My first job was being a field technician for a bank automation supplier.<p>We had a "test" card that could be insert on the eprom socket. This small card was almost the same size of the original chip but had a few buttons that allowed us to make the mechanism deliver notes in order to fine tune it.<p>In a particular ATM design used by major banks in Brazil, this location were accessible by removing a front panel, although you would have to be kind of a contortionist in order to plug it.<p>Why we can find whole ATMs at junkyards is beyond me: there are many easy to spot flaws. They should grind everything when decommissioning this kind of equipment.
> They found that the machine’s only encryption was a weak XOR cipher they were able to easily break, and that there was no real authentication between the machine’s modules.<p>This reminds me of many many years ago some guy in a bimmer forum figured out BMW's iDriver music file formats (BR3/BR4/BR5) were simply DRM'd via XOR.[1] I was able to verify it via a simple script. Kudos to the reverse engineering masters!<p>[1]: <a href="http://www.e90post.com/forums/showthread.php?t=279294#5" rel="nofollow">http://www.e90post.com/forums/showthread.php?t=279294#5</a>
I'm not terribly shocked.<p>Most communication happens either at serial, SPI, or i2c busses. If it's cars, CAN.<p>And if you can plug in a wire somewhere, you can damage or pwn it. Most things don't have security, other than software security and physical locks. And even when there is other types of security, like cryptokeys and such, physical wires can usually bypass even those.<p>If they wanted something that was secure, they could do that glass mesh thing the ORWL does, and have some sort of black dyepack on the money that explodes everywhere. Go for "we ruin so you cant have". But then again, I could see criminals pissed off and taking a hammer primarily to ruin their money, and cause customer consternation.
>Computer security experts have long warned that no computer should be considered secure if an attacker takes physical control of it.<p>I think the lack of physical security is more surprising than the lack of electronic security. A three-inch hole is pretty big, all things considered. I have to imagine that ATMs are designed to resist drilling three inch holes through to the money or the dispenser mechanism. Why isn't the computer protected to similar degree?
I am currently designing food machines, which have security concerns equal to financial machines in some senses (you don't want people to get poisoned through environmental contaminants, malicious reprogramming, etc.).<p>The article claims there is essentially no authentication between disparate modules, only simple XOR encryption. That seems a clear fail.<p>In my experience, ATM control boards (I was literally at a factory in China for these a few weeks ago) tend to be custom PCBs but there is a move towards genericization. Presumably because their designs tend to date from bygone eras, they do not use software-based approaches in favor of hardware and security through obscurity. Perhaps it is time for a software-oriented modular ATM redesign project with an emphasis on modern internal security? Anyone want to collaborate? Serious question. (I have an existing ATM component factory group potentially on side already.)<p>Second, to 'notice' the independent activity of any given module, power draw should be easy to detect. Again, the lack of such a feature probably harks back to a bygone-era hardware-oriented design psychology.
Ah brings backs sweet memories to Terminator, for real now! IIRC in the movie Connor used some portable Atari with a cable attached to a creditcard to hack an ATM to spit out money.
The Firefighters' Guild has been formed and dissolved repeatedly throughout the history of Ankh-Morpork. Usually formed in response to fires which cause significant damage to large parts of the city, the guild is usually dissolved in response to... er, fires which cause significant damage to large parts of the city. The Guild suffers from the undying capitalist spirit of Ankh-Morpork, as those men who are paid per-fire extinguished eventually begin to guarantee a regular supply of fires to be put out (see also Inn-Sewer-Ants). This has led to the frequent destruction of large portions of the city and ultimately to the Guild's being banned.<p>Seems we need lots of new ATMs, lots of them. And then prayer, for the fire-fighter-guild to not run out of money.
I see these kind of stories floating around from time to time, I wonder how much money is lifted each year from banks this way. It seems to not be significant enough for banks to be proactive about the issue.
Seems like an implementation of that XKCD comic on encryption security: <a href="https://xkcd.com/538/" rel="nofollow">https://xkcd.com/538/</a>
To be fair, drilling a 3 inch hole in a modern ATM is no easy task. We are talking about high-grade steel, a layer of fiberglass, etc. Hence "portable power drill" is a bit misleading.