Hackers Empty ATMs by Drilling One Small Hole


Hackers are using a combination of low-tech and high-tech attacks to make ATMs spit out cash, according to Kaspersky researcher Igor Soumenkov, who presented this novel attack at this year’s Security Analyst Summit, taking place in St. Maarten this week.

These attacks first started last year, when several banks in Europe and Russia discovered empty ATMs with a hole drilled in one of their sides.

Attackers drilled 4-cm hole in ATM’s side

After calling Kaspersky experts to investigate, it became apparent that no malware had been used in the attacks, yet no one could explain how the attackers forced the ATM to dispense all its bills.

Only when taking a closer look at the drilled hole did researchers understand what happened. The hole’s position was crucial to unraveling the attack.

ATM thieves had drilled a small hole, about 4 centimeters (1.5 inches) wide, on the side of the ATM’s PIN pad (number pad). After dismantling a similar ATM in their laboratory, Kaspersky researchers realized this hole was right next to a crucial ATM component, a 10-pin header.

Attackers connected and hijacked ATM’s main bus

This 10-pin header wasn’t just any connector, but the header for connecting straight to the ATM’s main bus, which interconnects all the ATM’s other components, from the screen to the PIN pad, and from the internal cash store to the dispenser.

Kaspersky researchers say it took them very little time to put together a small board, slide a connector in through the 4-centimeter drilled hole, and connect to the ATM bus.

The rig cost the researchers $15, and they used only off-the-shelf electronics, with no special components needed.

Attackers took complete control over ATMs

Even though ATMs run special software and use encryption for all operations, the researchers said they found it very easy to break the ATM’s encryption scheme.

It also helped that the ATM’s operations were very easy to understand, which allowed them to reverse-engineer the ATM’s inner workings and make the ATM bus do whatever they liked. Either way, even if crooks lacked the technical expertise to reverse-engineer an ATM’s protocols, plenty of ATM programming guides have leaked online in the past.

The only downside of this attack was that crooks needed to carry a laptop with them in order to send commands to the ATM via their $15 board.

Given that other crooks have had no problem using explosives or cars to destroy and break into ATM cases, drilling a hole and connecting a laptop is a piece of cake by comparison, and it helps crooks keep a relatively low profile.

On Monday, at the same conference, Kaspersky researchers revealed ATMitch, a new attack on ATMs that relies on crooks hijacking a bank’s ATM backend network and installing self-deleting malware on ATMs via RDP connections.