25th - 26th SEPTEMBER 2019  |  OLYMPIA

How Safecrackers Can Unlock an ATM in Minutes—Without Leaving a Trace

Wired 09 Aug 2019 11:00

Many banks, for instance, enable a setting on the Cencon locks that requires anyone who wants to open an ATM safe to first insert a so-called iButton device into the port on the lock's side, a kind of two-factor authentication token. But Davis says his attack can read the code that the CPU uses to check that device just as easily as it reads the combination itself, so he can still obtain all the information he needs to unlock the safe.

A second generation of the Cencon locks, released in 2009, at first presented a far more serious challenge. That version uses AES encryption to protect the lock's combination in memory, Davis says, so that it can't be read when it's transferred to the CPU. He found that it was possible to use a different form of power analysis to extract the AES key and decrypt the combination, but only after several readings and days of analysis, which wouldn't be a very realistic attack. But Davis says he found a shortcut just two months ago that allows him to extract the lock's data despite its encryption in just a few minutes. He declined to share details of that discovery in his talk or to WIRED, since he says he hasn't yet disclosed the attack to Dormakaba.
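The article says only that a "different form of power analysis" recovered the second-generation lock's AES key, and that it took several readings and days of analysis; it does not say which variant Davis used, and the shortcut he found is undisclosed. The block below is an added illustration, not IOActive's or Dormakaba's code: it simulates a textbook correlation power analysis (CPA) against the AES SubBytes step, using a Hamming-weight leakage model on constructed traces (one noisy sample per state byte, a secret key chosen for the demo, and a fixed random seed), to show why a key protected "in memory" by AES still leaks through power consumption when the CPU processes it.

```python
"""Simulated correlation power analysis (CPA) against AES SubBytes.

Added example. The traces are constructed, not measured from any lock;
the leakage model (Hamming weight of the S-box output plus Gaussian noise)
and the key are assumptions made for the demonstration.
"""
import random


def _gf_mul(a, b):
    """Multiply two GF(2^8) elements modulo x^8 + x^4 + x^3 + x + 1."""
    r = 0
    for _ in range(8):
        if b & 1:
            r ^= a
        a = (a << 1) ^ (0x11B if a & 0x80 else 0)
        b >>= 1
    return r


def _build_sbox():
    """AES S-box from the GF(2^8) inverse followed by the FIPS-197 affine map."""
    inv = [0] * 256
    for a in range(1, 256):
        for x in range(1, 256):
            if _gf_mul(a, x) == 1:
                inv[a] = x
                break
    sbox = []
    for a in range(256):
        x = inv[a]
        s = x
        for i in range(1, 5):
            s ^= ((x << i) | (x >> (8 - i))) & 0xFF  # rotate-left by i bits
        sbox.append(s ^ 0x63)
    return sbox


SBOX = _build_sbox()
HW = [bin(v).count("1") for v in range(256)]  # Hamming weight of each byte


def simulate_traces(key, n_traces, noise_sigma, rng):
    """Constructed leakage: for each of the 16 state bytes, one sample equal to
    HW(SubBytes output) plus Gaussian noise. Real traces are long time series;
    the attacker first has to locate the sample at which each byte leaks."""
    plaintexts = [[rng.randrange(256) for _ in range(16)] for _ in range(n_traces)]
    traces = [[HW[SBOX[p[i] ^ key[i]]] + rng.gauss(0.0, noise_sigma) for i in range(16)]
              for p in plaintexts]
    return plaintexts, traces


def pearson(xs, ys):
    """Pearson correlation coefficient; 0.0 when either series is constant."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    vx = sum((x - mx) ** 2 for x in xs)
    vy = sum((y - my) ** 2 for y in ys)
    if vx == 0 or vy == 0:
        return 0.0
    return cov / (vx * vy) ** 0.5


def cpa_recover_byte(pt_bytes, samples):
    """Rank all 256 guesses for one key byte by |correlation| between the
    predicted Hamming weights and the measured samples; return (guess, score)."""
    best_k, best_r = 0, -1.0
    for k in range(256):
        hyp = [HW[SBOX[p ^ k]] for p in pt_bytes]
        r = abs(pearson(hyp, samples))
        if r > best_r:
            best_k, best_r = k, r
    return best_k, best_r


def cpa_recover_key(plaintexts, traces):
    """Recover the full 16-byte key one byte at a time (each byte is independent)."""
    key = []
    for i in range(16):
        k, _ = cpa_recover_byte([p[i] for p in plaintexts], [t[i] for t in traces])
        key.append(k)
    return bytes(key)


def demo(seed=2019, n_traces=250, noise_sigma=1.0):
    """Run the attack on constructed traces; returns (recovered_key, secret_key)."""
    rng = random.Random(seed)
    secret = bytes(range(0x10, 0x20))  # constructed demo key, not a real one
    pts, trs = simulate_traces(secret, n_traces, noise_sigma, rng)
    return cpa_recover_key(pts, trs), secret


if __name__ == "__main__":
    recovered, secret = demo()
    print("recovered", recovered.hex(), "correct" if recovered == secret else "WRONG")
```

The attack needs nothing from the encrypted data itself: every guess for a key byte predicts a power level for every recorded operation, and only the right guess correlates with what was measured. The number of traces required grows as the noise variance rises relative to the signal, which is the kind of "several readings and days of analysis" cost the article describes for the second-generation Cencon lock; a countermeasure has to break the link between the processed value and the power draw (masking, random delays, constant-current regulation) rather than merely encrypt the value at rest.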

Finally, Davis examined a third family of Kaba Mas locks known as the X-0 series, intended for government customers. According to Dormakaba marketing materials, the company has sold nearly 1 million units of the X-0 series, and it's been used in settings as sensitive as the Pentagon, the National Security Agency, the Central Intelligence Agency, Air Force One, and even to protect launch codes on US nuclear submarines. Davis found that his attack didn't work on the oldest lock in the X-0 family, due to a different internal architecture. He wasn't able to obtain the most recent lock in the series, the X-10, due to restrictions on its sale, and so did not test it.

"I don’t think I’m giving anyone a loaded gun."

Mike Davis, safe hacker

But for the X-08 and X-09 locks, released in 1999 and 2002, Davis found that his voltage-leakage attack worked. Thankfully, the process was significantly more difficult than on the Cencon or Auditcon models. Since the X-0 series locks have no physically accessible ports, Davis had to remove the LCD screen, attach his probes to the wires that connected to that display, and then use some extra electrical engineering tricks to cancel out the "noise" of the signals driving that screen before he could read the underlying voltage leakage that reveals the combination. Davis estimates the full process takes an hour, and it leaves behind a far more obvious mess of wires than his stealthier Cencon and Auditcon cracking techniques.

When WIRED reached out to Dormakaba, the company responded in a statement that it's been working with ATM manufacturers for seven months to address IOActive's findings, and found no evidence that Davis' cracking techniques had been used in any actual break-ins. "Our investigations and customer communications have addressed both current and prior year models," reads the statement from Jim Mills, Dormakaba's senior vice president for product development access solutions for the Americas. "Additionally, there have been no reported events in the field to suggest that current or previous models have presented security issues in real-world environments." The company didn't respond to follow-up questions about how it's fixing the flaws, or whether it has notified all of its customers.

The General Services Administration, which handles the acquisition of technology like Dormakaba's locks for government agencies, wrote in a statement to WIRED that it's also worked to address Davis' findings after he told the GSA about them—but similarly without details. "We are aware of this security issue as it relates to the US government and have developed and deployed mitigation techniques in the federal environment," the statement reads. "The federal government uses multiple layers of security as a physical security best practice. We routinely test these layers of security to identify potential vulnerabilities and take appropriate actions as warranted."
