Thursday, November 13, 2008

How Does Your ATM Uplink? Or "Physical Security Humor As An Installation Art Form"

A recent trip to the ATM resulted in an interesting receipt as the ATM crashed. Note the debugging information providing connectivity details for the ATM. In and of itself, this wasn't a real issue, but it was interesting to see, as the ATM appeared to be working properly.

Once this three foot long error receipt printed however, we noticed something more interesting about the ATM.

That deep dark space to the left of the ATM contained networking devices, including the network uplink. Since this is a third party ATM on private property, it was not connected to the building's network.

The devices appear to include some form of serial or parallel device, an ethernet to PCMCIA bridge with an AT&T wireless cell card, and an antenna with a magnet to provide reception from the top of the ATM. Sadly, the strongest physical security control here is the sheer amount of dirt present. Nothing would prevent a malicious (or curious) person from placing a hub between the bridge device and the ATM's link to capture traffic. The cell network card could even be taken and used quite easily. Best of all, the ATM has no coverage with a camera system, and is in an area that is open at all hours of the day.

A number of very simple actions could be taken to greatly improve the security of this ATM and its operations.

  • Secure the connectivity devices and network connections.
  • Install a security camera, either in the ATM or, better, with a vantage point to watch the ATM itself.
  • Prevent the device from providing debugging or error messages without entry of an administrative code or key.

No comments: