ATM virus post

    Guys, I couldn't stand it any longer. Let's talk about the ATM virus detected more than a year ago in Diebold ATMs and the basic principle of how it works. The topic is ancient and the peak of the hysteria has long passed, but the public never learned what really happened, so even IT specialists keep guessing and repeating myths. Many articles have been written about this virus, from technical descriptions to political education for housewives, but the most important trick was never explained to us. I will try to keep it simple, because what matters is understanding the essence, not digging into the details of one specific implementation.

    Picture to attract attention: (image not reproduced here)

    Let's start from the beginning. A year ago the media panicked: "there are viruses in the ATMs!", and every self-respecting bank manager joined the panic and started trying to do something. The panic had a real basis: the world is full of freeloaders, the so-called carders, whose goal is to obtain your bank card details, PIN included, in order to clone the card and withdraw all your money or buy something with it. Various methods of deception have been invented for this, but before the virus appeared all of them were physical in nature. The virus is interesting precisely because it took the technology to a fundamentally new level: PIN codes started being skimmed at the software level. It should be noted that the virus can also dispense cash in unlimited amounts to a special card, but as customers we don't care about that; there it is the bank that takes the hit, not us.

    Now a quick look inside the ATM itself, to see where a virus could come from. I'll tell you a secret: the vast majority of ATMs run Windows XP. The pessimistic reader will conclude that this alone is a threat and that we should start being afraid. But it isn't as bad as it looks. First, conscientious ATM software vendors strip this Windows down heavily, disabling everything that can be disabled, protecting ports, blocking access and so on. Second, an ATM never faces the Internet directly: it sits either on a dedicated segment of the corporate network or behind some encryption device such as Cisco or Checkpoint, so a virus getting in from outside is, to put it mildly, not an option. Consequently the only route is an insider, since planting something from the outside is problematic.

    And what does typical ATM software look like? Here it is. The architecture is client-server. The server knows how to drive the specific hardware (of which an ATM has plenty) and exposes software interfaces that are common to each type of device (dispenser, card reader, printer, keypad, and so on). The client, i.e. the business application itself, uses these interfaces to show us advertisements, dispense the long-awaited salary, print receipts and blink cheerfully. This whole arrangement is called the CEN/XFS standard. I'll attach a picture.



    Armed with this knowledge, we immediately start writing our own ATM software, with blackjack and hookers, since there are no secrets here: all the emulators and specifications are open to us. We will read the magnetic stripe from the card reader when the customer inserts the card, and the PIN from the PIN pad when the customer enters it. Profit, as they say. On the face of it, everything looks fine. But it's too early to rejoice; a small bummer awaits us. The thing is that you cannot read the PIN from the keypad in clear. Only encrypted.



    A digression, for the general education of those interested. The PIN in clear never goes anywhere except the keypad itself and the special HSM device where it is processed. PIN entry works as follows. The software sends the keypad the card number and a command to accept a PIN. During entry, the keypad reports only the fact that a key was pressed, not which one. Then the keypad builds a block consisting of the two-digit PIN length and the PIN itself, pads it to 16 characters with the digit F, and XORs it with the rightmost 12 digits of the card number, excluding the last check digit. For example, for PIN 1234 and card 4987.6543.2109.8765 we take 04.1234.FFFFFFFFFF, XOR it with 0000.765432109876 and get 0412.42AB.CDEF.6789. And then this last number is encrypted with a working key,
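    The PIN block construction from the paragraph above, as an added example that is not part of the original post: it builds the clear block the way the post describes, checks it against the post's own numbers, and also shows the inverse step. The function names (pan_field, pin_field, clear_pin_block, recover_pin) are mine.

```python
# Added example, not from the original post: the ISO 9564 format-0 PIN block
# construction the post describes, checked against the post's own numbers.
# Real keypads do this step internally and only ever output the encrypted block.

def pan_field(pan: str) -> str:
    """Rightmost 12 PAN digits excluding the check digit, left-padded to 16 with zeros."""
    digits = "".join(ch for ch in pan if ch.isdigit())   # accepts "4987.6543.2109.8765"
    if len(digits) < 13:
        raise ValueError("PAN must have at least 13 digits")
    return "0000" + digits[-13:-1]

def pin_field(pin: str) -> str:
    """Control nibble 0, PIN length nibble, the PIN digits, then 'F' padding to 16."""
    if not pin.isdigit() or not 4 <= len(pin) <= 12:
        raise ValueError("PIN must be 4 to 12 digits")
    return f"0{len(pin):X}{pin}".ljust(16, "F")

def clear_pin_block(pin: str, pan: str) -> str:
    """The value the keypad encrypts under the working key, as 16 hex digits."""
    return f"{int(pin_field(pin), 16) ^ int(pan_field(pan), 16):016X}"

def recover_pin(block_hex: str, pan: str) -> str:
    """Inverse of clear_pin_block: XOR the PAN field back out and read the length."""
    field = f"{int(block_hex, 16) ^ int(pan_field(pan), 16):016X}"
    if field[0] != "0":
        raise ValueError("not a format-0 PIN block")
    length = int(field[1], 16)
    pin = field[2:2 + length]
    if len(pin) != length or not pin.isdigit() or set(field[2 + length:]) - {"F"}:
        raise ValueError("malformed PIN block")
    return pin

if __name__ == "__main__":
    blk = clear_pin_block("1234", "4987.6543.2109.8765")
    print(blk, recover_pin(blk, "4987654321098765"))   # 041242ABCDEF6789 1234
```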

    Now let's deal with the encryption keys, since we have mentioned them. These keys live in the keypad itself and cannot be read out of it. As a rule, before an ATM goes into operation, bank security officers manually enter the so-called master key (MK) into the keypad. Then, from time to time, a special working key (WK) arrives at the ATM, encrypted under that same master key, which nobody knows apart from the keypad and the HSM mentioned above (the officers each enter their own component and do not know the full key). So our keypad holds MK and MK(WK).

    We are gradually approaching the climax. In fact, many different keys can be written into the keypad. And you can feed it a PIN block, tell it to decrypt the block with a working key, encrypt it with another key and return the result. That is, in clear we will never get it, but encrypted under a key, no problem. So why don't we write our own, known master key into it and tell the keypad to encrypt the PIN block with that key instead of some other one? And then we decrypt it ourselves, because now we know the key. This is exactly what our virus does.



    That's the whole trick, guys. Nothing complicated, right?

    Finally, I'll tell you where the catch is. It is no coincidence that the virus operated precisely in Diebold ATMs. The fact is that some Diebold ATMs had old keypads installed that did not meet modern security requirements. And modern security requirements say that ATM keypads must enforce a key hierarchy. This means that if we instruct the keypad to decrypt a PIN block with a working key, we may re-encrypt it only under the master key under which that working key was encrypted. This is logical: if we managed to load the working key, then we know that master key (we encrypted the working key with it) and we can be trusted. But if we ask to encrypt the PIN block with some key from a neighbouring branch, we will be refused; that is a sign of malicious intent.
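    The key-hierarchy rule from the paragraph above, as an added example that is not part of the original post and not any vendor's firmware: a toy model of a PIN pad's key store in which a working key remembers the master key it arrived under, and a translation request is honoured only when the destination key sits under that same master key. The cipher is a constructed stand-in (SHA-256 keystream XOR), the class and key names are mine, and the rule that any key under the same MK is an acceptable destination is an assumption that generalises the post's wording.

```python
# Added example, not from the original post: a toy encrypting PIN pad that
# enforces the key hierarchy the post describes. The "cipher" is a constructed
# stand-in for demonstration only, not what real keypads use.
import hashlib

def toy_encrypt(key: bytes, block: bytes) -> bytes:
    """Constructed stand-in for the pad's cipher: XOR with a key-derived stream."""
    stream = hashlib.sha256(key).digest()[:len(block)]
    return bytes(a ^ b for a, b in zip(block, stream))

toy_decrypt = toy_encrypt  # XOR with the same stream is its own inverse

class KeyHierarchyError(Exception):
    """Raised when a translation would cross into another master key's hierarchy."""

class EncryptingPinPad:
    def __init__(self):
        self.master_keys = {}   # name -> MK bytes, entered by security officers
        self.working_keys = {}  # name -> (WK bytes, name of the MK it arrived under)

    def load_master_key(self, name: str, key: bytes) -> None:
        self.master_keys[name] = key   # the pad accepts many keys, as the post says

    def load_working_key(self, name: str, mk_name: str, mk_wk: bytes) -> None:
        """The WK arrives as MK(WK); the pad records which MK unwrapped it."""
        self.working_keys[name] = (toy_decrypt(self.master_keys[mk_name], mk_wk), mk_name)

    def translate_pin_block(self, enc_block: bytes, src: str, dst: str) -> bytes:
        """Decrypt under the src WK and re-encrypt under dst, only inside one hierarchy."""
        src_key, src_mk = self.working_keys[src]
        if dst in self.working_keys:
            dst_key, dst_mk = self.working_keys[dst]
        else:
            dst_key, dst_mk = self.master_keys[dst], dst
        if dst_mk != src_mk:
            raise KeyHierarchyError(f"{dst} is not under master key {src_mk}")
        return toy_encrypt(dst_key, toy_decrypt(src_key, enc_block))

def demo() -> tuple:
    """Legitimate translation succeeds; one to a foreign master key is refused."""
    pad = EncryptingPinPad()
    bank_mk, wk = bytes(range(16)), b"\xaa" * 8           # constructed key material
    pad.load_master_key("MK_BANK", bank_mk)
    pad.load_working_key("WK", "MK_BANK", toy_encrypt(bank_mk, wk))
    pad.load_master_key("MK_FOREIGN", b"\x11" * 16)       # a key the bank never issued
    block = bytes.fromhex("041242ABCDEF6789")            # the PIN block from the post
    enc = toy_encrypt(wk, block)
    legit = toy_decrypt(bank_mk, pad.translate_pin_block(enc, "WK", "MK_BANK")) == block
    try:
        pad.translate_pin_block(enc, "WK", "MK_FOREIGN")
        refused = False
    except KeyHierarchyError:
        refused = True
    return legit, refused
```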



    That's all. It turned out a bit long; there was no need to write about PIN blocks, but oh well. I hope I have clarified the situation a little and that the myths and interpretations circulating in well-known circles will start to subside. This applies especially to managers of large banks who want to install antivirus software on ATMs without realising it will bring far more headaches than benefit. The sensible guys have long been using Solidcore solutions and living in peace.
