HF2020 XFS ATM Jackpotting Alexandre Beaulieu

This document discusses the XFS protocol that underlies ATM operations and how it could be exploited for criminal purposes like "jackpotting" ATMs. It begins with an overview of typical ATM hardware, software, and workflows. It then examines potential attack vectors like network interception, direct computer/peripheral access, and compromising the bank's domain. The document analyzes the XFS protocol specifications and demonstrates how to send a simple "jackpotting" request. It also introduces an open-source XFS exploration tool and discusses real-world attacks. Finally, it offers recommendations for defending against these threats.

XFS: The Protocol Behind ATM Jackpotting
21/01/2020 - Alexandre Beaulieu

About Me
Alexandre Beaulieu

Technical Background
• Software Developer
• Reverse Engineer
• Ethical Hacker
• Security Researcher
• Low-Level Addict

Hobbies
• Running
• Cycling
• CTF

Input: Caffeine
Output: Code

Contact
Twitter: @alxbl_sec
Elsewhere: @alxbl

Disclaimer
Do not try at home!!

Neither I nor GoSecure condone criminal activity. The sole purpose of this presentation is to inform the public about the risks and attack surface of ATMs. Tampering with ATM cabinets that do not belong to you can and likely will result in legal trouble. Everything in this presentation is shared for informational purposes only.

Contents

• ATM Threat Modelling
• Attacking the XFS Protocol
• Defending against Threats

ATM Threat Modelling

Basics - What’s in the Cabinet?
Unveiling the mystery

• Computer
• Safe
• Cash / Bill Cassettes
• Card Reader
• PIN Keypad
• Tactile Screen
• Cash Dispenser
• USB cables connecting everything together
• Anti-tamper & anti-intrusion mechanisms
• Auditing mechanisms

Basics - The Computer

• Typically Runs Standard Issue Windows
  • Win XP, Win 7, Win 10
• Administered by the Bank
  • Sometimes by 3rd party consultants
• Usual Hardware
  • USB Ports
  • PCIe Ports
  • Ethernet Ports
  • …

Basics – Typical ATM Workflow

• User Inserts Card
• Authenticates PIN
• ATM Queries Bank Network
  • Retrieve Account Details
• User Requests Operation
• ATM Forwards Request for Processing
• Backend authorizes
• ATM Activates Hardware

Attacks – Network Interception
Spoof the Server and its Responses

• Spoof the ATM to connect to malicious server
• Malicious server intercepts business logic and API requests
• Threat actor learns protocol
• Threat actor spoofs protocol responses
  • Yes, this account has that much money.

Attacks – Network Interception in Action

Attacks – Direct Safe Access
Good Ol’ Dynamite Stick Should do the Trick

• Break into the safe
• Bypass all software and hardware restrictions
• Take the money and walk
• Just like in the cowboy movies

(This attack is impractical)

Attacks – Direct Computer Access
Circumvent Backend Logic by Executing Your Own

• Run your own malware on the ATM computer
• Talk to the peripheral drivers directly
• Activate cash dispenser on demand

Attacks – Domain Compromise
If IT can Manage Remotely, so can You!

• Compromise the Bank network
• Gain Access to the ATM subnet
• Use Remote management software and stolen credentials
• Execute “maintenance” programs on the ATM
• Remote Jackpot

Attacks – Domain Compromise: Carbanak (Circa 2015)

Attacks – Direct Peripheral Access
BYOA (Bring your Own ATM)

• Bypass Software Restrictions
• Control the Hardware Directly
• Requires Knowledge of ATMs
• Stealthy
• Quick

Attacks – A Side-Note about Physical Security

• Standard ATM pieces available online
  • Including Stock Cabinet Keys
• Idea: Research on Physical Intrusion Sensor Bypasses
• Reality: In-and-out before alarms trigger or authorities show up.

Attacking the XFS Protocol

XFS – Design Goals
eXtended Financial Services Standard

• Open (CWA 13449)
  • Free specification on the Internet
• High Level APIs
• Hardware Abstraction
  • Multi-Vendor
  • Multi-Platform
• Functionality Abstraction
  • Common Operations

XFS – The Modular Approach

• Bank’s Software Communicates with XFS API
• XFS API communicates with Service API
• Service API communicates with vendor-specific providers
• Providers communicate with hardware to perform actual operation

Or: API controls hardware

(Diagram: ATM Application [User Interface, Application Software] → XFS Stack [API, SPI, Service Providers] → Hardware)

XFS – High Level Implementation

• XFS only exercises the hardware
• Bank software implements the Business Logic
• Bank software validates requests and instructs XFS to perform physical operations
• Bank software is the brain of the ATM
• XFS is the nervous system
• Together they combine all peripherals to offer the “ATM experience”
  • Card Reader, PIN keypad, Cash Dispenser, Bill Deposit, etc.

XFS – Example Cash Dispense Flow

• Point of View of Bank software
• Some Error Checking Omitted
• Blue Cells: Round-trip to Bank Network’s Backend
• Red Cells: Interactions through XFS
• White Cells: Business Logic

XFS – The Fabled Cash Dispenser Spec
Also Known as: Reading the Fine Manual
XFS – A simple “Jackpotting” request
XFSc – An XFS exploration Tool
Make it easier for Security Researchers to experiment with XFS

• Command-Line Driven
• Scriptable (Intrusion Testing Engagements)
• Extendable (Easily add commands)
• Currently, only a fraction of XFS
  • Cash Dispenser Modules
  • Info Commands
• Will never include XFS SPIs and drivers

• Link: https://github.com/GoSecure/xfsc

XFS – The Raspberry Pi Attack
You might have heard of it in the News

• XFS drivers and SPIs pre-loaded on Pi
• Malicious cash dispense routine
• Battery Powered
• Plug-and-Loot approach

• Criminals drill or cut a hole near where the cash dispenser’s USB cable/port is (Based on ATM model)
• Plug Pi
• Take bills
• Leave before any alarms trigger

XFS – The Remote Jackpotting Attack
Mr. Robot would be proud

• Threat Actor Compromises Bank Network
  • Phishing
  • Exploit
  • …
• Reconnaissance and Lateral Movement
• Privilege Escalation
• Identify how ATMs are managed
• Gain Access to ATM management interface
  • Domain Admin / RDP / WinRM / etc.
• Identify ATM physical locations
• Use management interface to execute code

XFS – Other Attack Ideas
The potential of XFS

• In-Software Card & PIN Skimmer
  • Intercept all card numbers and associated PINs
• Backdoored PIN
  • Type a pre-determined PIN and amount to withdraw
• Remote Jackpotting (Already done by criminals)
  • In and out without even touching the hardware

Bottom-Line: With XFS access, you have full control over the ATM hardware

Defending Against Threats

Defense – Outgoing Tunnel

• Configure ATM to only connect to management/backend network via secure VPN or similar technology
• Use secure protocols to interact with backend, even through VPN
  • TLS certificate pinning
  • Mutual Authentication

Defense – Change Cabinet Locks

• Standard cabinet locks are widely deployed, keys are available cheaply
• Upgrade locks to less-generic models
• Makes initial access much more difficult

Defense – Separation of Privileges

• Account that runs the ATM user interface should not have direct access to XFS drivers
• Go through a local service that runs in highly protected context to mitigate risks related to code execution

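One way to build the protected local service this slide recommends, as an added Python example (not code from the talk or from the xfsc tool): the unprivileged UI process never calls XFS itself; it hands the broker a backend-issued dispense authorization, and the broker only reaches the XFS cash-dispenser layer after checking signature, ATM identity, expiry, amount and replay. The shared key, ATM id, token layout and the dispense callback are assumptions made for this example.

```python
# Added example: a minimal privilege-separated dispense broker. In a real
# deployment only the bank backend holds the signing key; issue_token()
# stands in for the backend's authorization round-trip (the "blue cells"
# of the dispense flow). All names and the token format are assumed.
import hashlib
import hmac
import json
import time


class DispenseBroker:
    def __init__(self, atm_id, backend_key, dispense_fn, now=time.time):
        self.atm_id = atm_id            # identity of this cabinet (assumed)
        self.key = backend_key          # secret shared with the backend (assumed)
        self.dispense_fn = dispense_fn  # privileged hook into the XFS CDM layer
        self.now = now                  # clock, injectable for testing
        self.seen = set()               # transaction ids already dispensed

    def _mac(self, payload: bytes) -> bytes:
        return hmac.new(self.key, payload, hashlib.sha256).hexdigest().encode()

    def issue_token(self, txn_id, amount, ttl=60):
        # Backend side: bind the authorization to ATM, transaction, amount, expiry.
        body = {"atm": self.atm_id, "txn": txn_id, "amount": amount,
                "exp": int(self.now()) + ttl}
        payload = json.dumps(body, sort_keys=True).encode()
        return payload + b"." + self._mac(payload)

    def request_dispense(self, token: bytes, amount: int) -> str:
        # Broker side: called on behalf of the unprivileged UI process.
        try:
            payload, mac = token.rsplit(b".", 1)
        except ValueError:
            return "rejected: malformed token"
        if not hmac.compare_digest(self._mac(payload), mac):
            return "rejected: bad signature"
        body = json.loads(payload)        # safe: integrity already verified
        if body["atm"] != self.atm_id:
            return "rejected: token for another ATM"
        if body["exp"] < self.now():
            return "rejected: expired"
        if body["amount"] != amount:
            return "rejected: amount mismatch"
        if body["txn"] in self.seen:
            return "rejected: replay"
        self.seen.add(body["txn"])
        self.dispense_fn(amount)          # only now does XFS get involved
        return "dispensed"
```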
Defense – Protect Computer Access

• Computer should be treated as the equivalent of a cash dispenser
• Protect it accordingly by placing it in the safe
• Avoid positioning computer near easily cut or drilled surfaces (plastic cabinet)

Defense – Protect Peripheral Access

• Having access to USB cables allows full bypass of all other protections
• Critical peripherals such as the cash dispenser and cassettes should not be accessible directly when opening the cabinet

Resources

• XFS Specification
• XFS Exploration Tool
  • (Drivers not included)
  • Use responsibly
• CEN/XFS Jackpotting (Blog)

Carbanak (2015) Coverage
• Kaspersky Report
• Darknet Diaries EP 35
• Surveillance Camera Footage

• Icons: https://draw.io

Questions / Comments ?
