Saturday, January 10, 2015

Security Theater: ATM Admin Panel Publicly Accessible

...SecuritySensesTinglingDroolingIntensifies...

During a stop at my local national chain gas station I found this inexplicable ATM configuration. I did my best to obfuscate a lot of the detail while preserving the details are "there". I also scratched out areas where the chain name is easily seen.

I would've gotten closer, but I didn't want to look like I was casing the place. There is little difference between security research and premeditation. Not to mention, I was not authorized to try and untangle this security rats nest. Observation is all I could really do.

What you see is the backside of the outside facing ATM. You can also see a touchscreen access panel that, at the time, was giving a number of interesting error codes. The top half seems to be a simple double wafer lock. Based on this talk the key could likely be purchased on the Internet for about $10. There are notes on the ATM regarding how and when to put it in supervisor mode, its ID, who to call for support, etc. The supervisor mode is activated by the rear touch screen.

Sure, there are cameras. Sure, there are people in the store. Sure, the cash is in the vault at the bottom and is better protected. However, I would bet if I walked in looking like an ATM repair guy and introduced myself they would be all too happy to let me go about my business. ATMs are not the bastion of security people think they are and they need to have better security than this. Recently two teenagers "hacked" ATMs using the manufacturer default passwords. At Defcon 18 there was a wonderful demo on remotely "jackpotting" ATMs to get them to spit out all their cash. All you needed in the demo was access to that top box and a little know how. Recently these attacks have shown up in Europe.

This is security theater. It makes you feel safe using the device while completely lacking in common sense security.

No comments:

Post a Comment