In search of riches, hackers plant 4G-enabled Raspberry Pi in bank network
Technology
31
Beiträge
25
Kommentatoren
4
Aufrufe
-
This post did not contain any content.
-
This post did not contain any content.
So they just plugged it directly into the same network switch the ATM is on? That sounds incredibly dumb. The only ATMs I've seen the inside of had the network switch locked inside with the vault.
Also our bank had some kind of port security so if it wasn't a recognized MAC address, the port just switched off.
-
So they just plugged it directly into the same network switch the ATM is on? That sounds incredibly dumb. The only ATMs I've seen the inside of had the network switch locked inside with the vault.
Also our bank had some kind of port security so if it wasn't a recognized MAC address, the port just switched off.
Also our bank had some kind of port security so if it wasn't a recognized MAC address, the port just switched off.
And serious company will have this as basic security. It's a fundamental function even available on your consumer grade router at home. While it's overkill for that use, it's basic security for a company.
That's why it's not surprising at all that a bank didn't bother to do that. Banks have some of the most egregious security issues.
-
Also our bank had some kind of port security so if it wasn't a recognized MAC address, the port just switched off.
And serious company will have this as basic security. It's a fundamental function even available on your consumer grade router at home. While it's overkill for that use, it's basic security for a company.
That's why it's not surprising at all that a bank didn't bother to do that. Banks have some of the most egregious security issues.
... Which financial company do you work for?
-
... Which financial company do you work for?
That’s why it’s not surprising at all that a bank didn’t bother to do that. Banks have some of the most egregious security issues.
-
This post did not contain any content.
Ah yes, the most devious of exploits, the bind mount.
-
So they just plugged it directly into the same network switch the ATM is on? That sounds incredibly dumb. The only ATMs I've seen the inside of had the network switch locked inside with the vault.
Also our bank had some kind of port security so if it wasn't a recognized MAC address, the port just switched off.
i’d have said that’s less important than TLS or something on your ATM, a VLAN for ATMs that can only access specific services, and all ports not on a VLAN just disabled
really you just want to stop traffic from being sniffed (stolen credentials) and spoofed (“correct - dispense $10000”), and then to make sure it and nothing adjacent to it can access less robust services… beyond that, you just have to assume nothing. the services that an ATM connects to should be robust enough that they do all the validation - the ATM is pretty dumb (kinda in the same way as your browser on your computer: it gets no decision making to access your bank; just is input and output)
MAC addresses are easy to spoof, and physical security is pretty difficult on something like an ATM that’s publicly accessible… plugging into a switch should honestly be a nothing burger… having it publicly accessible - even on the same VLAN as an ATM - shouldn’t be a problem other than defence in depth
-
Also our bank had some kind of port security so if it wasn't a recognized MAC address, the port just switched off.
And serious company will have this as basic security. It's a fundamental function even available on your consumer grade router at home. While it's overkill for that use, it's basic security for a company.
That's why it's not surprising at all that a bank didn't bother to do that. Banks have some of the most egregious security issues.
i’d argue that any serious company wouldn’t really bother with MAC identification… they’re so easy to spoof that it adds to operational overhead far more than the benefit it brings
more likely with these things you’d have a VLAN mapped to a physical port, and if that port were disconnected you’d instantly get a notification and send someone to check it out
-
i’d argue that any serious company wouldn’t really bother with MAC identification… they’re so easy to spoof that it adds to operational overhead far more than the benefit it brings
more likely with these things you’d have a VLAN mapped to a physical port, and if that port were disconnected you’d instantly get a notification and send someone to check it out
Spoofing a MAC is easy but it still requires knowing both what an existing valid address is, and ensuring that it's not already connected to the network. It's only operational overhead when a new device is onboarded, after that the impact is minimal.
A policy that requires sending a tech is fine, but if you have hundreds or thousands of individual locations then you aren't going to have a tech onsite at every one of them to quickly check and fix an issue, and you don't really want to have to trust an end user to verify and/or make physical changes on site if you can avoid it.
-
That’s why it’s not surprising at all that a bank didn’t bother to do that. Banks have some of the most egregious security issues.
Remember when John Stewart only had SOME grey hair?
Hey, no judgement. 2020 had my hair looking like santa claus.
-
Remember when John Stewart only had SOME grey hair?
Hey, no judgement. 2020 had my hair looking like santa claus.
Don't stress mate. We've all aged in the 20 years between 2019 and 2025.
-
So they just plugged it directly into the same network switch the ATM is on? That sounds incredibly dumb. The only ATMs I've seen the inside of had the network switch locked inside with the vault.
Also our bank had some kind of port security so if it wasn't a recognized MAC address, the port just switched off.
Yup, this is the way. Pretty crazy a bank doesn't have proper security lol
-
Spoofing a MAC is easy but it still requires knowing both what an existing valid address is, and ensuring that it's not already connected to the network. It's only operational overhead when a new device is onboarded, after that the impact is minimal.
A policy that requires sending a tech is fine, but if you have hundreds or thousands of individual locations then you aren't going to have a tech onsite at every one of them to quickly check and fix an issue, and you don't really want to have to trust an end user to verify and/or make physical changes on site if you can avoid it.
Don't really need to send a tech immediately. More efficient to get a gas station clerk (or whoever works where the ATM may be located) to verify nobody is trying to fuck with it on-site and they didn't lose power/internet at their location, before escalation.
-
Also our bank had some kind of port security so if it wasn't a recognized MAC address, the port just switched off.
And serious company will have this as basic security. It's a fundamental function even available on your consumer grade router at home. While it's overkill for that use, it's basic security for a company.
That's why it's not surprising at all that a bank didn't bother to do that. Banks have some of the most egregious security issues.
You would be surprised how many companies don't even have something fundamental like a custom SSID and password, or a backup, etc.
-
You would be surprised how many companies don't even have something fundamental like a custom SSID and password, or a backup, etc.
Oh I wouldn't be surprised at all, most businesses are pretty small. I would be surprised if a Bank was that irresponsible, although not very surprised.
-
Spoofing a MAC is easy but it still requires knowing both what an existing valid address is, and ensuring that it's not already connected to the network. It's only operational overhead when a new device is onboarded, after that the impact is minimal.
A policy that requires sending a tech is fine, but if you have hundreds or thousands of individual locations then you aren't going to have a tech onsite at every one of them to quickly check and fix an issue, and you don't really want to have to trust an end user to verify and/or make physical changes on site if you can avoid it.
This is still trivial. A Pi with 2 NICs and a Linux bridge. Using the 2 ports, effectively put the Pi in between the device you want to spoof and the rest of the network. Now you can see the traffic, the MAC addresses etc.
-
Don't stress mate. We've all aged in the 20 years between 2019 and 2025.
2019? Wow. That's in the before times.
-
i’d have said that’s less important than TLS or something on your ATM, a VLAN for ATMs that can only access specific services, and all ports not on a VLAN just disabled
really you just want to stop traffic from being sniffed (stolen credentials) and spoofed (“correct - dispense $10000”), and then to make sure it and nothing adjacent to it can access less robust services… beyond that, you just have to assume nothing. the services that an ATM connects to should be robust enough that they do all the validation - the ATM is pretty dumb (kinda in the same way as your browser on your computer: it gets no decision making to access your bank; just is input and output)
MAC addresses are easy to spoof, and physical security is pretty difficult on something like an ATM that’s publicly accessible… plugging into a switch should honestly be a nothing burger… having it publicly accessible - even on the same VLAN as an ATM - shouldn’t be a problem other than defence in depth
Ahh, i remember how my older brother locked down my internet access after midnight on behalf of my parents, boasting about having set up a MAC-address whitelist in the router some 15 years ago.
About a week later or so he proceeded to play Battlefield 3 on his early Samsung smartphone all night during summer holidays.
-
This post did not contain any content.
This is quite an awesome attack if you think about it.
-
This post did not contain any content.
Don't give hackers a bad name.
