Vulnerability Development mailing list archives

Re: Modern hw-killing virus feasible


From: Ian Kayne <Ian.Kayne () SOFTLAB CO UK>
Date: Thu, 8 Mar 2001 09:46:57 -0000

This is an interesting point. AT&T provide a lot of those kind of
cash-machines here in the UK, and I have the following on good authority
(half our company came from AT&T a few years ago)

There has recently been a problem in the UK that has necessitated the
re-programming of a bunch of ATMs. I'll take the NatWest bank, as I know
this is a valid example. NatWest recently implemented full colour LCD screens,
all kinds of "order a new cheque book", "get a mini statement" etc etc
features. However, in their infinite wisdom, no-one bothered to check the
compatibility of all these extra features in the "real world". When these
machines were deployed, it was discovered that if you go in and out of some
menus, ask for a ministatement printout (a bit of paper showing the last 15
transactions), then some cash, it would work fine. However, the next person
that came along, as soon as they put their card in the machine and entered
their pin number, the ATM would automatically give them the same amount of
cash as the previous person received, without being prompted to.

Ie: Bob goes to cash machine, puts card & pin number in, gets a
ministatement, and withdraws £20 cash. Jon then goes to the machine, puts
card & pin number in, and instantly the ATM gives him £20.

Now, this is nothing as juicy as Jon not being debited for the £20 quid, but
something else of interest. Apparently, when Bob returns to a cash machine,
his last actions are stored either on his card or on the ATM network, and
the machine instantly spits out £20 again. Once it has done this, everything
returns to normal.

To my interpretation, this sounds like a buffer overflow - the ATM can't
handle the amount of data it has to store, therefore something has to give.

Which is why any NatWest customers here in the UK will suddenly notice that
their mini-statements only give the last 6 entries instead of the usual 10
or 15. This change was rolled out under the guise of "customer demand".
Hmmmm.

So, seeing as data is stored on your cash card & read by the ATM, would it
be possible to create some kind of overrun attack?

Just a thought...

Ian Kayne
Technical Specialist - IT Solutions
Softlab Ltd - A BMW Company


-----Original Message-----
From: Jon O. [mailto:jono () MICROSHAFT ORG]
Sent: 07 March 2001 05:13
To: VULN-DEV () SECURITYFOCUS COM
Subject: Re: Modern hw-killing virus feasible


A flash/bios virus may not be new or feasible right now (delivery issues)
but it brings up a good point.

There hasn't been a lot of thought given to protecting digital assets
other than what we consider the internet or networks. However, once you
become dependent on a thing, you can be controlled by that thing. We are
very dependent on POS (Point-Of-Sale) devices and networks, ATM machines,
etc. which provide a much better form of delivery. These devices are
networked and allow media transfers from untrusted parties.

This may sound impossible or not feasible, but I'm sure most of you read
about Direct TV sending a couple bytes to blow hacked systems up (needless
to say, they have 'fixed' the DTV countermeasures). People (you know who
you are) are always finding ways to hack Palm Pilots, Benz door locks,
etc. and it's just a matter of time before someone goes after POS network
interfaces.

For example, some free standing ATM machines actually dial-up (yes, you
can hear the modem dial and the connection hiss) connections to the
network. An ATM technician even told me that the line from the wall to the
ATM, which is usually protected, was a T-1. When asked if someone could
just pull it and hook back in, he stated that it would send an alarm to
the CO, but a bridge would work fine.

Does anyone have more information about these devices and what kind of
risk we may actually be exposed to?


Thanks,
Jon


http://www.securityreports.com


On Tue, 6 Mar 2001, Bart wrote:

Hi,

Doesn't seem anything really new. The CIH Virus
( http://vil.mcafee.com/dispVirus.asp?virus_k=10300 ) written in 1998 did
something like what you are describing. On a set date it tried to flash the
bios with garbage, making the infected pc unable to boot.

A lot of hardware can probably be killed this way, as a lot of hardware these
days have flashable eeproms. The only problem is that they have various
ways of flashing the eeprom, thus making it (virtually) impossible for a
virus to have a generic (flash-)payload for a lot of hardware.

Kind Regards,

Bart

-----Original Message-----
From: VULN-DEV List [mailto:VULN-DEV () SECURITYFOCUS COM] On Behalf Of Pavel
Machek
Sent: Monday 5 March 2001 23:34
To: VULN-DEV () SECURITYFOCUS COM
Subject: Modern hw-killing virus feasible


 Hi!

 Current DVD-regioning system provides *very* easy possibility for
 virus to render hardware unusable. Current DVD-roms allow setting
 DVD region for limited number of times.

 Imagine virus, that switches DVD between japan-region and asia-region
 as many times as it can. It would leave DVD locked either to japan or
 asia, effectively making it unusable for european/us citizen.

 Long time ago, rumors went that it is possible to kill harddrive by
 software. Then, old monitors could be damaged by software by
 misprogramming them (but damage would take lot of time). Now DVDs
 provide effective way for software making them unusable. Pretty sad.

      Pavel

--
I'm pavel () ucw cz. "In my country we have almost anarchy and I don't care."
Panos Katsaloulis describing me w.r.t. patents at discuss () linmodems org




