Black-box ATM assault

Yet another example of an attack against an ATM: This time the cash machine itself is emulated.

As we have been reporting lately, ATM security leaves a lot of room for improvement, in terms of both the information machines transmit and the physical setup of the machines. In previous posts we showed how criminals can access money using a flash drive with specific malware or with a device mimicking a processing center. Here’s yet another variation: In this case, criminals emulate the ATM itself.

As you probably remember, every ATM houses a rather common PC, but instead of standard peripherals it has specialized ones — such as the automatic cash dispenser.

Of course, you can’t simply pry an ATM open; they have some physical security. But there are still ways to force the cash out of one. Here’s how it can be done using a so-called black box:

As with the other methods we’ve already shown, a criminal opens the machine using the key, which is easy to buy on the black market. The next steps are to switch the ATM into service mode, unplug the right USB cable, and hook it to a black box, which is a remotely controlled mini-PC. The black box issues commands to the ATM to dispense cash.

The operation is repeated until the cash tray is empty. The thief then simply removes the black box, leaving no traces of the attack.

This kind of attack is possible because the critically important hardware of an ATM doesn’t check the authenticity of its networking environment and applications (in this case, the ATM’s main application).

The cash dispenser will obey commands from any device it is connected to.
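The missing check can be shown with a small model of the dispenser side. This is an added example, not code from the original post or from any ATM vendor. The frame layout, class and function names, and the key are constructed for illustration, and the model assumes the host application and the dispenser share a secret key.

```python
import hashlib
import hmac
import struct

HEADER = struct.Struct(">QH")   # constructed frame: 8-byte counter, 2-byte note count
TAG_LEN = hashlib.sha256().digest_size

def make_frame(key: bytes, counter: int, notes: int) -> bytes:
    """Host side: serialize a dispense command and append an HMAC-SHA256 tag."""
    body = HEADER.pack(counter, notes)
    return body + hmac.new(key, body, hashlib.sha256).digest()

class Dispenser:
    """Toy dispenser controller. authenticate=False models the flaw described above."""
    def __init__(self, key: bytes, authenticate: bool = True):
        self.key = key
        self.authenticate = authenticate
        self.last_counter = 0   # highest counter accepted so far
        self.dispensed = 0      # notes paid out

    def handle(self, frame: bytes) -> bool:
        if len(frame) != HEADER.size + TAG_LEN:
            return False
        body, tag = frame[:HEADER.size], frame[HEADER.size:]
        counter, notes = HEADER.unpack(body)
        if self.authenticate:
            expected = hmac.new(self.key, body, hashlib.sha256).digest()
            if not hmac.compare_digest(tag, expected):
                return False    # sender does not hold the shared key
            if counter <= self.last_counter:
                return False    # replay of a previously accepted frame
            self.last_counter = counter
        self.dispensed += notes
        return True

def demo() -> dict:
    key = b"constructed-demo-key-not-for-use"
    legit = make_frame(key, counter=1, notes=4)
    # A device without the key can emit well-formed bytes, but not a valid tag.
    unkeyed = make_frame(b"some-other-key", counter=2, notes=40)
    weak, strong = Dispenser(key, authenticate=False), Dispenser(key)
    return {
        "weak_accepts_unkeyed": weak.handle(unkeyed),
        "strong_accepts_legit": strong.handle(legit),
        "strong_accepts_unkeyed": strong.handle(unkeyed),
        "strong_accepts_replay": strong.handle(legit),
        "weak_dispensed": weak.dispensed, "strong_dispensed": strong.dispensed,
    }
```

The counter check matters as much as the tag: without it, a frame recorded from the legitimate host would still verify when sent a second time.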