Automated Teller Machines (ATMs) are an obvious target for criminals, since a successful compromise results in immediate monetary gain for them and a loss of public trust in the machine's manufacturer. Once the domain of banking institutions, the growth of third-party ATM development has led to the appearance of these machines everywhere from public libraries to nightclubs. Alongside heightened demand, the need for improved usability and additional functionality has also increased. As ATMs become more sophisticated, the attack surface widens.
Building on its first-hand research in this exciting market, IOActive is uniquely experienced to assess the security of various ATM types, ranging from hole-in-the-wall banking machines to stand-alone retail models. IOActive combines its collective expertise in software, firmware, and hardware security assessments to provide a breadth and depth of skill that few other services firms can offer. We employ custom-built tools and elite techniques that we developed specifically for performing audits and penetration tests on ATMs, enabling us to deliver accurate and stable results to our clients.
Beyond Physical Security - The New Software Threat
Up to this point, ATM security has been focused on preventing physical attacks—skimmers, ram-raids, and physical theft are the threats we hear most about. Countermeasures such as increased surveillance and physical hardening of the ATM's construction have gone a long way toward better security. However, a new class of threats has arisen. IOActive Labs is a leader in discovering software-based attack vectors that cannot be mitigated by existing countermeasures alone: software-based attacks require a whole new level of security solutions at the software level.
IOActive Labs ATM Research:
Barnaby Jack, Director of Security Research at IOActive Labs, is an ATM security research pioneer and works proactively with financial institutions to strengthen the overall security posture of these machines. IOActive Labs has conducted research on many new ATM models, uncovering previously unknown weaknesses—weaknesses that were unveiled at Black Hat 2010 and demonstrated through both local and remote attacks that resulted in full compromise. During that demonstration, IOActive Labs uploaded a rootkit designed specifically for ATMs that gives an attacker the ability to dispense cash from the machine, retrieve ATM passwords and settings, and capture and retrieve tracking data remotely.
Black-Box Penetration Testing:
During an ATM black-box penetration test, IOActive assesses the firmware and software's security by simulating an attack without any source code access. Conducting this type of penetration test enables IOActive to identify weaknesses, vulnerabilities, and what type of attack vectors could be exploited during a real-world compromise. IOActive performs local penetration tests (walk-up attacks), remote penetration tests (auditing networks and dialup-based services), and management infrastructure penetration tests.
The recent disclosure of ATM-based malware in Eastern Europe highlights the severity and reality of this type of infection. To help our clients mitigate and avoid escalating malware problems, IOActive offers malware analysis services during which we utilize tools we designed specifically to facilitate both the detection and reversal of ATM-based malware. We can also verify the integrity of ATMs and confirm when they are free from malware infection.
Source Code Review:
IOActive consultants have years of code auditing experience, regularly assisting organizations with highly complex and advanced security challenges. Because our expert consultants often conduct source code reviews of ATM firmware and management software, they know how to identify and examine vulnerable design points to uncover flaws that may result in severe security compromise. We deliver detailed documentation about the location and nature of problems we find, and our consultants will advise your developers on how to address each problem immediately, mitigating the occurrence of repeat problems in the future.