Hackers use Samsung Galaxy S4 to rob ATMs
Hackers have discovered a way to hack certain types of ATMs using a fresh-out of-the-box Samsung Galaxy S4, according to Hackread. It just requires a simple set of commands, the right type of ATM, and a chip physically inserted into the machine.
The new hack is an evolution of a “black box” attack, which is a type of ATM fraud where the perpetrators physically break into the top of the ATM. Once the ATM is open, the crooks then disconnect the ATM’s cash dispenser from the machine’s central computer and connect their own device. From there, the thieves can issue their own commands, including the order to dispense cash.
A new type of attack takes the black box attacks one step further.
No honor among thieves
A recent attack outlined by the site Krebs on Security found that these particular black box attacks added a USB-based circuit board, connected to the ATM’s internal processor. Krebs is still investigating, but he believes that the circuit board was meant to fool the ATM’s core into thinking it was still connected to the processor, overriding possible alarms, which would trigger a lockdown of the system and alert the ATM’s owners.
“They didn’t have to do this [to get away with the money] but our guess is they thought this component would buy them some time,” Charlie Harrow, solutions manager for global security at NCR, the manufacturer of the ATMs in question said.
The crooks then used a virgin smartphone, specifically a Samsung Galaxy S4, although presumably other devices could be used as well as long as they have comparable processing power. The smartphone was then attached to the ATM and used as a conduit to send commands to the ATM to dispense cash.
The ATM could then be hacked remotely at almost any time by the person with the smartphone. Given that the crooks would need to be nearby to grab the dispensed cash, the reason for this may come down to control.
“There is no honor among thieves, and these guys will delegate responsibility,” Harrow stated. “That way, you have the Mr. Big back at the hideout who’s sending the commands, and the mules are the ones at the ATMs. So the mule who has the black box is unable to activate the attack unless he gets the command from the Mr. Big, and the mobile phone is the best way to do that.”
Increased ATM security is needed
There are, multiple ways to hack and ATM. The phone itself is just a device that can issue the commands to an ATM that fool it into dispensing cash. A few months back, a hacker in Tennessee discovered a specific set of key commands that makes the ATM think it is dispensing $1 bills, when it is actually releasing $20s.
That hack specifically targeted machines manufactured by Trident and Tranx Technologies. The new attacks with a smartphone targeted machines built by NCR.
To its credit, NCR is warning customers that plan to deploy ATMs in unmonitored areas to consider wall mounting the units as opposed to stand alone machines. NCR also issued a recent patch that improves the encryption of its ATM cores.
The improvements will help, but there will always be hackers and thieves out there that find a way around the safeguards.
“All things considered, this is a pretty cheap attack,” Harrow said. “If you know the right commands to send, it’s relatively simple to do. That’s why better authentication needs to be there.”