The talk of the 2010 Black Hat conference was security researcher Barnaby Jack’s presentation on “Jackpotting An ATM” using two little programs he developed called “Scrooge” and “Dillinger”. “Scrooge” is an ATM firmware rootkit (malicious software that conceals itself at the level of the interface between software and hardware) that takes control of an ATM machine and causes it to spit all its money out. “Dillinger” is a program that gathers debit card numbers and passwords from the infected machine and sends them to a remote location for collection.
Since my main character is on the run from both the Police and the Federal Authorities, “Dillinger” is not much good to us. So it is “Scrooge” that we’ll be using. Time to plan a crime.
I got copies of “Scrooge” and “Dillinger” along with an ATM key (all ATMs are keyed alike, believe it or not!) as the beginning of my proof of concept. I was then ready to emulate emptying an ATM machine. Since most of the larger ATMs, like the ones at the banks, had been patched, I rejected them outright. That left me with the smaller ATMs of the type found in convenience stores. The problem is, a lot of convenience stores are open 24 hours, so I couldn’t just write in a staged after-hours break-in. Besides, this would have been such an inelegant solution and a betrayal of my readers.
No, I needed a brazen, broad-daylight exploit. Time for a little social engineering. There’s a section of Route 12 in Fitchburg, MA that has a half dozen convenience stores and gas stations within a short 1/4 mile, so this became my target. The first step was a scouting expedition to find the brand names of the ATMs. Done early in the morning, it allowed for a shift change before I had to go back. Armed with a MacBook Pro, a portable USB printer and a small laminator, it’s an easy matter to take a picture with the built-in camera and use Photoshop to combine it with the corporate logos of the manufacturers of the machines I’d scouted, downloaded as JPGs from their respective websites. Cutting the results down with a barcode thrown in and laminating them makes a fairly effective* ID badge. With darkness falling, it’s easy to wait until the clerk of the store is getting slammed. That’s when I begin the attack.
Entering the store, I ignore the line and go right up to the counter. I push my ID in the busy clerk’s face and tell him I’m from the corporate office of the ATM’s manufacturer and I’m here to update the firmware of their unit. 99% of the time, the reaction of the clerk will be: “Whatever. Go do it and stop bothering me!” Now I’m all set. I can open the ATM with my key and can then, if I want to, proceed to insert a small flash drive containing “Scrooge”, collect the bills, and say thanks on the way out.
This attack works so well because very few people know you can get (or used to be able to get) an ATM key quite easily on the internet. Opening the ATM with the key indicates that you are who you said you were; after all, you have a key. Waiting until the clerk is slammed is an effective way to ensure he won’t be able to describe you later when the crime is discovered. An elegant “hacker” solution to the problem of raising cash when you are on the run from law enforcement. Part of the real fun involved in writing “Playing God”.
*Note – This was all done as a proof of concept and with the permission of a store owner who was grateful for the “heads up” about the need for a patch, and no money was taken.
…’till next time