00:08:55,960 --> 00:08:58,209
a quarter million euros from

213
00:08:58,210 --> 00:08:59,499
each ATM.

214
00:08:59,500 --> 00:09:02,649
I think it's enough for

215
00:09:02,650 --> 00:09:04,749
this amount of money is

216
00:09:04,750 --> 00:09:07,029
enough for a couple of junk

217
00:09:07,030 --> 00:09:08,529
for everyone.

218
00:09:08,530 --> 00:09:10,689
And the typical

219
00:09:10,690 --> 00:09:12,969
dispenser consists of four

220
00:09:12,970 --> 00:09:15,159
cash cassettes and the one cassette for

221
00:09:15,160 --> 00:09:16,479
rejected notes.

222
00:09:16,480 --> 00:09:18,729
There are also

223
00:09:18,730 --> 00:09:21,249
many sensors, slates and mechanisms,

224
00:09:21,250 --> 00:09:23,679
which was Dromana, some of them

225
00:09:23,680 --> 00:09:25,929
just from cassettes, other ones

226
00:09:25,930 --> 00:09:27,759
presented to the customer,

227
00:09:29,140 --> 00:09:31,239
other ones circumciser of banknotes and

228
00:09:31,240 --> 00:09:32,389
so on.

229
00:09:32,390 --> 00:09:34,509
So we looked like where

230
00:09:34,510 --> 00:09:35,620
should be very complex.

231
00:09:37,660 --> 00:09:39,729
There are other interesting

232
00:09:39,730 --> 00:09:41,859
devices, card reader, which

233
00:09:41,860 --> 00:09:44,589
used to read mag stripe

234
00:09:44,590 --> 00:09:46,689
and also used to communicate with

235
00:09:46,690 --> 00:09:50,049
chip to conduct financial transactions

236
00:09:50,050 --> 00:09:52,539
and to check biometric data contained

237
00:09:52,540 --> 00:09:54,699
on the chip regarding card

238
00:09:54,700 --> 00:09:56,349
technologies.
239
00:09:56,350 --> 00:09:58,389
This device also should communicate with

240
00:09:58,390 --> 00:10:00,639
other units, such as pin

241
00:10:00,640 --> 00:10:02,769
pad for offline notification and

242
00:10:02,770 --> 00:10:04,619
biometric devices for biometric

243
00:10:04,620 --> 00:10:05,620
litigation.

244
00:10:07,340 --> 00:10:08,950
Pin pad is used together with

245
00:10:10,060 --> 00:10:12,609
data for clients of education,

246
00:10:12,610 --> 00:10:14,979
it is the most secure element

247
00:10:14,980 --> 00:10:17,169
because of different standards,

248
00:10:17,170 --> 00:10:19,599
EMV and other standards provide

249
00:10:19,600 --> 00:10:22,149
the bottom line that

250
00:10:22,150 --> 00:10:23,150
should comply to.

251
00:10:24,100 --> 00:10:26,169
But not everyone knows that

252
00:10:26,170 --> 00:10:28,689
there are two modes of operation.

253
00:10:28,690 --> 00:10:30,639
Secure and open.

254
00:10:30,640 --> 00:10:32,979
Secure, secure mode is used

255
00:10:32,980 --> 00:10:35,139
for PIN code and open mode

256
00:10:35,140 --> 00:10:36,489
is used for other inputs.

257
00:10:36,490 --> 00:10:38,829
For example, when you enter amount

258
00:10:38,830 --> 00:10:40,989
of money by

259
00:10:40,990 --> 00:10:42,879
Biometric authentication gains popularity

260
00:10:42,880 --> 00:10:45,039
because of increased security,

261
00:10:45,040 --> 00:10:46,839
there are different kinds of recognition,

262
00:10:46,840 --> 00:10:49,329
such as iris, fingerprint, face

263
00:10:49,330 --> 00:10:50,499
and so on.

264
00:10:50,500 --> 00:10:52,779
Such features uniquely identify

265
00:10:52,780 --> 00:10:54,999
a. So it is considered if

266
00:10:55,000 --> 00:10:57,279
they are presented to ATM,

267
00:10:57,280 --> 00:10:58,659
such user is considered good

268
00:10:59,830 --> 00:11:02,279
such features can be revoked or changed.
269
00:11:03,520 --> 00:11:05,009
Only processing center

270
00:11:06,020 --> 00:11:08,259
can send commands to hardware units

271
00:11:08,260 --> 00:11:10,569
and hardware units and the ticket

272
00:11:10,570 --> 00:11:13,029
processing center, but sometimes

273
00:11:13,030 --> 00:11:15,189
under guarantees integrity

274
00:11:15,190 --> 00:11:17,499
of commands, but data

275
00:11:17,500 --> 00:11:19,419
should be also protected with encryption.

276
00:11:20,860 --> 00:11:23,019
In ideal situation, this data is

277
00:11:23,020 --> 00:11:25,929
only needed in processing center.

278
00:11:25,930 --> 00:11:28,389
Because firmware controls hardware units,

279
00:11:28,390 --> 00:11:31,359
it should not be easily modifiable,

280
00:11:31,360 --> 00:11:32,719
but it was another lie.

281
00:11:33,730 --> 00:11:36,279
Unfortunately, only so-called sensitive

282
00:11:36,280 --> 00:11:38,589
moments are dedicated.

283
00:11:38,590 --> 00:11:40,749
For example, dispense but not present,

284
00:11:40,750 --> 00:11:42,129
if you speak about dispenser.

285
00:11:43,630 --> 00:11:45,789
Rumor has it that pin pad encrypts

286
00:11:45,790 --> 00:11:48,129
all data that comes from it,

287
00:11:48,130 --> 00:11:50,349
but it encrypts

288
00:11:50,350 --> 00:11:52,749
only PIN code but not data

289
00:11:52,750 --> 00:11:54,939
and active mechanism that can change.

290
00:11:54,940 --> 00:11:56,199
One common theme is another

291
00:11:57,340 --> 00:11:59,229
good thing is that the PIN code is

292
00:11:59,230 --> 00:12:02,649
encrypted in such a way that data

293
00:12:02,650 --> 00:12:04,689
can be decrypted only in processing

294
00:12:04,690 --> 00:12:05,779
center.

295
00:12:05,780 --> 00:12:07,659
Why it is not done for other hardware

296
00:12:07,660 --> 00:12:08,769
units?

297
00:12:08,770 --> 00:12:10,209
It's a question I don't know.

298
00:12:11,500 --> 00:12:13,449
As for firmware modification.
299
00:12:13,450 --> 00:12:15,879
Firmware is often stored

300
00:12:15,880 --> 00:12:17,949
on the ATM hard drive as

301
00:12:17,950 --> 00:12:20,019
a hex file and actually

302
00:12:20,020 --> 00:12:22,239
it's not that hard to add some piece

303
00:12:22,240 --> 00:12:24,429
of code to existing firmware to

304
00:12:24,430 --> 00:12:26,529
create a hidden backdoor.

305
00:12:26,530 --> 00:12:29,019
It will react on sequence of

306
00:12:29,020 --> 00:12:31,359
the money dispense, if you are speaking

307
00:12:31,360 --> 00:12:32,360
about dispenser.

308
00:12:34,520 --> 00:12:36,729
Standards create a baseline for

309
00:12:36,730 --> 00:12:39,199
data security, but the standards

310
00:12:39,200 --> 00:12:41,299
are not enforced and easily bypassed by

311
00:12:41,300 --> 00:12:42,499
banks.

312
00:12:42,500 --> 00:12:44,419
Also, there are no such standards for

313
00:12:44,420 --> 00:12:45,979
biometric devices.

314
00:12:45,980 --> 00:12:48,289
And I think it's strange because

315
00:12:48,290 --> 00:12:50,389
you can easily change your PIN code or

316
00:12:50,390 --> 00:12:52,459
your bank cards, but

317
00:12:52,460 --> 00:12:54,829
you cannot change your iris

318
00:12:54,830 --> 00:12:55,830
or your finger.

319
00:12:56,990 --> 00:12:59,209
And additionally, there are many systems

320
00:12:59,210 --> 00:13:01,579
which use biometric litigation such

321
00:13:01,580 --> 00:13:04,339
as passports, visas and so on.

322
00:13:04,340 --> 00:13:06,469
It means that if you lost the

323
00:13:06,470 --> 00:13:08,539
biometric data, you might as

324
00:13:08,540 --> 00:13:10,369
well lose your identity.

325
00:13:10,370 --> 00:13:12,649
And thank you so much this

326
00:13:12,650 --> 00:13:14,389
guys who built this wall.
327
00:13:16,670 --> 00:13:19,069
OK, we have spoken about hardware units,

328
00:13:19,070 --> 00:13:21,049
but all these hardware units should be

329
00:13:21,050 --> 00:13:23,269
somehow connected to the computer,

330
00:13:23,270 --> 00:13:24,710
to the processing center, and so

331
00:13:25,790 --> 00:13:28,489
often it is just ordinary COM ports

332
00:13:28,490 --> 00:13:30,179
or USB devices.

333
00:13:30,180 --> 00:13:32,509
But it's often forgotten that USB

334
00:13:32,510 --> 00:13:33,739
is also a bus.

335
00:13:33,740 --> 00:13:35,959
And there are different more

336
00:13:35,960 --> 00:13:38,779
searches that you can easily Google

337
00:13:38,780 --> 00:13:40,849
that connect some device to

338
00:13:40,850 --> 00:13:43,339
some part of the USB

339
00:13:43,340 --> 00:13:45,499
USB hub and obtain all the data

340
00:13:45,500 --> 00:13:48,199
that is transmitted over the other lines.

341
00:13:48,200 --> 00:13:50,359
And often banks unfortunately

342
00:13:50,360 --> 00:13:52,849
say, OK, we have USB connections,

343
00:13:52,850 --> 00:13:55,069
no one ever can sniff this

344
00:13:55,070 --> 00:13:57,379
data transmitted and so on.

345
00:13:57,380 --> 00:13:59,749
But unfortunately, that's not the case.

346
00:13:59,750 --> 00:14:01,999
Some older ATMs use

347
00:14:02,000 --> 00:14:04,459
so-called indice, but

348
00:14:04,460 --> 00:14:07,339
it's RS-485

349
00:14:07,340 --> 00:14:09,739
with a common line and

350
00:14:09,740 --> 00:14:11,839
every device on this bus can

351
00:14:11,840 --> 00:14:14,299
send command to another device.

352
00:14:14,300 --> 00:14:17,029
And often it is used by malicious guys

353
00:14:17,030 --> 00:14:19,129
who understand how it works.

354
00:14:19,130 --> 00:14:20,990
And unfortunately,

355
00:14:22,130 --> 00:14:24,589
ATM vendors and banks weren't prepared

356
00:14:24,590 --> 00:14:25,759
for this breach.
357
00:14:28,310 --> 00:14:30,679
These communication lines

358
00:14:30,680 --> 00:14:32,179
should also be considered

359
00:14:33,800 --> 00:14:36,719
vulnerable and also should be encrypted

360
00:14:36,720 --> 00:14:39,509
and in ideal situation in Wonderland,

361
00:14:39,510 --> 00:14:41,089
these communications are encrypted.

362
00:14:41,090 --> 00:14:42,649
The data that is transmitted is

363
00:14:42,650 --> 00:14:45,289
encrypted, is actually easier to

364
00:14:45,290 --> 00:14:46,249
know to create.

365
00:14:46,250 --> 00:14:48,589
And there are even some

366
00:14:48,590 --> 00:14:50,839
startups which protect these

367
00:14:50,840 --> 00:14:53,119
boxes from hardware

368
00:14:53,120 --> 00:14:55,459
attacks, that protect communication

369
00:14:55,460 --> 00:14:56,389
between them.

370
00:14:56,390 --> 00:14:58,849
But unfortunately, unfortunately,

371
00:14:58,850 --> 00:15:01,519
they also don't understand how

372
00:15:01,520 --> 00:15:02,509
these devices work.

373
00:15:02,510 --> 00:15:05,119
And sometimes it's

374
00:15:05,120 --> 00:15:07,549
only a security by obscurity

375
00:15:07,550 --> 00:15:09,769
and doesn't create any new

376
00:15:09,770 --> 00:15:12,139
protections and new security to

377
00:15:12,140 --> 00:15:14,249
protect the devices that are connected

378
00:15:14,250 --> 00:15:15,830
to USB bus and so on.

379
00:15:17,750 --> 00:15:20,509
We often heard that tampering with the

380
00:15:20,510 --> 00:15:22,669
cables with the virus is very

381
00:15:22,670 --> 00:15:25,519
hard and no one can do it.

382
00:15:25,520 --> 00:15:28,489
And you will see in the

383
00:15:28,490 --> 00:15:30,619
future slides that the

384
00:15:30,620 --> 00:15:33,049
bad guys are already there.

385
00:15:33,050 --> 00:15:35,269
And here's a small presentation of

386
00:15:35,270 --> 00:15:37,399
what can do some device

387
00:15:37,400 --> 00:15:39,739
that is connected to the USB

388
00:15:39,740 --> 00:15:41,870
of the dispenser.
389
00:15:43,340 --> 00:15:45,589
So here is our

390
00:15:45,590 --> 00:15:47,569
first bet, our ATMs love.

391
00:15:47,570 --> 00:15:49,999
And here's our attacker,

392
00:15:50,000 --> 00:15:52,459
who might be Motoki

393
00:15:52,460 --> 00:15:54,529
from the Internet or from

394
00:15:54,530 --> 00:15:55,530
from an insider.

395
00:15:57,230 --> 00:15:59,539
Attacker can bypass the first level of

396
00:15:59,540 --> 00:16:01,340
security, the physical level,

397
00:16:02,960 --> 00:16:03,960
and

398
00:16:05,120 --> 00:16:07,309
disconnect the USB cable,

399
00:16:07,310 --> 00:16:09,499
USB dispenser's cable, from

400
00:16:09,500 --> 00:16:11,569
the ATM computer and

401
00:16:11,570 --> 00:16:13,969
connect it to specially crafted device.

402
00:16:13,970 --> 00:16:15,649
In our case, it's transmitted by this

403
00:16:15,650 --> 00:16:17,929
piece of code and the Wi-Fi dongle and

404
00:16:17,930 --> 00:16:18,930
the battery.

405
00:16:19,370 --> 00:16:21,979
Now we can see that dispenser

406
00:16:21,980 --> 00:16:23,839
is in the red box and

407
00:16:24,860 --> 00:16:27,079
it's offline, but

408
00:16:27,080 --> 00:16:28,080
it still works.

409
00:16:31,360 --> 00:16:33,489
Attacker sends the dispense

410
00:16:33,490 --> 00:16:35,649
commands just using their

411
00:16:35,650 --> 00:16:38,139
smartphone to Raspberry

412
00:16:38,140 --> 00:16:40,209
Pi through Wi-Fi and

413
00:16:40,210 --> 00:16:42,279
the Wi-Fi I

414
00:16:42,280 --> 00:16:44,349
sends these commands to

415
00:16:44,350 --> 00:16:47,079
dispenser directly and

416
00:16:47,080 --> 00:16:49,359
it means that it bypassed

417
00:16:49,360 --> 00:16:51,789
all security measures which are implemented

418
00:16:51,790 --> 00:16:54,190
on the ATM computer.

419
00:17:00,070 --> 00:17:02,199
So in only a couple of minutes,

420
00:17:02,200 --> 00:17:04,659
our attacker gets a portion

421
00:17:04,660 --> 00:17:05,660
of the.
422
00:17:13,150 --> 00:17:15,368
As you can understand, this attack might

423
00:17:15,369 --> 00:17:17,200
be repeated many, many times

424
00:17:18,369 --> 00:17:20,919
until it becomes clear. OK.

425
00:17:20,920 --> 00:17:23,078
We spoke about these devices

426
00:17:23,079 --> 00:17:25,809
and the connections, but obviously

427
00:17:25,810 --> 00:17:28,568
there is an operating system that controls

428
00:17:28,569 --> 00:17:30,879
such devices with

429
00:17:30,880 --> 00:17:31,899
different software.

430
00:17:31,900 --> 00:17:34,329
Different software means, as already

431
00:17:34,330 --> 00:17:36,699
mentioned, there are some

432
00:17:36,700 --> 00:17:39,189
Windows-based operating systems,

433
00:17:39,190 --> 00:17:40,629
often it's Windows XP.

434
00:17:40,630 --> 00:17:43,269
And we often heard from the bank that

435
00:17:43,270 --> 00:17:45,639
the, I think, half

436
00:17:45,640 --> 00:17:47,829
a year ago, some bank told us

437
00:17:47,830 --> 00:17:50,319
we finally, finally managed to

438
00:17:50,320 --> 00:17:52,569
move from Windows XP to Windows 7.

439
00:17:52,570 --> 00:17:54,699
Come on, guys, it's Windows already.

440
00:17:54,700 --> 00:17:56,769
And you're a bit

441
00:17:56,770 --> 00:17:57,770
late. And

442
00:17:59,290 --> 00:18:01,179
there are service providers that

443
00:18:01,180 --> 00:18:03,069
generally represent communication with

444
00:18:03,070 --> 00:18:05,569
the devices in the ATM.

445
00:18:06,680 --> 00:18:09,159
They are not the drivers.

446
00:18:09,160 --> 00:18:10,419
They're space.

447
00:18:10,420 --> 00:18:13,089
And communication is done by

448
00:18:13,090 --> 00:18:15,639
Lipinsky Library.
449
00:18:15,640 --> 00:18:18,129
And actually, if you connect it,

450
00:18:18,130 --> 00:18:20,739
if you install on the ATM

451
00:18:20,740 --> 00:18:23,139
Linux operating system, all the devices

452
00:18:23,140 --> 00:18:24,969
will be presented as

453
00:18:26,470 --> 00:18:28,839
USB devices with

454
00:18:28,840 --> 00:18:30,539
their names.

455
00:18:30,540 --> 00:18:32,949
So with what they do and

456
00:18:32,950 --> 00:18:35,289
actually you can send any commands, as

457
00:18:35,290 --> 00:18:38,349
you have already seen in the previous

458
00:18:38,350 --> 00:18:40,509
video, and

459
00:18:40,510 --> 00:18:42,249
these service providers are created by

460
00:18:42,250 --> 00:18:43,250
manufacturers.

461
00:18:44,290 --> 00:18:46,479
And it's

462
00:18:46,480 --> 00:18:48,519
illegal that they combine different

463
00:18:48,520 --> 00:18:50,919
devices from different vendors, so

464
00:18:50,920 --> 00:18:53,349
there is some middleware that

465
00:18:53,350 --> 00:18:54,640
communicates from

466
00:18:55,780 --> 00:18:58,299
application that actually

467
00:18:58,300 --> 00:19:00,519
displays information about the

468
00:19:00,520 --> 00:19:03,789
amount of money, this creepy

469
00:19:03,790 --> 00:19:05,679
spam, which is the difference, your

470
00:19:05,680 --> 00:19:07,809
credit cards and so on, on the ATM

471
00:19:07,810 --> 00:19:08,799
machine.

472
00:19:08,800 --> 00:19:10,989
It communicates with its manager.

473
00:19:10,990 --> 00:19:13,569
It provides interpreter.

474
00:19:13,570 --> 00:19:15,339
It provides communication between the

475
00:19:15,340 --> 00:19:17,349
software and the service providers.

476
00:19:17,350 --> 00:19:18,640
So any

477
00:19:20,550 --> 00:19:22,779
any person can create their own

478
00:19:22,780 --> 00:19:24,999
software that doesn't

479
00:19:25,000 --> 00:19:27,819
know anything about ATM machine

480
00:19:27,820 --> 00:19:30,369
but knows the interface of communication.
481
00:19:31,930 --> 00:19:34,569
And Windows application is just

482
00:19:34,570 --> 00:19:36,459
a graphical user interface, it doesn't do

483
00:19:36,460 --> 00:19:38,829
anything, it just

484
00:19:38,830 --> 00:19:41,109
gathers information from the

485
00:19:41,110 --> 00:19:43,549
user, from the devices and sends

486
00:19:45,280 --> 00:19:46,989
it to the processing center.

487
00:19:46,990 --> 00:19:49,449
But unfortunately, it's an ideal situation,

488
00:19:49,450 --> 00:19:50,680
an ideal situation.

489
00:19:51,790 --> 00:19:54,069
These are only proxies.

490
00:19:54,070 --> 00:19:56,439
They don't do anything.

491
00:19:56,440 --> 00:19:58,689
They don't understand what is going on.

492
00:19:58,690 --> 00:20:00,729
They are just doing what they are told by the

493
00:20:00,730 --> 00:20:03,249
processing center, the

494
00:20:03,250 --> 00:20:04,449
secure communication.

495
00:20:04,450 --> 00:20:07,089
But as you have seen in the video,

496
00:20:07,090 --> 00:20:09,159
there is no secure communication with

497
00:20:09,160 --> 00:20:11,399
some devices like dispenser and

498
00:20:11,400 --> 00:20:13,869
none of this

499
00:20:13,870 --> 00:20:16,029
application has no interface.

500
00:20:16,030 --> 00:20:18,339
It doesn't provide any

501
00:20:18,340 --> 00:20:19,450
features, any

502
00:20:21,070 --> 00:20:23,469
additional technical information about

503
00:20:23,470 --> 00:20:26,559
the machine, about the communications.

504
00:20:26,560 --> 00:20:27,609
But unfortunately,

505
00:20:28,630 --> 00:20:30,969
all vendors, all banks

506
00:20:30,970 --> 00:20:32,079
are lazy.

507
00:20:32,080 --> 00:20:34,809
They don't want to spend money to

508
00:20:34,810 --> 00:20:35,859
create different

509
00:20:37,210 --> 00:20:39,309
images of operating system, different

510
00:20:39,310 --> 00:20:41,469
software to use only in

511
00:20:41,470 --> 00:20:42,609
technical means.
512
00:20:42,610 --> 00:20:44,649
They implement everything into one

513
00:20:44,650 --> 00:20:47,079
application and say, OK,

514
00:20:47,080 --> 00:20:49,389
we are now secure. On the right

515
00:20:49,390 --> 00:20:51,519
side of the, on

516
00:20:51,520 --> 00:20:52,839
the right side of the slide,

517
00:20:52,840 --> 00:20:55,509
you can see to begin that is

518
00:20:55,510 --> 00:20:57,729
with us for many, many years.

519
00:20:57,730 --> 00:20:59,919
It was based on offers and

520
00:20:59,920 --> 00:21:02,349
banks or you say, OK, we know

521
00:21:02,350 --> 00:21:03,789
everything about malware.

522
00:21:03,790 --> 00:21:06,099
If we will shift

523
00:21:06,100 --> 00:21:08,409
from the office manager, from the

524
00:21:08,410 --> 00:21:10,659
communication, we will be 100

525
00:21:10,660 --> 00:21:11,799
percent safe.

526
00:21:11,800 --> 00:21:13,959
But unfortunately, on the left-hand side,

527
00:21:13,960 --> 00:21:16,239
you can see another malware

528
00:21:16,240 --> 00:21:18,009
that intercepts communication from

529
00:21:18,010 --> 00:21:20,589
service providers, that just gathers

530
00:21:20,590 --> 00:21:23,169
all information that is already there

531
00:21:23,170 --> 00:21:25,479
without any communication with the first

532
00:21:25,480 --> 00:21:26,480
manager.

533
00:21:27,160 --> 00:21:29,589
And unfortunately, in Wonderland

534
00:21:29,590 --> 00:21:30,849
ATMs are secure.
535 00:21:30,850 --> 00:21:33,159 But in the real situation, ATMs 536 00:21:33,160 --> 00:21:35,409 are very vulnerable, because 537 00:21:35,410 --> 00:21:37,929 every piece of software 538 00:21:37,930 --> 00:21:39,999 on the side of the Windows application, 539 00:21:40,000 --> 00:21:42,259 the XFS manager 540 00:21:42,260 --> 00:21:44,679 or the service providers can issue one command 541 00:21:44,680 --> 00:21:45,680 to 542 00:21:46,810 --> 00:21:48,939 eject money, to get the 543 00:21:48,940 --> 00:21:51,009 information about your credit card, 544 00:21:51,010 --> 00:21:53,409 to get the PIN code by 545 00:21:53,410 --> 00:21:55,569 limiting access to the PIN 546 00:21:55,570 --> 00:21:56,859 pad and so on. 547 00:21:56,860 --> 00:21:58,929 And unfortunately, we have seen such 548 00:21:58,930 --> 00:21:59,930 cases. 549 00:22:00,550 --> 00:22:02,689 There are different bad guys, 550 00:22:02,690 --> 00:22:06,189 criminals, that attack different banks 551 00:22:06,190 --> 00:22:08,619 with such targets: 552 00:22:08,620 --> 00:22:11,319 they install a sniffer like Wireshark 553 00:22:11,320 --> 00:22:14,199 or USBPcap, 554 00:22:14,200 --> 00:22:16,179 they intercept all the data that is 555 00:22:16,180 --> 00:22:18,319 transmitted between the host computer 556 00:22:18,320 --> 00:22:20,499 and the devices, and they get 557 00:22:20,500 --> 00:22:23,529 all the information about your credit card, 558 00:22:23,530 --> 00:22:25,599 the very same information that is used 559 00:22:25,600 --> 00:22:28,479 for your transaction, into a text file 560 00:22:28,480 --> 00:22:30,549 and send it to a 561 00:22:30,550 --> 00:22:32,889 server on the Internet, because ATMs 562 00:22:32,890 --> 00:22:34,989 are generally connected to the Internet, 563 00:22:34,990 --> 00:22:37,000 and unfortunately, it's a problem.
564 00:22:38,300 --> 00:22:40,639 And even if you go to the ATM 565 00:22:40,640 --> 00:22:42,889 machine and watch 566 00:22:42,890 --> 00:22:44,989 for different skimmers, different cameras 567 00:22:44,990 --> 00:22:47,179 and so on, it won't help you, 568 00:22:47,180 --> 00:22:49,339 because your data is 569 00:22:49,340 --> 00:22:51,109 transmitted internally in the 570 00:22:52,940 --> 00:22:55,159 ATM system to the processing center 571 00:22:55,160 --> 00:22:57,349 and so on. Unfortunately, we've seen 572 00:22:57,350 --> 00:22:59,869 such malware that doesn't use general 573 00:22:59,870 --> 00:23:02,359 utilities. It uses 574 00:23:02,360 --> 00:23:04,099 access to the service providers. 575 00:23:04,100 --> 00:23:06,389 And also we'll show you an example of such 576 00:23:06,390 --> 00:23:07,390 malware. 577 00:23:08,840 --> 00:23:10,499 So here is our video again. 578 00:23:11,780 --> 00:23:13,969 This is a backdoor 579 00:23:13,970 --> 00:23:16,789 skimmer which we investigated 580 00:23:16,790 --> 00:23:19,429 with our colleagues from the GReAT department 581 00:23:19,430 --> 00:23:21,049 several months ago. 582 00:23:21,050 --> 00:23:23,269 This malware is activated by 583 00:23:23,270 --> 00:23:26,139 using special cards. 584 00:23:26,140 --> 00:23:28,249 Now we can see 585 00:23:28,250 --> 00:23:30,409 the window to 586 00:23:30,410 --> 00:23:32,029 enter the special password. 587 00:23:33,050 --> 00:23:34,609 Also, the attacker can 588 00:23:35,690 --> 00:23:38,629 enter a number of 589 00:23:38,630 --> 00:23:40,879 commands, for example, to dispense 590 00:23:40,880 --> 00:23:41,880 money. 591 00:23:46,780 --> 00:23:49,449 And also, the attacker can 592 00:23:49,450 --> 00:23:51,609 enter the number of the cassette to dispense 593 00:23:51,610 --> 00:23:52,610 money from. 594 00:24:02,330 --> 00:24:03,330 One more.
595 00:24:20,420 --> 00:24:22,609 It was real malware 596 00:24:22,610 --> 00:24:23,610 which is 597 00:24:24,740 --> 00:24:27,139 widely spread around the world, 598 00:24:27,140 --> 00:24:29,629 and every 599 00:24:29,630 --> 00:24:31,549 sample was targeted at 600 00:24:32,750 --> 00:24:33,750 various countries. 601 00:24:35,230 --> 00:24:37,519 And if you were 602 00:24:37,520 --> 00:24:39,829 attentive enough, 603 00:24:39,830 --> 00:24:42,769 when I inserted 604 00:24:42,770 --> 00:24:44,629 the card inside the reader, it was 605 00:24:44,630 --> 00:24:46,189 returned immediately. 606 00:24:46,190 --> 00:24:48,949 No data was saved on the 607 00:24:48,950 --> 00:24:51,289 computer. It was intercepted just 608 00:24:51,290 --> 00:24:53,369 before the logging system even 609 00:24:53,370 --> 00:24:55,459 understood that something happened to 610 00:24:55,460 --> 00:24:57,919 the card reader. Then it intercepted, 611 00:24:57,920 --> 00:25:00,469 intercepted all the data that is 612 00:25:00,470 --> 00:25:01,489 entered on the 613 00:25:02,990 --> 00:25:03,949 PIN pad. 614 00:25:03,950 --> 00:25:06,259 And there is no 615 00:25:06,260 --> 00:25:08,329 evidence, no, no, 616 00:25:08,330 --> 00:25:11,119 nothing for us to investigate. 617 00:25:11,120 --> 00:25:12,120 And often banks 618 00:25:14,180 --> 00:25:16,549 don't want to understand how 619 00:25:16,550 --> 00:25:18,259 it actually happened. 620 00:25:18,260 --> 00:25:21,109 And unfortunately, in many cases 621 00:25:21,110 --> 00:25:23,239 there's not even video surveillance 622 00:25:23,240 --> 00:25:25,399 to understand what 623 00:25:25,400 --> 00:25:27,439 they did and how it was done.
624 00:25:31,750 --> 00:25:34,119 OK, but we were speaking 625 00:25:34,120 --> 00:25:36,729 about the Windows operating system, about 626 00:25:36,730 --> 00:25:38,859 XFS, about these 627 00:25:38,860 --> 00:25:41,559 devices, but actually, 628 00:25:41,560 --> 00:25:43,689 how hard is it to get into 629 00:25:43,690 --> 00:25:46,269 the ATM machine, to access these 630 00:25:46,270 --> 00:25:49,209 interface devices, to 631 00:25:49,210 --> 00:25:52,029 send commands and so on? 632 00:25:52,030 --> 00:25:54,219 Sometimes banks 633 00:25:54,220 --> 00:25:56,679 are very, very protective. 634 00:25:56,680 --> 00:25:58,929 There are even some ATMs inside 635 00:25:58,930 --> 00:26:00,309 trucks with 636 00:26:01,450 --> 00:26:04,479 policemen nearby. 637 00:26:04,480 --> 00:26:07,059 We often hear that in Europe it's 638 00:26:07,060 --> 00:26:09,249 not the case, because all ATMs are through-the-wall 639 00:26:09,250 --> 00:26:11,379 ATMs and they're physically 640 00:26:11,380 --> 00:26:12,380 secure. 641 00:26:13,570 --> 00:26:15,759 We often hear that they are a steel and 642 00:26:15,760 --> 00:26:17,739 concrete sandwich with different 643 00:26:17,740 --> 00:26:19,909 protections against physical 644 00:26:19,910 --> 00:26:21,519 attacks. There are different alarm 645 00:26:21,520 --> 00:26:24,069 systems, and no one can do anything 646 00:26:24,070 --> 00:26:26,349 in five minutes and get 647 00:26:26,350 --> 00:26:27,350 all the money. 648 00:26:29,660 --> 00:26:32,239 The operating system is just a platform. 649 00:26:32,240 --> 00:26:33,769 It doesn't do anything. 650 00:26:33,770 --> 00:26:36,049 It is always protected by 651 00:26:36,050 --> 00:26:38,179 Windows XP with 652 00:26:38,180 --> 00:26:39,180 MS08-067 653 00:26:40,400 --> 00:26:42,619 that can be attacked from 654 00:26:42,620 --> 00:26:44,099 anywhere in the network.
655 00:26:45,290 --> 00:26:46,519 It has robust updates 656 00:26:48,830 --> 00:26:51,299 and different security controls. 657 00:26:51,300 --> 00:26:53,239 The last measure is to protect the 658 00:26:54,650 --> 00:26:57,079 software on the ATM machine. 659 00:26:57,080 --> 00:26:59,719 To protect that, there's nothing, 660 00:26:59,720 --> 00:27:01,789 nothing more than what is already 661 00:27:01,790 --> 00:27:02,790 on the ATM. 662 00:27:04,360 --> 00:27:06,619 But ATMs are 663 00:27:06,620 --> 00:27:08,859 interconnected with at least the processing 664 00:27:08,860 --> 00:27:11,049 center and its management system. 665 00:27:12,520 --> 00:27:14,829 Often it is very easy 666 00:27:14,830 --> 00:27:16,899 for security specialists, especially for 667 00:27:16,900 --> 00:27:19,269 network specialists, to 668 00:27:19,270 --> 00:27:22,119 connect all ATMs in a single network. 669 00:27:22,120 --> 00:27:23,319 Why not? 670 00:27:23,320 --> 00:27:25,269 They are all in the same broadcast 671 00:27:25,270 --> 00:27:26,379 domain. 672 00:27:26,380 --> 00:27:28,479 They see each other, but 673 00:27:28,480 --> 00:27:29,599 it's completely safe. 674 00:27:29,600 --> 00:27:30,839 Nothing will happen. 675 00:27:32,140 --> 00:27:34,209 They're just sending 676 00:27:34,210 --> 00:27:36,759 authorization data to the 677 00:27:36,760 --> 00:27:39,879 processing center, and 678 00:27:39,880 --> 00:27:41,439 nothing will happen. 679 00:27:41,440 --> 00:27:44,339 But unfortunately, physical access is 680 00:27:44,340 --> 00:27:46,569 much, much easier than they 681 00:27:46,570 --> 00:27:47,949 suspect. 682 00:27:47,950 --> 00:27:48,950 This guy with 683 00:27:50,080 --> 00:27:52,359 a drill went to the ATM 684 00:27:52,360 --> 00:27:54,489 machine, made 685 00:27:54,490 --> 00:27:56,649 a hole and got 686 00:27:56,650 --> 00:27:58,809 access to the interface cables.
687 00:27:58,810 --> 00:28:00,999 It's real footage, and 688 00:28:01,000 --> 00:28:03,399 all the money in this ATM was lost 689 00:28:03,400 --> 00:28:04,749 by the bank. 690 00:28:04,750 --> 00:28:07,029 And unfortunately, there is 691 00:28:07,030 --> 00:28:09,279 no alarm, because no one actually 692 00:28:09,280 --> 00:28:11,469 opens the machine, and they 693 00:28:11,470 --> 00:28:12,470 say, OK, 694 00:28:13,720 --> 00:28:14,859 no one opened it at all, 695 00:28:16,000 --> 00:28:17,000 that's fine. 696 00:28:17,590 --> 00:28:19,809 But in many cases they are even 697 00:28:19,810 --> 00:28:20,919 lazier. 698 00:28:20,920 --> 00:28:23,679 We have modems 699 00:28:23,680 --> 00:28:25,599 near the ATM machines. 700 00:28:25,600 --> 00:28:27,759 We have, for example, on the 701 00:28:27,760 --> 00:28:30,369 bottom left side of the screen, 702 00:28:30,370 --> 00:28:33,159 open ATMs, because 703 00:28:33,160 --> 00:28:34,450 the duct tape is like this. 704 00:28:38,360 --> 00:28:40,459 We see a through-the- 705 00:28:40,460 --> 00:28:42,589 wall ATM with all the communications 706 00:28:42,590 --> 00:28:44,839 outside of it, and easy access 707 00:28:44,840 --> 00:28:47,449 to the inside of the 708 00:28:47,450 --> 00:28:49,729 building was created, 709 00:28:49,730 --> 00:28:52,279 and so USB devices and 710 00:28:52,280 --> 00:28:53,720 all the other stuff, because 711 00:28:54,770 --> 00:28:57,019 opening ATMs, going inside 712 00:28:57,020 --> 00:28:59,919 them with keyboards and something 713 00:28:59,920 --> 00:29:02,059 else, it's actually very hard to 714 00:29:02,060 --> 00:29:03,060 do. 715 00:29:05,300 --> 00:29:07,099 On level five, we have
716 00:29:08,780 --> 00:29:11,599 people, because 717 00:29:11,600 --> 00:29:13,879 every system is actually communicating 718 00:29:13,880 --> 00:29:16,369 with people, and some engineers 719 00:29:16,370 --> 00:29:18,479 should do different stuff with it. 720 00:29:18,480 --> 00:29:20,809 And when we showed you the schema 721 00:29:20,810 --> 00:29:23,269 of the ATM, it was actually a lie, 722 00:29:23,270 --> 00:29:25,489 because the schema is much 723 00:29:25,490 --> 00:29:26,839 bigger. 724 00:29:26,840 --> 00:29:29,239 We have different computers. 725 00:29:29,240 --> 00:29:31,939 We have administrators, we have 726 00:29:31,940 --> 00:29:33,469 different online banking. 727 00:29:33,470 --> 00:29:36,049 We have our processing center. 728 00:29:36,050 --> 00:29:38,329 We have different databases. 729 00:29:38,330 --> 00:29:40,039 From the point of view of context, 730 00:29:40,040 --> 00:29:42,259 it's a huge system that 731 00:29:42,260 --> 00:29:44,569 can be affected on many, 732 00:29:44,570 --> 00:29:45,829 many levels. 733 00:29:45,830 --> 00:29:47,959 For example, ordinary phishing: we 734 00:29:47,960 --> 00:29:49,400 have administrator accounts, 735 00:29:50,420 --> 00:29:53,359 and often these administrators 736 00:29:53,360 --> 00:29:54,360 are not 737 00:29:55,550 --> 00:29:58,339 trusted for managing office computers. 738 00:29:58,340 --> 00:30:00,529 And there are different departments, 739 00:30:00,530 --> 00:30:02,659 for example, for ATM machines, for 740 00:30:02,660 --> 00:30:04,609 office computers and so on. 741 00:30:04,610 --> 00:30:06,769 And in this case, 742 00:30:06,770 --> 00:30:08,959 ATM administrators are often 743 00:30:08,960 --> 00:30:10,999 not so competent and don't know 744 00:30:11,000 --> 00:30:12,819 everything about their systems.
745 00:30:14,870 --> 00:30:16,939 As I already said, there 746 00:30:16,940 --> 00:30:19,219 are different ATMs in different 747 00:30:19,220 --> 00:30:21,619 locations. Sometimes they're connected 748 00:30:21,620 --> 00:30:23,779 over a 2G network, because it's 749 00:30:23,780 --> 00:30:26,089 very cheap and very secure, 750 00:30:26,090 --> 00:30:28,489 because when 751 00:30:28,490 --> 00:30:30,859 some security specialist in the bank 752 00:30:30,860 --> 00:30:33,109 opened the specification 753 00:30:33,110 --> 00:30:35,299 of the GSM network, they 754 00:30:35,300 --> 00:30:38,329 see, OK, there is encryption 755 00:30:38,330 --> 00:30:41,119 and all communications are safe. 756 00:30:41,120 --> 00:30:43,249 But unfortunately, as you 757 00:30:43,250 --> 00:30:46,399 have seen on your mobile phones at the 758 00:30:46,400 --> 00:30:49,609 Congress, you see the network, 759 00:30:49,610 --> 00:30:51,829 the network that you can 760 00:30:51,830 --> 00:30:53,930 connect to with your device and 761 00:30:55,160 --> 00:30:57,559 send data and calls 762 00:30:57,560 --> 00:30:58,999 and so on. 763 00:30:59,000 --> 00:31:01,219 Actually, your connections 764 00:31:01,220 --> 00:31:03,619 with 2G networks can be intercepted. 765 00:31:03,620 --> 00:31:05,749 And what we've seen 766 00:31:05,750 --> 00:31:08,059 much, much 767 00:31:08,060 --> 00:31:10,429 more often is that ATMs are connected 768 00:31:10,430 --> 00:31:12,739 to a small network, where all 769 00:31:12,740 --> 00:31:14,659 ATMs are seeing each other. 770 00:31:14,660 --> 00:31:16,159 There are different things. 771 00:31:16,160 --> 00:31:18,019 There is the controller for these 772 00:31:18,020 --> 00:31:20,569 particular ATMs that can send updates 773 00:31:20,570 --> 00:31:22,639 to different, to 774 00:31:22,640 --> 00:31:24,709 all ATMs in the network.
775 00:31:24,710 --> 00:31:26,869 And it's not a scary thing 776 00:31:26,870 --> 00:31:28,999 when you speak about a couple of 777 00:31:29,000 --> 00:31:30,589 ATMs and so on. 778 00:31:30,590 --> 00:31:33,109 But unfortunately, there are hundreds 779 00:31:33,110 --> 00:31:35,839 of ATMs in some banks 780 00:31:35,840 --> 00:31:37,999 that can be attacked 781 00:31:38,000 --> 00:31:40,309 with just one button, installing 782 00:31:40,310 --> 00:31:43,099 the group policy 783 00:31:43,100 --> 00:31:45,289 to install, for example, malware and 784 00:31:45,290 --> 00:31:46,639 disable antivirus. 785 00:31:46,640 --> 00:31:48,919 And 786 00:31:48,920 --> 00:31:50,869 it's often forgotten that actually 787 00:31:52,260 --> 00:31:54,649 it's not a box, it's 788 00:31:54,650 --> 00:31:56,539 often an entry point. 789 00:31:56,540 --> 00:31:58,759 And an attacker can affect only 790 00:31:58,760 --> 00:32:00,919 one ATM to 791 00:32:00,920 --> 00:32:03,349 get the data inside of the network, 792 00:32:03,350 --> 00:32:05,479 and for example, spoofing, I 793 00:32:05,480 --> 00:32:06,480 don't know. 794 00:32:07,820 --> 00:32:09,959 And the last point from our talk: 795 00:32:09,960 --> 00:32:12,379 an attacker discovered 796 00:32:12,380 --> 00:32:14,660 some ATM network with the wrong settings 797 00:32:16,340 --> 00:32:18,409 and got physical 798 00:32:18,410 --> 00:32:19,940 access to the Internet cable. 799 00:32:23,360 --> 00:32:25,909 He disconnects 800 00:32:25,910 --> 00:32:27,589 this cable from the ATMs 801 00:32:28,640 --> 00:32:31,099 and connects 802 00:32:31,100 --> 00:32:33,200 a Raspberry Pi to 803 00:32:34,640 --> 00:32:36,410 the ATM network. 804 00:32:41,970 --> 00:32:44,199 This Raspberry Pi consists of 805 00:32:44,200 --> 00:32:46,319 a piece of code with a 806 00:32:46,320 --> 00:32:48,569 local processing center which simulates 807 00:32:48,570 --> 00:32:49,570 the real one.
808 00:32:51,640 --> 00:32:53,759 Now all ATMs in this 809 00:32:53,760 --> 00:32:56,189 network are under the control of the attackers. 810 00:33:04,430 --> 00:33:05,430 And 811 00:33:06,620 --> 00:33:08,899 friends of this attacker 812 00:33:08,900 --> 00:33:11,029 can come to the ATM, to 813 00:33:11,030 --> 00:33:13,259 all ATMs, and do something. 814 00:33:13,260 --> 00:33:14,219 OK, 815 00:33:14,220 --> 00:33:16,369 it looks like ordinary transactions, 816 00:33:16,370 --> 00:33:17,370 and 817 00:33:19,220 --> 00:33:21,559 they can use any PINs, any 818 00:33:21,560 --> 00:33:23,809 cards, and they 819 00:33:23,810 --> 00:33:25,879 can change 820 00:33:25,880 --> 00:33:27,949 the cassette to withdraw money from. 821 00:33:27,950 --> 00:33:30,199 And, of course, they get 822 00:33:30,200 --> 00:33:31,200 money. 823 00:33:51,500 --> 00:33:53,959 And now the attacker 824 00:33:53,960 --> 00:33:56,449 returns to the ATMs 825 00:33:56,450 --> 00:33:58,040 to remove this 826 00:33:59,570 --> 00:34:02,719 very important device 827 00:34:02,720 --> 00:34:04,849 and leaves no physical evidence of this 828 00:34:04,850 --> 00:34:05,850 attack. 829 00:34:12,550 --> 00:34:15,399 But please don't use this Raspberry Pi 830 00:34:15,400 --> 00:34:17,379 to get money; use it 831 00:34:20,030 --> 00:34:21,030 for other reasons. 832 00:34:22,120 --> 00:34:24,189 And actually, what you have seen in 833 00:34:24,190 --> 00:34:26,259 this video is a 834 00:34:26,260 --> 00:34:28,749 real problem, because we hear, 835 00:34:28,750 --> 00:34:30,999 OK, five minutes and the security 836 00:34:31,000 --> 00:34:33,279 guys will get to the ATM with 837 00:34:33,280 --> 00:34:34,448 the alarm system. 838 00:34:34,449 --> 00:34:36,218 But unfortunately, all those videos are 839 00:34:36,219 --> 00:34:39,099 less than two minutes to install the 840 00:34:39,100 --> 00:34:41,408 hardware, to install software, 841 00:34:41,409 --> 00:34:43,479 and to get to the ATMs and to 842 00:34:43,480 --> 00:34:44,480 withdraw money.
843 00:34:45,670 --> 00:34:48,488 It's often forgotten that, unfortunately, 844 00:34:48,489 --> 00:34:51,549 computers are really fast and 845 00:34:51,550 --> 00:34:52,550 people are not. 846 00:34:55,630 --> 00:34:57,699 Well, there's 847 00:34:57,700 --> 00:34:59,949 no conclusion from our 848 00:34:59,950 --> 00:35:02,139 presentation, because the current 849 00:35:02,140 --> 00:35:04,449 security of the ATMs 850 00:35:04,450 --> 00:35:06,819 is like this guy: they are trying 851 00:35:06,820 --> 00:35:08,949 to protect some pieces 852 00:35:08,950 --> 00:35:12,249 of the network of 853 00:35:12,250 --> 00:35:13,600 ATMs. They 854 00:35:14,740 --> 00:35:17,449 shift their ATMs to 855 00:35:17,450 --> 00:35:19,689 some third party 856 00:35:19,690 --> 00:35:21,849 and outsource 857 00:35:21,850 --> 00:35:23,649 them and so on. 858 00:35:23,650 --> 00:35:25,719 And they hear from the Internet: 859 00:35:25,720 --> 00:35:28,089 OK, there is malware, then 860 00:35:28,090 --> 00:35:30,399 we'll install the antivirus 861 00:35:30,400 --> 00:35:32,199 on the ATMs. 862 00:35:32,200 --> 00:35:33,429 There are black box attacks. 863 00:35:33,430 --> 00:35:35,499 Then we install the hardware inside 864 00:35:35,500 --> 00:35:36,789 of our ATMs. 865 00:35:36,790 --> 00:35:38,889 OK, there is something else, and they 866 00:35:38,890 --> 00:35:41,049 install something else. Actually, 867 00:35:41,050 --> 00:35:42,099 it's a cat-and-mouse game. 868 00:35:42,100 --> 00:35:45,009 And what we have shown you is 869 00:35:45,010 --> 00:35:47,139 low-hanging fruit that 870 00:35:47,140 --> 00:35:50,259 can be easily accessed by 871 00:35:50,260 --> 00:35:51,999 criminals and is already accessed by 872 00:35:52,000 --> 00:35:53,049 criminals.
873 00:35:53,050 --> 00:35:55,479 And often we don't hear about 874 00:35:55,480 --> 00:35:58,119 such cases, because 875 00:35:58,120 --> 00:36:00,339 banks are very discreet about their 876 00:36:00,340 --> 00:36:02,529 problems, and they don't even share 877 00:36:02,530 --> 00:36:04,110 these problems with other banks. 878 00:36:05,990 --> 00:36:08,329 It's often a problem, because 879 00:36:08,330 --> 00:36:10,549 in many countries, when some bank 880 00:36:10,550 --> 00:36:12,799 is affected, for example, by black 881 00:36:12,800 --> 00:36:14,929 box attacks, it 882 00:36:14,930 --> 00:36:17,539 will say we have no problems, 883 00:36:17,540 --> 00:36:19,609 and another bank in 884 00:36:19,610 --> 00:36:21,349 the same country will be affected by the 885 00:36:21,350 --> 00:36:23,719 very same attacks. 886 00:36:23,720 --> 00:36:26,119 And they are not prepared for this. 887 00:36:27,380 --> 00:36:28,879 ATM vendors are often 888 00:36:30,110 --> 00:36:32,659 not so fast to implement security 889 00:36:32,660 --> 00:36:35,089 mechanisms, to implement their 890 00:36:35,090 --> 00:36:37,669 hardware to protect the banks. 891 00:36:37,670 --> 00:36:40,219 And often they say, 892 00:36:40,220 --> 00:36:41,209 we do not have a problem. 893 00:36:41,210 --> 00:36:43,669 We already sold you your 894 00:36:43,670 --> 00:36:45,889 ATM, and they 895 00:36:45,890 --> 00:36:47,840 don't want to invest any money 896 00:36:48,860 --> 00:36:49,909 into protection. 897 00:36:49,910 --> 00:36:51,679 And we understand them. 898 00:36:51,680 --> 00:36:53,749 But unfortunately, in many cases, 899 00:36:53,750 --> 00:36:56,059 the architecture is bad and you should feel 900 00:36:56,060 --> 00:36:57,670 bad about it.
901 00:36:59,680 --> 00:37:00,680 We know that 902 00:37:01,960 --> 00:37:04,059 many vendors, I think all 903 00:37:04,060 --> 00:37:06,369 of them, already tried to 904 00:37:06,370 --> 00:37:08,469 create new versions of the 905 00:37:08,470 --> 00:37:10,839 ATM with a newer 906 00:37:10,840 --> 00:37:13,329 operating system, with newer hardware. 907 00:37:13,330 --> 00:37:16,059 We want to ask them, 908 00:37:16,060 --> 00:37:18,129 please do it 909 00:37:18,130 --> 00:37:20,739 more open, not open source, 910 00:37:20,740 --> 00:37:23,379 do it more open to security specialists, 911 00:37:23,380 --> 00:37:24,380 to banks, 912 00:37:25,990 --> 00:37:28,179 because many times 913 00:37:28,180 --> 00:37:30,849 the vendor creates the problem. 914 00:37:30,850 --> 00:37:32,949 But often, very often, 915 00:37:32,950 --> 00:37:35,259 banks also create a problem, 916 00:37:35,260 --> 00:37:37,809 because they don't want to 917 00:37:37,810 --> 00:37:40,119 implement all the features that are already 918 00:37:40,120 --> 00:37:42,459 there. And often some 919 00:37:42,460 --> 00:37:44,679 problems can be managed 920 00:37:44,680 --> 00:37:47,079 with updates, with configuration 921 00:37:47,080 --> 00:37:49,389 options, with passwords. 922 00:37:49,390 --> 00:37:50,390 Come on. 923 00:37:51,340 --> 00:37:53,709 And there is the smallest, 924 00:37:54,820 --> 00:37:57,969 very easy to understand test: if 925 00:37:57,970 --> 00:38:00,069 just one command or another command 926 00:38:00,070 --> 00:38:02,529 returns anything about 927 00:38:02,530 --> 00:38:05,319 your ATM machine, you're screwed. 928 00:38:05,320 --> 00:38:08,259 If your second command returns 929 00:38:08,260 --> 00:38:10,359 anything that looks like 930 00:38:10,360 --> 00:38:12,429 an admin computer and 931 00:38:12,430 --> 00:38:14,349 other software that you don't know 932 00:38:14,350 --> 00:38:16,669 what it is doing, you are screwed.
933 00:38:16,670 --> 00:38:18,819 Use Wireshark and USBPcap 934 00:38:18,820 --> 00:38:20,319 on the ATM machine. 935 00:38:20,320 --> 00:38:22,779 Just install it, press the button, 936 00:38:22,780 --> 00:38:25,299 intercept all the traffic and see, 937 00:38:25,300 --> 00:38:27,519 ah, do you see the card 938 00:38:27,520 --> 00:38:29,049 data in the traffic? 939 00:38:29,050 --> 00:38:30,699 Because it's a real problem. 940 00:38:30,700 --> 00:38:33,159 It's not that hard to 941 00:38:33,160 --> 00:38:35,559 intercept communications, 942 00:38:35,560 --> 00:38:38,799 not only with software on the computer, 943 00:38:38,800 --> 00:38:40,210 but also with hardware means, 944 00:38:41,530 --> 00:38:43,209 for example, Beagle; 945 00:38:44,500 --> 00:38:47,329 their hardware to intercept data on the 946 00:38:47,330 --> 00:38:49,389 bus costs only 947 00:38:49,390 --> 00:38:50,589 five hundred euros, 948 00:38:50,590 --> 00:38:52,999 I think dollars, and 949 00:38:53,000 --> 00:38:55,539 a quarter million 950 00:38:55,540 --> 00:38:57,789 is in 951 00:38:57,790 --> 00:38:58,790 one ATM machine. 952 00:39:00,930 --> 00:39:03,289 What we want to see is 953 00:39:03,290 --> 00:39:05,939 not one protection, obviously, 954 00:39:05,940 --> 00:39:07,979 but protection for different 955 00:39:07,980 --> 00:39:10,079 levels of communication. 956 00:39:10,080 --> 00:39:12,509 We have a chain of failure 957 00:39:12,510 --> 00:39:14,909 with any 958 00:39:14,910 --> 00:39:17,789 part of the infrastructure 959 00:39:17,790 --> 00:39:19,979 that can send one command to an ATM 960 00:39:19,980 --> 00:39:22,199 machine and get money 961 00:39:22,200 --> 00:39:25,409 from it, get 962 00:39:25,410 --> 00:39:27,239 the data from it and so on.
963 00:39:28,570 --> 00:39:30,789 We understand that, unfortunately, 964 00:39:30,790 --> 00:39:32,979 security is a process, and there are 965 00:39:32,980 --> 00:39:35,139 always a lot of us who 966 00:39:35,140 --> 00:39:37,509 create the security in the 967 00:39:37,510 --> 00:39:40,089 ATMs or any other device. 968 00:39:40,090 --> 00:39:42,370 We know that you have different 969 00:39:44,680 --> 00:39:46,839 means to create money, 970 00:39:46,840 --> 00:39:48,909 but you always have means to 971 00:39:48,910 --> 00:39:51,219 lose money by allowing the lowest 972 00:39:51,220 --> 00:39:53,280 bidder to create your security. 973 00:39:55,820 --> 00:39:57,949 Actually, be excellent to each 974 00:39:57,950 --> 00:40:00,859 other: vendors 975 00:40:00,860 --> 00:40:02,049 should speak to banks, 976 00:40:02,050 --> 00:40:03,919 banks should speak to vendors. 977 00:40:03,920 --> 00:40:06,109 Unfortunately, their ordinary 978 00:40:06,110 --> 00:40:07,279 customers 979 00:40:07,280 --> 00:40:09,889 are all screwed, because 980 00:40:09,890 --> 00:40:11,869 a software sniffer is completely 981 00:40:11,870 --> 00:40:14,089 unacceptable from our point 982 00:40:14,090 --> 00:40:17,029 of view. And if you go to an ATM machine, 983 00:40:17,030 --> 00:40:19,429 be aware that your credit card data 984 00:40:19,430 --> 00:40:21,529 can be stolen despite all the 985 00:40:21,530 --> 00:40:23,689 security measures and security 986 00:40:23,690 --> 00:40:26,149 mechanisms that you 987 00:40:26,150 --> 00:40:27,679 can apply by yourself. 988 00:40:27,680 --> 00:40:30,049 So it's actually a problem of the bank. 989 00:40:30,050 --> 00:40:32,119 And if you have a problem, for 990 00:40:32,120 --> 00:40:34,069 example, with skimming, and some 991 00:40:34,070 --> 00:40:36,769 transaction was made 992 00:40:36,770 --> 00:40:39,049 with your credit card, it's not 993 00:40:39,050 --> 00:40:40,459 always your problem.
994 00:40:40,460 --> 00:40:42,110 This may be a problem of the bank. 995 00:40:44,240 --> 00:40:46,759 We want to thank all the different guys, 996 00:40:46,760 --> 00:40:48,539 some of them here, some of them 997 00:40:48,540 --> 00:40:50,839 unfortunately not here, who 998 00:40:50,840 --> 00:40:52,639 helped us with our research, with reverse 999 00:40:52,640 --> 00:40:54,919 engineering of, I 1000 00:40:54,920 --> 00:40:56,539 think, the dispenser, for example. 1001 00:40:56,540 --> 00:40:58,999 It's a real pain in the ass. 1002 00:40:59,000 --> 00:41:00,859 And have fun. 1003 00:41:00,860 --> 00:41:02,059 Stay safe. 1004 00:41:02,060 --> 00:41:03,060 Thank you. 1005 00:41:25,060 --> 00:41:26,949 Questions. We raised this signal a few 1006 00:41:29,110 --> 00:41:30,110 years ago. 1007 00:41:31,780 --> 00:41:33,789 We got that question from the Internet. 1008 00:41:33,790 --> 00:41:36,399 Yeah, there are, but it's 1009 00:41:36,400 --> 00:41:37,989 not quite in your... 1010 00:41:39,070 --> 00:41:41,199 Yeah. Can you just go out 1011 00:41:41,200 --> 00:41:42,969 quietly? 1012 00:41:42,970 --> 00:41:43,929 Thanks. 1013 00:41:43,930 --> 00:41:46,089 So the first question from 1014 00:41:46,090 --> 00:41:48,550 the Internet is... quietly, please. 1015 00:41:51,940 --> 00:41:53,799 The Internet wants to know that. 1016 00:41:53,800 --> 00:41:55,599 Well, you've said there are some 1017 00:41:55,600 --> 00:41:58,269 different open ports on the ATMs. 1018 00:41:58,270 --> 00:41:59,590 Which ones would that be? 1019 00:42:01,480 --> 00:42:02,480 We don't know yet. 1020 00:42:03,810 --> 00:42:06,039 We can't disclose information, because 1021 00:42:06,040 --> 00:42:08,109 unfortunately, we see 1022 00:42:08,110 --> 00:42:09,849 the ATMs in Shodan. 1023 00:42:09,850 --> 00:42:12,459 We see ATMs with 1024 00:42:12,460 --> 00:42:13,659 mass scans.
1025 00:42:13,660 --> 00:42:15,839 And this information can lead to 1026 00:42:15,840 --> 00:42:17,989 a large amount of fraud against 1027 00:42:17,990 --> 00:42:20,589 the ATMs. So we can't tell them, 1028 00:42:20,590 --> 00:42:21,590 sort of. 1029 00:42:28,010 --> 00:42:30,439 So I just, 1030 00:42:30,440 --> 00:42:32,539 I want to add one note, 1031 00:42:32,540 --> 00:42:34,699 that it's not 1032 00:42:34,700 --> 00:42:36,979 always the problem of the bank 1033 00:42:36,980 --> 00:42:39,199 itself, it's more, 1034 00:42:39,200 --> 00:42:41,389 sometimes it's more really the problem 1035 00:42:41,390 --> 00:42:43,489 of the vendor of the ATMs, 1036 00:42:43,490 --> 00:42:46,039 and part of it, like, 1037 00:42:46,040 --> 00:42:49,159 as you said, it's a normal 1038 00:42:49,160 --> 00:42:49,819 PC, 1039 00:42:49,820 --> 00:42:52,729 what's inside the ATMs. 1040 00:42:52,730 --> 00:42:53,730 And 1041 00:42:55,220 --> 00:42:57,319 if the bank wants to upgrade 1042 00:42:57,320 --> 00:42:59,179 to Windows 7 or Windows 10 or 1043 00:42:59,180 --> 00:43:01,160 whatever, 1044 00:43:02,570 --> 00:43:04,339 the hardware does not support it. 1045 00:43:04,340 --> 00:43:06,649 So you could 1046 00:43:06,650 --> 00:43:08,749 physically change it to an off- 1047 00:43:08,750 --> 00:43:10,939 the-shelf PC. But the vendor says 1048 00:43:10,940 --> 00:43:13,459 we will not, we 1049 00:43:13,460 --> 00:43:15,589 don't support that, or 1050 00:43:15,590 --> 00:43:17,929 would give no warranty if you change it 1051 00:43:17,930 --> 00:43:20,309 yourself. And they ask for just a 1052 00:43:20,310 --> 00:43:22,609 normal PC a lot, a lot of money. 1053 00:43:22,610 --> 00:43:24,049 And the bank, of course, will say, no, 1054 00:43:24,050 --> 00:43:26,209 it's too much for me and we keep it at 1055 00:43:26,210 --> 00:43:26,879 XP.
1056 00:43:26,880 --> 00:43:28,609 Yes, unfortunately, we know about this 1057 00:43:28,610 --> 00:43:31,039 situation, but 1058 00:43:31,040 --> 00:43:33,289 we also understand that 1059 00:43:33,290 --> 00:43:35,839 there are 10 years 1060 00:43:35,840 --> 00:43:38,209 or 15 years or 12, 20 1061 00:43:38,210 --> 00:43:40,369 years that the ATM was working, 1062 00:43:40,370 --> 00:43:42,019 and it was working fine. 1063 00:43:42,020 --> 00:43:44,089 And banks say, OK, I want 1064 00:43:44,090 --> 00:43:46,489 to make it secure without any 1065 00:43:46,490 --> 00:43:47,689 additional investment. 1066 00:43:47,690 --> 00:43:50,059 Unfortunately, it won't help. 1067 00:43:50,060 --> 00:43:52,759 Yes, we know that there are different 1068 00:43:52,760 --> 00:43:54,709 problems in the operating system, but 1069 00:43:54,710 --> 00:43:56,929 there are also different problems 1070 00:43:56,930 --> 00:43:58,699 in the software that is run on this 1071 00:43:58,700 --> 00:43:59,869 operating system. 1072 00:43:59,870 --> 00:44:02,329 So it's actually a very 1073 00:44:02,330 --> 00:44:03,349 fuzzy situation. 1074 00:44:03,350 --> 00:44:05,899 And we can say that 1075 00:44:05,900 --> 00:44:07,969 someone is more wrong or 1076 00:44:07,970 --> 00:44:09,829 more right in this situation. 1077 00:44:09,830 --> 00:44:12,199 We should all combine our 1078 00:44:12,200 --> 00:44:14,689 expertise, our money actually, 1079 00:44:14,690 --> 00:44:16,789 and create much better 1080 00:44:16,790 --> 00:44:18,949 ATMs in the 1081 00:44:18,950 --> 00:44:21,029 course of many, many years, 1082 00:44:21,030 --> 00:44:22,400 maybe. But I think 1083 00:44:23,990 --> 00:44:24,990 the sooner the better. 1084 00:44:25,980 --> 00:44:26,980 I 1085 00:44:29,000 --> 00:44:31,369 have a question here 1086 00:44:31,370 --> 00:44:32,329 on the road.
1087 00:44:32,330 --> 00:44:34,489 Why do you think the ATM vendors don't 1088 00:44:34,490 --> 00:44:36,799 invest more into Linux-based 1089 00:44:36,800 --> 00:44:37,800 ATMs? 1090 00:44:38,810 --> 00:44:40,699 I mean, they could, they could do that. 1091 00:44:41,770 --> 00:44:43,189 Yes, they can do that. 1092 00:44:43,190 --> 00:44:45,889 But the answer 1093 00:44:45,890 --> 00:44:47,399 is legacy code. 1094 00:44:47,400 --> 00:44:49,619 They already invested 1095 00:44:49,620 --> 00:44:51,999 a large amount of money into the 1096 00:44:52,000 --> 00:44:54,199 XFS, because it's 1097 00:44:54,200 --> 00:44:56,729 the Microsoft 1098 00:44:56,730 --> 00:44:58,369 extension for financial services. 1099 00:44:58,370 --> 00:45:00,739 So it's actually very 1100 00:45:02,450 --> 00:45:04,429 tied to Windows. 1101 00:45:04,430 --> 00:45:06,649 But we already know that some 1102 00:45:06,650 --> 00:45:09,289 vendors are already shifting from 1103 00:45:09,290 --> 00:45:11,509 Windows to Linux-based 1104 00:45:11,510 --> 00:45:14,149 operating systems, and 1105 00:45:14,150 --> 00:45:16,159 we want to see it. 1106 00:45:16,160 --> 00:45:17,509 We will see it in the near future. 1107 00:45:17,510 --> 00:45:19,579 So I think the situation 1108 00:45:19,580 --> 00:45:21,919 will change sometime. 1109 00:45:23,300 --> 00:45:26,689 Your research is amazing 1110 00:45:26,690 --> 00:45:28,009 and I really appreciate the work you're 1111 00:45:28,010 --> 00:45:30,109 doing.
I would like to know, given 1112 00:45:30,110 --> 00:45:32,539 the prevalence, all the rise 1113 00:45:32,540 --> 00:45:34,669 in Bitcoin ATMs, and the fact that most 1114 00:45:34,670 --> 00:45:36,499 of the software, or some of the software, 1115 00:45:36,500 --> 00:45:38,629 for Bitcoin ATMs is open source, have 1116 00:45:38,630 --> 00:45:40,759 you done any research on that, or 1117 00:45:40,760 --> 00:45:42,469 are you planning on doing any research on 1118 00:45:42,470 --> 00:45:43,459 them? 1119 00:45:43,460 --> 00:45:45,709 Unfortunately, we haven't seen 1120 00:45:45,710 --> 00:45:48,229 this with our hands, so 1121 00:45:48,230 --> 00:45:50,569 unfortunately, no, we haven't managed 1122 00:45:50,570 --> 00:45:52,969 to see them, and 1123 00:45:52,970 --> 00:45:55,189 we would like to get 1124 00:45:55,190 --> 00:45:57,079 in touch with Bitcoin ATMs, but 1125 00:45:57,080 --> 00:45:59,329 unfortunately, they're so rare 1126 00:45:59,330 --> 00:46:01,769 and are 1127 00:46:01,770 --> 00:46:03,959 so not worth it, 1128 00:46:03,960 --> 00:46:05,389 unfortunately, for now. 1129 00:46:05,390 --> 00:46:06,390 Thank you. 1130 00:46:07,520 --> 00:46:09,799 Thank you for the 1131 00:46:09,800 --> 00:46:11,689 interesting presentation. 1132 00:46:11,690 --> 00:46:13,819 Some of the attacks 1133 00:46:13,820 --> 00:46:15,919 that you presented require 1134 00:46:15,920 --> 00:46:18,739 a lot of internal 1135 00:46:18,740 --> 00:46:19,729 knowledge. 1136 00:46:19,730 --> 00:46:21,199 For example, the one 1137 00:46:22,220 --> 00:46:23,220 where the attack 1138 00:46:24,740 --> 00:46:26,599 is on the network. 1139 00:46:26,600 --> 00:46:28,879 Where do the attackers get 1140 00:46:28,880 --> 00:46:31,579 all this knowledge about the 1141 00:46:31,580 --> 00:46:33,519 architecture and infrastructure?
1142 00:46:35,330 --> 00:46:38,209 Unfortunately, it's not that hard, 1143 00:46:38,210 --> 00:46:40,789 because they are all 1144 00:46:40,790 --> 00:46:42,349 Windows-based again. 1145 00:46:42,350 --> 00:46:44,959 And a general penetration test 1146 00:46:44,960 --> 00:46:47,239 accessing the domain 1147 00:46:47,240 --> 00:46:48,949 controller with the highest privileges 1148 00:46:48,950 --> 00:46:51,259 is actually not very, 1149 00:46:51,260 --> 00:46:53,929 very different from the ATM 1150 00:46:53,930 --> 00:46:55,039 machines. 1151 00:46:55,040 --> 00:46:56,749 And obviously there are different 1152 00:46:56,750 --> 00:46:59,059 engineers in the bank who 1153 00:46:59,060 --> 00:47:01,249 have different technical information, 1154 00:47:01,250 --> 00:47:03,409 who have different 1155 00:47:03,410 --> 00:47:06,169 software, different test software 1156 00:47:06,170 --> 00:47:07,489 that can be stolen. 1157 00:47:07,490 --> 00:47:09,799 And sometimes they 1158 00:47:09,800 --> 00:47:12,019 even share this information 1159 00:47:12,020 --> 00:47:14,089 with a large amount of 1160 00:47:14,090 --> 00:47:16,459 people, for example, by 1161 00:47:16,460 --> 00:47:18,859 uploading the project onto GitHub. 1162 00:47:18,860 --> 00:47:21,459 And you can download software from there, 1163 00:47:21,460 --> 00:47:23,650 just like the source. And so 1164 00:47:26,240 --> 00:47:28,769 Hello, yes, 1165 00:47:28,770 --> 00:47:31,119 so in terms of the ATM management 1166 00:47:31,120 --> 00:47:33,249 systems, I'd like to ask if you have 1167 00:47:33,250 --> 00:47:35,679 had a look at, like, Fiserv and 1168 00:47:35,680 --> 00:47:37,779 software that, like, big vendors use to 1169 00:47:37,780 --> 00:47:39,939 manage, like, big ATM 1170 00:47:39,940 --> 00:47:42,249 networks, Fiserv 1171 00:47:42,250 --> 00:47:43,659 or even like a trend.
1172 00:47:43,660 --> 00:47:46,179 Also, some ATM networks you've seen, 1173 00:47:46,180 --> 00:47:48,489 even in Europe, they start having systems 1174 00:47:48,490 --> 00:47:50,619 to manage the advertisements 1175 00:47:50,620 --> 00:47:52,689 on the loading screens and so on. Did you 1176 00:47:52,690 --> 00:47:54,310 do any sort of research on that as well? 1177 00:47:55,750 --> 00:47:57,429 Unfortunately, no, because 1178 00:47:58,960 --> 00:48:01,329 there are different systems to 1179 00:48:01,330 --> 00:48:03,399 manage ATM machines, but there 1180 00:48:03,400 --> 00:48:05,899 are always lazy 1181 00:48:05,900 --> 00:48:08,199 people, lazy administrators who install 1182 00:48:08,200 --> 00:48:11,139 additional remote control systems 1183 00:48:11,140 --> 00:48:14,169 for different devices and even devices. 1184 00:48:14,170 --> 00:48:16,210 So I'm fortunate enough 1185 00:48:17,700 --> 00:48:18,549 to find Eric. 1186 00:48:18,550 --> 00:48:19,550 Thank you. 1187 00:48:20,320 --> 00:48:21,939 Thanks again for the amazing 1188 00:48:21,940 --> 00:48:23,349 presentation. 1189 00:48:23,350 --> 00:48:25,749 I was wondering if you had cases 1190 00:48:25,750 --> 00:48:27,939 where the security was better 1191 00:48:27,940 --> 00:48:30,009 than what you presented, and 1192 00:48:30,010 --> 00:48:32,289 especially whether the serial 1193 00:48:32,290 --> 00:48:34,809 PC communication had any, 1194 00:48:34,810 --> 00:48:36,429 any encryption at all? 1195 00:48:38,120 --> 00:48:41,019 Yes, obviously there are 1196 00:48:41,020 --> 00:48:43,029 different ATMs and different vendors, 1197 00:48:43,030 --> 00:48:44,199 different banks.
1198 00:48:44,200 --> 00:48:46,539 And we showed you 1199 00:48:46,540 --> 00:48:49,239 extreme cases, and 1200 00:48:49,240 --> 00:48:51,549 how we can say that any 1201 00:48:51,550 --> 00:48:53,619 ATM is actually vulnerable to at 1202 00:48:53,620 --> 00:48:55,269 least one vulnerability that we have 1203 00:48:55,270 --> 00:48:57,159 shown you: from the management system, 1204 00:48:57,160 --> 00:48:58,869 from the network, just network without 1205 00:48:58,870 --> 00:49:00,939 any internal knowledge, from the physical 1206 00:49:00,940 --> 00:49:03,069 access, from the USB 1207 00:49:03,070 --> 00:49:05,229 access. But there is no 1208 00:49:05,230 --> 00:49:07,329 ATM that has all the vulnerabilities 1209 00:49:07,330 --> 00:49:09,429 in it. So we have seen 1210 00:49:10,630 --> 00:49:12,880 secure ATMs, but not very secure. 1211 00:49:16,130 --> 00:49:17,130 Thank you. 1212 00:49:20,540 --> 00:49:23,149 OK, the Internet wants to know 1213 00:49:23,150 --> 00:49:25,309 how easy would it be to get an ATM into 1214 00:49:25,310 --> 00:49:28,099 a kind of out-of-service mode 1215 00:49:28,100 --> 00:49:30,199 that is not really easy to 1216 00:49:30,200 --> 00:49:30,459 fix. 1217 00:49:30,460 --> 00:49:32,569 So basically, how hard is it to 1218 00:49:32,570 --> 00:49:34,389 just ATM... 1219 00:49:35,390 --> 00:49:38,569 Well, with a 1220 00:49:38,570 --> 00:49:40,699 razor, or to cut the cable? 1221 00:49:40,700 --> 00:49:42,590 It's very easy, but 1222 00:49:43,670 --> 00:49:45,649 denial of service of some ATMs, if I 1223 00:49:45,650 --> 00:49:47,939 understood the question correctly, it's 1224 00:49:47,940 --> 00:49:49,939 a bit out of scope of our presentation, 1225 00:49:49,940 --> 00:49:52,339 because we, we as the attacker, 1226 00:49:52,340 --> 00:49:54,829 as the merchant, 1227 00:49:54,830 --> 00:49:57,259 we want money from it, but not to 1228 00:49:57,260 --> 00:49:58,260 disable it.
1229 00:50:03,680 --> 00:50:05,839 Any more questions? 1230 00:50:05,840 --> 00:50:08,129 The Internet has another question, and 1231 00:50:08,130 --> 00:50:11,269 the Internet wants to know how are 1232 00:50:11,270 --> 00:50:13,309 ATMs specifically connected to the network, if 1233 00:50:13,310 --> 00:50:15,889 not by 2G network, 1234 00:50:15,890 --> 00:50:18,079 like with VPN, or what do they 1235 00:50:18,080 --> 00:50:20,239 do for that? Like, people 1236 00:50:20,240 --> 00:50:22,699 are like, IPsec or something. 1237 00:50:22,700 --> 00:50:24,659 Do you know how they do this? 1238 00:50:24,660 --> 00:50:25,639 Oh yes. 1239 00:50:25,640 --> 00:50:27,889 We make presentations about 1240 00:50:27,890 --> 00:50:29,849 security here for quite a while. 1241 00:50:29,850 --> 00:50:32,089 And I think you can see 1242 00:50:32,090 --> 00:50:34,159 this presentation in our 1243 00:50:34,160 --> 00:50:36,319 Twitters. There are different 1244 00:50:36,320 --> 00:50:38,509 possibilities, like just 2G 1245 00:50:38,510 --> 00:50:40,879 modem, 3G and 4G modems, 1246 00:50:40,880 --> 00:50:43,339 or ordinary Ethernet cables. 1247 00:50:43,340 --> 00:50:45,649 We have even seen 1248 00:50:45,650 --> 00:50:47,989 X.25 in the phone networks that 1249 00:50:47,990 --> 00:50:49,339 are communicating with the processing 1250 00:50:49,340 --> 00:50:51,979 center, and for which purpose? 1251 00:50:51,980 --> 00:50:53,689 Yes, there are different additional 1252 00:50:53,690 --> 00:50:55,939 security mechanisms like VPN 1253 00:50:55,940 --> 00:50:58,009 clients, hardware, 1254 00:50:58,010 --> 00:51:00,259 hardware and software, 1255 00:51:00,260 --> 00:51:02,209 for example, some device installed inside 1256 00:51:02,210 --> 00:51:04,249 of each machine that connects 1257 00:51:05,330 --> 00:51:07,399 from the ATM VPN client, 1258 00:51:07,400 --> 00:51:09,629 and we've been going to the alternate 1259 00:51:09,630 --> 00:51:10,729 alternator.
1260 00:51:10,730 --> 00:51:13,639 But the big problem is 1261 00:51:13,640 --> 00:51:15,259 this particular device, for example, 1262 00:51:15,260 --> 00:51:17,509 the hardware device you have seen 1263 00:51:17,510 --> 00:51:19,789 in our presentation, 1264 00:51:19,790 --> 00:51:22,369 that is outside of the ATM, and 1265 00:51:22,370 --> 00:51:24,979 some hacker can disconnect this cable 1266 00:51:24,980 --> 00:51:26,779 and access this ATM machine. 1267 00:51:26,780 --> 00:51:29,029 And more important, by 1268 00:51:29,030 --> 00:51:30,619 disconnecting the Ethernet cable and 1269 00:51:30,620 --> 00:51:32,809 connecting to the client, you can 1270 00:51:32,810 --> 00:51:34,909 connect to the network of ATM machines. 1271 00:51:36,170 --> 00:51:38,539 So, and many of you maybe 1272 00:51:38,540 --> 00:51:40,969 have seen ATM machines with 1273 00:51:40,970 --> 00:51:44,239 an ordinary Windows window 1274 00:51:44,240 --> 00:51:46,399 that showed "I cannot 1275 00:51:46,400 --> 00:51:48,409 connect to the VPN server". 1276 00:51:48,410 --> 00:51:51,229 So they use everything, and 1277 00:51:51,230 --> 00:51:52,739 there are 1278 00:51:54,380 --> 00:51:56,629 no identical ATMs in different 1279 00:51:56,630 --> 00:51:57,630 banks. 1280 00:51:59,690 --> 00:52:00,690 OK. 1281 00:52:01,010 --> 00:52:03,169 And I have one final question from 1282 00:52:03,170 --> 00:52:05,299 the Internet, and that 1283 00:52:05,300 --> 00:52:07,460 is, would it be possible to 1284 00:52:08,660 --> 00:52:11,059 make the ATM accept your own 1285 00:52:11,060 --> 00:52:13,460 cassette with, like, your cash? 1286 00:52:18,410 --> 00:52:20,509 Maybe the question was about the 1287 00:52:20,510 --> 00:52:23,119 cash-in device that accepts 1288 00:52:23,120 --> 00:52:24,590 the banknotes inside it. 1289 00:52:25,850 --> 00:52:27,359 That is not original. 1290 00:52:27,360 --> 00:52:28,899 It's not legitimate. 1291 00:52:28,900 --> 00:52:31,249 There are some, there are several days.
1292 00:52:31,250 --> 00:52:33,959 And obviously you've 1293 00:52:33,960 --> 00:52:36,050 answered the question about the consent, 1294 00:52:37,700 --> 00:52:39,229 the responsibility to 1295 00:52:40,490 --> 00:52:42,889 deal with the security guys who exchanged 1296 00:52:42,890 --> 00:52:44,869 cassettes and installed, for example, 1297 00:52:44,870 --> 00:52:47,509 a cassette with just blank 1298 00:52:47,510 --> 00:52:48,559 paper. 1299 00:52:48,560 --> 00:52:51,199 But it's very rare, 1300 00:52:51,200 --> 00:52:53,299 and they are 1301 00:52:53,300 --> 00:52:55,549 easily forgotten by policemen, 1302 00:52:55,550 --> 00:52:56,550 policemen. 1303 00:52:58,770 --> 00:53:01,769 Um, there is a question whether or 1304 00:53:01,770 --> 00:53:03,449 if there are any different operating 1305 00:53:03,450 --> 00:53:05,639 systems involving Linux, for 1306 00:53:05,640 --> 00:53:07,859 example. I, 1307 00:53:07,860 --> 00:53:08,860 yes, there is 1308 00:53:10,000 --> 00:53:12,299 a custom operating system, for example, 1309 00:53:12,300 --> 00:53:13,469 in America, 1310 00:53:15,000 --> 00:53:16,000 that 1311 00:53:17,430 --> 00:53:20,069 is DOS-based healthfulness. 1312 00:53:20,070 --> 00:53:22,229 I haven't seen any, but I think that 1313 00:53:22,230 --> 00:53:23,230 there are, 1314 00:53:24,930 --> 00:53:26,070 but the most 1315 00:53:27,150 --> 00:53:29,219 often case, it's Windows XP, 1316 00:53:29,220 --> 00:53:30,739 still, still alive. 1317 00:53:36,820 --> 00:53:38,259 OK, thank you very much. 1318 00:53:38,260 --> 00:53:39,260 Thank you for.