Saturday, December 12, 2009

Hacking thoughts - Insecure ATM port

Warning:  These are just random thoughts and with lot of presumptions; readers are advised that trying/doing similar activity would be a serious criminal offense and finally I am not a native speaker of English and may have used colloquial words hence no arguments on English usage.

I used an ATM today; this machine of a major Indian private bank was located on the premise of its branch. As I finished and turned to exit I noticed network patch cords connected to the ATM NIC were exposed; it shouldn’t be like this … someone could

a) Take a picture (like I did) and shout at the bank about the lack of cable security
b) Yank out the cord and get the ATM out of order temporarily
c) Rig the I/O (network socket) by connecting a HUB & AP (power socket was inches away) and hack into the bank network

Third is serious stuff, I wondered how one could accomplish this task? here is a possible way...

Requirements:

Steps:

1) Select a Sunday night
a) Not much of traffic b) Detection may happen only well into business hours on Monday. 

2) Get into the ATM with a companion on crutches
He needs help and this takes care of the security guard.

3) Let the companion use the ATM (just fiddling around like operating) meanwhile do something like dropping papers on the floor and under the pretext of gathering them up; quickly connect the equipment (HUB, AP & power) move something inconspicuous like wastepaper bin (there is usually one) to hide them from normal view.
This takes care of the camera (you are out of the view and just picking up some papers) and the casual glance of anyone (wastepaper bin blocks the gear)

4) Sit in a parked car within range of the AP (I saw a good quiet lane across the road), and…

4a) Check for vulnerable hosts online, PWN and get data, plant back-doors, c&c,…

4b) Or simply capture packets from the ATM interface to check for valuable information


Idea of this post is just to look at the possibility hence kept simple; but this requires lot of skill (which I don’t have :-) ) and may turn out to be taken as FUD phenomenon.

I plan to inform the bank about this weakness let me see how they view it.

Posted via email from Ramki's posterous

No comments:

Post a Comment