PowerOn Protector System

Manages (and scales) security on devices for your network.

Background

The BIOS (Basic Input/Output System) is the first piece of software loaded into memory when any commercial computer starts up, and it physically resides on the motherboard. This software is responsible for connecting all the input and output devices to each other before the operating system starts loading. Because it operates at a very low level, it has full control over all devices, so if it is compromised, an intruder or attacker controls the system completely and without restrictions.

A BIOS infection is practically impossible to detect and disinfect, so the benefits to an attacker are considerable, which is why the most recent attacks look for different ways to exploit and access this part of the system.

ATM security

There is special software that protects ATMs by enforcing several restrictions, including whitelisting with application control to block unauthorized applications, restricting attempts to connect peripheral devices such as a keyboard or mouse, and limiting network connections with a firewall. The software is used in more than 80,000 cash machines worldwide. However, the most important vulnerability is found in the bank's own employees.

These engineers or support staff have complete access and the know-how to get into the ATM, and they take advantage of this to steal the cash. Normally these attacks are carried out outside business hours; however, the credentials remain the same, and that allows these people to break the security of the ATM.

The attackers don't need to write an exploit or anything so complicated. As they have access to the machine, they execute a more dangerous attack: the BIOS attack.

BIOS Attack

There are many ways to attack the BIOS; however, when it comes to ATMs, time is a very important factor, and an attacker does not have enough time to execute all the available attacks. So the most common attack is a boot loader attack: Boot Loader Corruption Attack or Device Boot Manager. This type of attack is perpetrated through a physical slot in the attacked machine or through the network. The most common are those delivered via PXE network boot.

PXE is a network-enabled boot environment that leverages a server running DHCP (to provide an IP address to the client), TFTP (to load the bootstrap configuration), and some sort of file share protocol such as NFS to serve up the operating system image files. The image below illustrates the sequence of events for a PXE boot.

BIOS Attack on an ATM

A PXE attack is executed when an attacker has access to the switch to which an ATM, a safe or a high-security server is connected, or direct access to the computer's network port (the first case is the most common):

The attacker has a bootable ISO, which can be of 2 types:

  • An ISO with rainbow tables: once the system is started, the attacker starts the cracking process to obtain the OS passwords using these tables. The attacked computer is then rebooted, the credentials are used to log in to the system, and finally the computer's resources and information are available.
  • An attack ISO such as Kali Linux or another Linux distribution intended for system hacking: with this distribution the attacker can take control of the computer's original file system and thus of the resources of the attacked system.

Once the attacker has access to the ATM, they are able to take all the cash that is available in the machine.
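
The PXE sequence described above begins with a DHCP reply that names a boot server and a boot file, which is something a monitor on the ATM network segment can check. The following Python code is an added example, not part of the original article: it parses a DHCP reply and flags a network-boot offer that comes from a server outside an allowlist. The addresses, `AUTHORIZED_BOOT_SERVERS`, `build_reply` and the sample packets are constructed assumptions.

```python
import ipaddress
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"
# Assumption: the only hosts allowed to answer PXE clients on the ATM segment.
AUTHORIZED_BOOT_SERVERS = {"10.20.0.5"}

def parse_dhcp(payload: bytes) -> dict:
    """Parse a BOOTP/DHCP message (UDP payload) into the fields PXE relies on."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    msg = {"op": payload[0],
           "next_server": str(ipaddress.IPv4Address(payload[20:24])),  # siaddr field
           "bootfile": payload[108:236].split(b"\x00", 1)[0].decode("ascii", "replace"),
           "options": {}}
    i = 240
    while i < len(payload) and payload[i] != 255:       # 255 = end option
        if payload[i] == 0:                             # 0 = pad, has no length byte
            i += 1
            continue
        if i + 1 >= len(payload) or i + 2 + payload[i + 1] > len(payload):
            raise ValueError("truncated option")
        msg["options"][payload[i]] = payload[i + 2:i + 2 + payload[i + 1]]
        i += 2 + payload[i + 1]
    return msg

def rogue_pxe_offer(payload: bytes):
    """Return a finding if a boot file is offered by an unlisted server, else None."""
    msg = parse_dhcp(payload)
    opts = msg["options"]
    if msg["op"] != 2 or opts.get(53) not in (b"\x02", b"\x05"):  # reply: OFFER or ACK
        return None
    bootfile = opts.get(67, b"").rstrip(b"\x00").decode("ascii", "replace") or msg["bootfile"]
    if not bootfile:
        return None                                     # address lease only, no network boot
    sources = {msg["next_server"]}
    if len(opts.get(54, b"")) == 4:                     # option 54 = DHCP server identifier
        sources.add(str(ipaddress.IPv4Address(opts[54])))
    if 66 in opts:                                      # option 66 = TFTP server name
        sources.add(opts[66].rstrip(b"\x00").decode("ascii", "replace"))
    unknown = sorted(sources - AUTHORIZED_BOOT_SERVERS - {"0.0.0.0"})
    return f"boot file {bootfile!r} from unauthorized {', '.join(unknown)}" if unknown else None

def build_reply(server: str, next_server: str, bootfile: str) -> bytes:
    """Constructed sample data: a minimal DHCPOFFER carrying a boot file name."""
    ip = lambda a: ipaddress.IPv4Address(a).packed
    fixed = struct.pack("!4BIHH4s4s4s4s16s64s128s", 2, 1, 6, 0, 0x1234, 0, 0, bytes(4),
                        ip("10.20.0.77"), ip(next_server), bytes(4), bytes(16), bytes(64),
                        bootfile.encode())
    return fixed + MAGIC_COOKIE + bytes([53, 1, 2, 54, 4]) + ip(server) + b"\xff"
```

Fed from a capture of UDP ports 67/68 on the ATM VLAN, a non-`None` result is the signal to alert on.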


How to protect the ATM from a BIOS Attack

Once the system is compromised, the probability of detecting the attack or of returning the system to its original state is extremely low. This is why the different brands that manufacture or assemble motherboards have proposed different methods of protecting the BIOS.

There are different ways to secure the BIOS against these attacks. Password protection for the BIOS and boot loader can help prevent unauthorized users with physical access to the system (ATM) from executing the BIOS attack (booting from removable media, gaining root access through single-user mode).

However, the security measures available to protect an ATM against such attacks depend as much on the confidentiality of the information as on the location of the physical machine.

Therefore, the first method of protection relies on the BIOS password.

There are platforms that use different programs to perform low-level tasks more or less similar to those of the BIOS on x86 systems. For example, Intel® Itanium™-based computers use the Extensible Firmware Interface (EFI), and with this EFI method it is possible to protect the BIOS.

Other protection methods available for the BIOS are those offered by the motherboard manufacturers. They are based on validating the operating system image that will be loaded, always preceded by a password.

What is the problem with these methods?

The problem with these control methods is simple: the confidentiality of the BIOS password. When the intruder or attacker is an insider or an administrator of the equipment or of a set of equipment (ATMs), confidentiality is lost, because he is the one who manages the password.

This is the main problem that banks have to face: 90% of ATM attacks of this type are carried out by support engineers who have all the know-how of the machine, including any startup password that protects the BIOS. For that reason, the BIOS password is not a method of protection.

The most effective method of protecting any BIOS is to make good use of its password; however, when this password is known by the attacker, confidentiality is compromised.

As a result, banks have this serious vulnerability in their ATMs. The result of this attack is the total loss of the money stored in the ATM, which can reach 100,000 dollars.
