Money for Nothing
The security of ATMs in Saudi Arabia is an important issue for major banks and their users. This case study will explore the security assessment of ATM machines for a major bank in Saudi Arabia, examining the challenges faced, solutions proposed, and outcomes achieved.
Introduction
The world’s first ATM machine was installed on 27th June 1967 at a branch of Barclays Bank in Enfield, United Kingdom. Given the maturity of such devices and their role in storing and dispensing cash, you might expect that no stone would have been left unturned when it comes to security but there is no room for complacency when it comes to the cyber security or the physical security of your organisation and its assets.
In this case study, we examine an ATM security assessment conducted for a major bank in Saudi Arabia. Our highly experienced consultants have discovered a wide range of vulnerabilities over the years, but their findings were a big surprise for our clients.
Scope and objectives
As part of a wider Red Team Engagement, our client asked us to review both the physical and digital security posture of their ATM machines. As a major bank, our client had undergone many regular security assessments and could be considered to have a strong security posture, however, they understood the need to continuously evaluate this as the threat landscape and possible attack vectors are continuously evolving. The primary goal of the client was to confirm their belief that there were no significant vulnerabilities existing for their ATM network. But the events that actually unfolded were shocking.
The consultants’ objectives were to evaluate the security posture of the ATM machines including physical security posture, software, and communication channels. This was not a capture the flag (CTF) type exercise and so there were no specific flags for this assessment but getting an ATM to dispense cash it was not supposed to is always a fun challenge and will of course be on the mind of every consultant performing this type of assessment.
Methodology
The assessment included the following elements:
Key findings
After conducting our testing, what were the main areas to raise to our client?
Poor physical security
The ATMs assessed were found to have serious physical security issues, including the ATM front panel using a generic lock for which a key could be purchased online from several sources, including AliExpress. This did not provide access to the cash contained within the safe, but it did provide access to components of the machine, as well as to some customers' cards that had been retained and a paper-based audit record that contained highly sensitive information.
On further inspection of the cabinets housing the ATMs, consultants found insecure rear doors with broken locks, exposed cabling for alarm systems allowing the alarms to be easily bypassed, and access to cabling and networking equipment either through insecure doors or because the cabinets had no top panels. Side panels of the cabinets were not welded and so could have been easily removed with simple tools.
All the ATMs assessed were production machines in a public environment, and at no point were consultants challenged. Even after deliberately activating the tamper alarm, nobody questioned what we were doing with this machine full of cash. This included security guards in a busy shopping centre.
Software vulnerabilities
The security posture of the software stack left much to be desired, with multiple serious vulnerabilities, including the fact that the ATM application did not use any form of encryption for transaction data, including PCI-related data, instead relying on networking hardware to secure the traffic via a VPN. We will cover this in more detail when we discuss network security in a moment.
There was a clear lack of patch management, with the operating system missing several security patches. Endpoint protection was completely inadequate and did not detect any of the malicious payloads we tested it against, including the common EICAR test files, which you would reasonably expect any antivirus engine to detect.
Business logic within the ATM was reasonably secure except for excessive logging containing personally identifiable information and other sensitive data.
Other configuration issues existed, including SMB signing not being required, which could enable several attacks including authentication bypass, replay attacks, and session hijacking.
Network
The ATM security assessment revealed a critical vulnerability stemming from poor physical security. Consultants easily tapped into the unencrypted network traffic, exposing sensitive information like card numbers and PINs. Despite an out-of-service sign, a member of the public unknowingly provided their details during the assessment.
The team performed various transactions, analysing traffic for offline exploitation. Over the weekend, they meticulously developed a Raspberry Pi-based device to manipulate ATM traffic in real time. Testing uncovered the potential to alter account balances and manipulate ATM receipts. Ethical considerations led the team to seek client permission before attempting a cash-dispensing exploit, which was denied.
The ethical stance was upheld, emphasising the importance of adherence to assessment scopes and seeking permission. Despite the temptation, the team prioritised ethical hacking principles over potential financial gains, underscoring the distinction between ethical hackers and malicious actors.
The episode concluded with collaboration between the security team and the client's technical staff, highlighting the ethical hacker's commitment to responsible practices.
Recommendations
Security assessments should take place regularly, ideally every six months but at least once every twelve months.
The design of the cabinets housing the ATM machines should be reviewed, adding additional security including secure locks and effective anti-tampering mechanisms.
Encryption should be enforced within the ATM application with no reliance on networking hardware to protect data in transit.
The ATM application should have a mechanism to validate data integrity to prevent tampering.
Applications should only log data specifically required for audit or diagnostic purposes and unnecessary sensitive data should be removed from logs.
The endpoint protection solution should be correctly configured and maintained to be effective.
The operating system should be hardened in line with CIS benchmarks and enforce the requirement for SMB signing.
An effective patch management procedure should be implemented. Devices such as ATMs, POS terminals, and kiosks are often overlooked.
Review the use of generic locks with the ATM vendor.
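The integrity recommendation above (validate transaction data so that traffic altered in transit, as in the Raspberry Pi test, is rejected) as an added illustration; this is example code, not the bank's or the ATM vendor's application. It assumes a hypothetical per-device key shared between ATM and host, authenticates each message with HMAC-SHA256 over a canonical serialisation, and uses a per-ATM sequence number as a replay guard. Encryption of the same payload (the confidentiality recommendation) would wrap this message in an AEAD cipher and is not shown here.

```python
import hmac
import hashlib
import json

# Hypothetical key shared between one ATM and the host. Constructed placeholder;
# a real deployment would provision a per-device key from an HSM, never a constant.
ATM_HOST_KEY = bytes.fromhex("11" * 32)


def canonical(msg: dict) -> bytes:
    """Canonical JSON so ATM and host compute the MAC over identical bytes."""
    return json.dumps(msg, sort_keys=True, separators=(",", ":")).encode()


def sign(msg: dict, key: bytes) -> dict:
    """ATM side: attach an HMAC-SHA256 tag covering every field of the message."""
    signed = dict(msg)
    signed["mac"] = hmac.new(key, canonical(msg), hashlib.sha256).hexdigest()
    return signed


class HostVerifier:
    """Host side: the MAC must match and the sequence number must advance."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_seq = {}  # atm_id -> last accepted sequence number

    def verify(self, signed: dict) -> bool:
        body = {k: v for k, v in signed.items() if k != "mac"}
        expected = hmac.new(self.key, canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, signed.get("mac", "")):
            return False  # any field altered in transit, or MAC missing
        atm, seq = body["atm_id"], body["seq"]
        if seq <= self.last_seq.get(atm, -1):
            return False  # replayed or out-of-order message
        self.last_seq[atm] = seq
        return True


def demo() -> tuple:
    """Genuine message accepted; tampered amount rejected; replay of the original rejected."""
    host = HostVerifier(ATM_HOST_KEY)
    txn = {"atm_id": "ATM-0001", "seq": 42, "pan_token": "tok_5f2a", "amount": 200}
    wire = sign(txn, ATM_HOST_KEY)
    genuine = host.verify(wire)
    tampered = host.verify(dict(wire, amount=2000))  # balance/amount changed mid-path
    replayed = host.verify(wire)                      # same seq presented again
    return genuine, tampered, replayed
```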
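The logging recommendation above (log only what audit or diagnostics require, and keep sensitive data such as card numbers out of logs) as an added illustration, not code from the bank or the page. It assumes a hypothetical log format: structured events are reduced to an allowlist of audit fields, and free-text lines have any Luhn-valid 13-19 digit number masked to the first six and last four digits, so reference numbers that merely look like PANs are left alone.

```python
import re

# Fields an audit record legitimately needs (hypothetical allowlist for this example).
ALLOWED_FIELDS = {"ts", "atm_id", "txn_id", "type", "amount", "result"}

# Candidate PAN: 13-19 consecutive digits not embedded in a longer digit run.
PAN_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn check to separate real card numbers from other long digit strings."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep at most first six and last four digits (PCI DSS truncation rule)."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def redact(line: str) -> str:
    """Mask every Luhn-valid PAN in a free-text log line."""
    return PAN_RE.sub(lambda m: mask_pan(m.group()) if luhn_ok(m.group()) else m.group(), line)


def audit_record(event: dict) -> dict:
    """Drop everything not on the allowlist (cardholder name, PIN, full PAN, ...)."""
    return {k: event[k] for k in ALLOWED_FIELDS if k in event}


# Constructed sample input: the 4111... number is a well-known test PAN,
# the 13-digit ref fails Luhn and is therefore left untouched.
SAMPLE_LINE = "withdraw card=4111111111111111 amount=200 ref=1234567890123"
SAMPLE_EVENT = {"ts": "2024-01-01T10:00:00Z", "atm_id": "ATM-0001", "txn_id": "T1",
                "type": "withdraw", "amount": 200, "result": "ok",
                "pan": "4111111111111111", "holder": "A N Other", "pin": "1234"}
```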
Conclusion
The security assessment of ATMs for a major bank in Saudi Arabia uncovered critical vulnerabilities that would lead many to challenge preconceived notions of ATM security. The findings demonstrate the need for ongoing assessment in the face of an ever-evolving threat landscape.
Physical security was proven to be alarmingly weak with poor cabinet design and insecure generic locks, coupled with the lack of an effective anti-tampering solution. Software vulnerabilities and misconfigurations including a complete lack of encryption compromised data integrity and privacy allowing effective exploitation.
The recommendations from this assessment should provide a clear path forward for the bank to remediate these issues and thus drastically improve the security posture of their ATM network.