Blackboxing Wincor dispensers
Although malware/logical attacks are still the most popular attacks on ATMs, Blackbox attacks on cash dispensers are another popular vector, and they are not slowing down. This vector involves a direct connection to the dispenser through a hole drilled in the ATM case. To resist cybercriminals, large ATM vendors are introducing cryptographic methods of protection, while telling banks: buy our new ATMs, now they are definitely protected from Blackbox! However, is everything really as rosy as the vendors describe?
In an attempt to defend against ATM attacks, vendors for the most part still use the same old method: security through obscurity. They think: if an attacker does not have access to the ATM documentation, and if we encrypt the firmware, then he will never be able to hack our products. On the one hand, this is how it should work. But, on the other hand… Insiders, “buddies” in the service center, cash dispensers on eBay – and that’s it, the attacker has everything needed to carry out his plans. Let’s take the path of an attacker, but for good purposes!
In our presentation, we will go through the same interesting path that cybercriminals take when preparing Blackbox attacks: we’ll buy a Wincor dispenser (the main board) on eBay, find a 0-day vulnerability, use it in laboratory conditions, and withdraw banknotes. In addition, we will also be very lucky to find another vendor’s cash dispenser with the same vulnerability!
I'm a reverse engineer: finding vulnerabilities in different hardware at work, romhacking at home.
I'm an active romhacking community member. I like to reverse-engineer old-school TV games, to create compression and decompression tools, and to help other people translate games into different languages.
Also, my job is to find vulnerabilities to help vendors protect their devices. This is what I like to do the most.