Security Bug The Almighty Buck

Hackers Break Currency Validator To Pass Any Paper As Valid Euro 162

Posted by Unknown Lamer
from the teeny-tiny-security-hole dept.
Trailrunner7 writes "If espionage is the world's second-oldest profession, counterfeiting may be in the running to be third on that list. People have been trying to forge currency for just about as long as currency has been circulating, and anti-counterfeiting methods have tried to keep pace with the state of the art. The anti-counterfeiting technology in use today of course relies on computers and software, and like all software, it has bugs, as researchers at IOActive discovered when they reverse-engineered the firmware in a popular Euro currency verifier and found that they could insert their own firmware and force the machine to verify any piece of paper as a valid Euro note. 'The impact is obvious. An attacker with temporary physical access to the device could install customized firmware and cause the device to accept counterfeit money. Taking into account the types of places where these devices are usually deployed (shops, mall, offices, etc.) this scenario is more than feasible.'"
  • by mveloso (325617) on Wednesday October 30, 2013 @12:26PM (#45282551)

    I doubt that you'd be able to hang around a cash register with a serial cable and update some device's firmware without someone noticing. At that point why not just update the cash register's firmware and have it give you money directly?

    • by Alsn (911813)

      Who says you need to do it in secret? All you would need to do is convince someone to let you do it, either through being in on it, or some other covert means.

      • by Qzukk (229616) on Wednesday October 30, 2013 @12:36PM (#45282705) Journal

        "Hello, I'm from the maintenance department and I'm here to update your firmware to protect you from the exploit that was recently published on 2013-10-13."

        • by Anonymous Coward

          as in the case of http://en.wikipedia.org/wiki/Ronald_Dale_Harris he worked as a slot tester for the Gaming Control Board and when he came to check the machine he also added his own code with an exploit

          • And how did that work out for him?

            • by Wycliffe (116160) on Wednesday October 30, 2013 @03:12PM (#45284721) Homepage

              And how did that work out for him?

              Don't be so smug. Crimes like these have a reverse survivorship bias. You usually
              only hear about the ones that get caught or at least leave evidence behind.

            • Ok, so let's not be proactive, since we can be reactive instead.
        • by nospam007 (722110) *

          "Hello, I'm from the maintenance department and I'm here to update your firmware to protect you from the exploit that was recently published on 2013-10-13."

          A faster way would be to just give him a 'new' tester and take the old one with you.

        • by Anonymous Coward

          Which is a vulnerability of your employees allowing access to some stranger, not the device itself. The attacker could equally have said he was replacing the device as well. You can't expect the thing to be a magic box that solves all security problems. Security is about everyone, not a silver bullet.

      • by sumdumass (711423)

        Obviously, this happens somewhat a lot. All we need to do is look at the credit card skimmers that get installed on gas pumps and ATM machines. They may not even need a knowing insider either. But it already happens

    • by Moryath (553296)

      Sneakier to modify the reader, because then the register doesn't give you any clues if it's on stock firmware (and someone running a register diagnostic, checking firmware checksum, maybe even checking the firmware flash increment counter will come up blank too).

      The attack here is going to be passing plausible-looking counterfeits to an unknowing person who trusts the reader/register in a "Garbage in, Gospel out" manner that most people approach computers with. Buy something or trick the cashier into making

      • In Euro land, you either pay with your debit card, or you pay cash. If you pay cash, the cashier usually either just puts the bills in the register, or they do a check in a standalone machine to see if the machine approves of the currency. Registers that count money and have a built in validator are rare and only now are starting to appear in bigger supermarkets.

        Crooks here in Europe are very good at firmware updates or hardware modification on POS type equipment. Until very recently our omnipresent debit c

    • by jandrese (485) <kensama@vt.edu> on Wednesday October 30, 2013 @12:39PM (#45282757) Homepage Journal
      Unless this attack is a buffer overflow or something when you put in a particularly formatted note, I don't see the issue. "Oh, you can bypass the bill checker if you break the machine open, pull the ROM chips, and put in new ROM chips!"

      According to TFA, the guy went and analyzed the firmware to discover how it worked, and then noted that you could bypass the check routines in it to always set the "good" pins high. About the only thing even mildly worrying is that there is apparently no crypto lock on the firmware, but a crypto lock on the firmware would be useless if you have physical access to the machine anyway, only slightly complicating the job of redesigning the internals, so that's not saying much. There's a reason these machines are secured with a lock and a sturdy metal case.
      • by sjames (1099)

        You just have to plug in a serial cable. No need to break anything open or swap any chips.

      • by mlts (1038732) * on Wednesday October 30, 2013 @03:02PM (#45284623)

        There are some fairly sane security measures a maker of a security device can do for fairly cheap to ensure that a tampered device isn't going to work without a lot of money and time put in:

        1: If it is something static like a bill checker, take the time to heavily QA the device, including throwing prototypes in the field for a while. Then, just have the firmware burned into a ROM (a true ROM, not an EEPROM, EPROM, PROM, flash, or an OS on a HDD... it goes into silicon and is not modifiable, period.) Of course, a bill checker might need updates when the currency gets a facelift, so a bill checker likely would need some type of upgrade mechanism.

        2: If an update mechanism is needed, TPM chips are not expensive. In fact, some ARM CPUs have them built in. That solves 95% of the problem right there, because if the OS isn't signed, the OS won't be able to decrypt the last stage and boot.

        3: As a subset of #2, the code that allows flashing of ROM images should be in a non-alterable, signed image. This way, if the main OS image has to change, it has to go through the "gatekeeper" image to be written to the boot medium, or it doesn't get on there.

        4: Multiple images. This way, if a flash image is verified and copied to a temporary space and is being copied to the main storage, a power failure doesn't brick the device. The TPM boots, finds the signature of the first image fails, tries the backup, boots from that. The flash process updates both images, so only one would be inoperable during an update at a time.

        5: To prevent flashing to a less secure previous version, the OS image that does the image update work can be set to look at version IDs, or optionally, if the ID is signed with a certain flag, can allow earlier versions to overwrite newer ones, or have beta images be able to be downgraded if needed.

        6: The image flashing would have to be via a physical process, such as a USB connection. This way, devices can't be upgraded over the network, which shuts out a lot of potential exploits.

        I'm sure I've missed a few items, but it doesn't take a lot of engineering to have an update mechanism in place that is tamper resistant.
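The update design sketched in the comment above (a signed image that a fixed gatekeeper verifies before writing, A/B slots so a power failure mid-update cannot brick the device, and a version check that refuses rollback unless the signed header allows it), as an added example that is not code from the article, the vendor or the commenter. It assumes a constructed image layout (magic, version, flags, body, tag) and uses HMAC-SHA256 with a per-device key as a stand-in for the signature; a real device would verify an asymmetric signature so that the key stored on the device cannot also sign images.

```python
import hashlib
import hmac
import struct

# Constructed image layout: header (magic | uint32 version | flags) + body + tag,
# where tag = HMAC-SHA256(device_key, header + body) stands in for a signature.
MAGIC = b"FWIM"
FLAG_ALLOW_DOWNGRADE = 0x01
HDR = struct.Struct(">4sIB")
TAG_LEN = 32

def build_image(key: bytes, version: int, body: bytes, allow_downgrade: bool = False) -> bytes:
    """Produce an authenticated image; only the holder of `key` can make a valid tag."""
    flags = FLAG_ALLOW_DOWNGRADE if allow_downgrade else 0
    header = HDR.pack(MAGIC, version, flags)
    return header + body + hmac.new(key, header + body, hashlib.sha256).digest()

def verify_image(key: bytes, blob: bytes):
    """Return (version, flags, body) for an authentic, well-formed image, else None."""
    if len(blob) < HDR.size + TAG_LEN:
        return None
    header, body, tag = blob[:HDR.size], blob[HDR.size:-TAG_LEN], blob[-TAG_LEN:]
    magic, version, flags = HDR.unpack(header)
    if magic != MAGIC:
        return None
    expected = hmac.new(key, header + body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):  # constant-time comparison
        return None
    return version, flags, body

class PowerFailure(Exception):
    """Simulates the device losing power in the middle of a slot write."""

class Validator:
    """A note validator with two image slots; only this gatekeeper writes to them."""

    def __init__(self, key: bytes, initial_image: bytes):
        self.key = key
        self.slots = [initial_image, initial_image]  # slot A, slot B
        self.active = self.booted_version = None

    def boot(self):
        """Try slot A then slot B; return the slot booted from, or None if bricked."""
        for i, blob in enumerate(self.slots):
            parsed = verify_image(self.key, blob)
            if parsed is not None:
                self.active, self.booted_version = i, parsed[0]
                return i
        return None

    def _write_slot(self, i: int, blob: bytes, fail_after=None):
        # With fail_after set, stop early and leave the rest of the slot erased (0xff).
        if fail_after is not None and fail_after < len(blob):
            self.slots[i] = blob[:fail_after] + b"\xff" * (len(blob) - fail_after)
            raise PowerFailure(f"power lost while writing slot {i}")
        self.slots[i] = blob

    def apply_update(self, blob: bytes, fail_after=None) -> str:
        """Gatekeeper: authenticate, check the version, then write the inactive slot first."""
        parsed = verify_image(self.key, blob)
        if parsed is None:
            return "rejected: bad signature or format"
        version, flags, _ = parsed
        if self.boot() is None:
            return "rejected: no bootable image to compare against"
        if version < self.booted_version and not (flags & FLAG_ALLOW_DOWNGRADE):
            return f"rejected: rollback to v{version} from v{self.booted_version}"
        # The slot we booted from is left alone until the other holds a good copy, so a
        # power failure during either write still leaves one bootable image.
        self._write_slot(1 - self.active, blob, fail_after)
        self._write_slot(self.active, blob)
        return f"applied v{version}"

def demo() -> dict:
    key = b"per-device key (constructed for this example)"
    fw_v1 = build_image(key, 1, b"check length, UV, magnetic strip")
    dev, results = Validator(key, fw_v1), {}
    # An unsigned image patched to "always report good" never reaches the slots.
    patched = HDR.pack(MAGIC, 2, 0) + b"always report good" + bytes(TAG_LEN)
    results["unsigned"] = dev.apply_update(patched)
    # Power fails 10 bytes into writing the inactive slot; slot A still boots v1.
    fw_v2 = build_image(key, 2, b"check length, UV, magnetic strip, new 10 EUR")
    try:
        dev.apply_update(fw_v2, fail_after=10)
    except PowerFailure:
        pass
    results["boot_after_failure"] = (dev.boot(), dev.booted_version)
    results["retry"] = dev.apply_update(fw_v2)
    # Re-flashing the old v1 is refused unless its signed header allows the downgrade.
    results["rollback"] = dev.apply_update(fw_v1)
    results["downgrade_flagged"] = dev.apply_update(build_image(key, 1, b"beta", allow_downgrade=True))
    return results
```

Calling demo() walks the four scenarios in order and returns the gatekeeper's verdict for each.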

    • I used to do small subcontract jobs for extra cash. More than once, I was left alone in a bank branch with the vault open after the employees had left for the day. The only one still around was the manager, and he went outside for 10 minutes for a smoke and a phone call. Again, vault was wide open and less than 10 feet away... not to mentioned unfettered access to all of their PCs and other equipment behind the counter. The only ID check was to see that the name on my driver's license matched the guy they w

    • by mcrbids (148650) on Wednesday October 30, 2013 @12:58PM (#45283029) Journal

      All you have to do is get a technician costume. You know, a big, black bag with lots of tools in it, perhaps a utility belt, a button-up, short-sleeve shirt with a generic company logo on it. Walk up to the unit with a slightly bored expression, casually pull out your cable, and get to work. Pay no attention to anybody around you.

      Chances are, you just might get away with it.

      SOURCE: I watched Burn Notice a few times.

      • by SuperCharlie (1068072) on Wednesday October 30, 2013 @02:05PM (#45283867)
        When I was around 12 or so, my dad was in the army and worked on anti-aircraft systems. One Saturday he needed to get or do something at the shop so he drug me along for the ride. Both of us in our plain clothes. We walked up to the shop, 2 guards patrolling, he said hi, pulled out his keys and opened the door. I was in awe of what I saw inside... 15 M163 Vulcan self-propelled anti-aircraft guns all in a line. We piddled with some things, he started one up and made sure to tell me repeatedly don't stand in front of this... (the radar)... and after an hour or so we left.

        Almost to the car, he said... "you remember those two guards?" "Yes..." I said. "I didn't know them from Adam. You can get away with anything if you look like you know what you are doing."

        A lesson I have remembered all my life and used on more than one occasion.
    • by holmedog (1130941)

      I *think* the point would be to make the modification once and abuse it multiple times. Where accessing the register would work great once, getting this in and sending in multiple pawns with the counterfeited bills could net considerably more money over long term.

      • by Belial6 (794905)
        Until part of logging into the register becomes running a test paper through the tester. This is one of those attacks that would be high risk, high skill, and low payoff.
    • by sjames (1099)

      Put on a jumpsuit and carry a toolbox. There's a fair chance you will be granted access. By the next week when your partners take advantage of it, nobody will remember what you looked like other than "he was wearing a jumpsuit and had a toolbox".

    • by Ant2 (252143)

      Once the machine is open, just take the piles of cash sitting there.

  • Well duh (Score:5, Insightful)

    by PhilHibbs (4537) <snarks@gmail.com> on Wednesday October 30, 2013 @12:27PM (#45282567) Homepage Journal

    If you can physically access and modify a machine, you can change the way it behaves. Is this really news? Can they do it wirelessly? Over the internet?

    • by CastrTroy (595695)
      Of course, now that the vulnerability is known, owners of the machines should be regularly verifying that they work correctly. They should verify that real notes are not flagged as counterfeits, and they should be able to verify that counterfeits do not get verified as legitimate. However, it might be hard to verify, depending on how the machines work. If you reprogrammed the firmware so that all valid notes are verified, but that only counterfeits with your unique ultraviolet ink pattern are legitimate
      • If you reprogrammed the firmware so that all valid notes are verified, but that only counterfeits with your unique ultraviolet ink pattern are legitimate

        but that makes it easier to pin you to other counterfeiting instances where they find those bills with your "signature" on them in a dozen different places. if you weren't using fancy counterfeit bills, then they might only be able to pin you to the place they caught you.

        you would have a similar issue with the bluetooth dongle when they catch you using it. "hey we found those fancy bluetooth things in 3 other stores i bet this guy is responsible for those too!"

        these people often are caught when they get gr

        • by pjt33 (739471)

          The cunning approach would be to make it check for only the easiest to forge markers. E.g. if you make it ignore ultraviolet and just look for the yellow Eurion rings it will accept valid notes and any note which is a reasonable copy.

      • by mjwalshe (1680392)
        or have each machine checked with a dud before as part of the store opening / shift change routine
        • by fatphil (181876)
          Heheh, but I modified the firmware so that the first check of the day returns "dud"!
    • Re:Well duh (Score:5, Insightful)

      by gstoddart (321705) on Wednesday October 30, 2013 @12:46PM (#45282867) Homepage

      If you can physically access and modify a machine, you can change the way it behaves. Is this really news?

      This part of the article is what struck me:

      After watching some videos from the vendor Inves on the machine's operations and reading through the machine's documentation, Santamarta came to the conclusion that some of the security claims the vendor makes were somewhat specious.

      "Unfortunately, some of these claims are not completely true and others are simply false. It is possible to understand how Secureuro works; we can access the firmware and EEPROM without even needing hardware hacking. Also, there is no encryption system protecting the firmware"

      So it sounds more like the company said "our stuff is secure, awesome, and hax0r proof", and someone essentially said "challenge accepted".

      That he could do the initial reverse engineering without ever even having had the device (he downloaded just the free firmware) tells me that this device was pretty ripe for the picking.

    • by tlhIngan (30335)

      If you can physically access and modify a machine, you can change the way it behaves. Is this really news? Can they do it wirelessly? Over the internet?

      Or in this case, when you're in front of the kiosk. Wirelessly is nice, over the internet is nice, but can I, when I'm about to insert my money, update the firmware from that side of the machine? If not, and I have to break into the kiosk to get at it, well, it's not a very interesting hack anymore.

  • by Joce640k (829181) on Wednesday October 30, 2013 @12:27PM (#45282569) Homepage

    Sure... if I'm allowed to take the machine away and modify it I can just replace the electronics with a 555 timer or something. All it has to do is light up a green LED when a piece of paper goes through it.

  • by Anonymous Coward on Wednesday October 30, 2013 @12:32PM (#45282659)

    Politics is the world's second oldest profession, noted for its uncanny likeness to the first.

    • by Chemisor (97276) on Wednesday October 30, 2013 @01:58PM (#45283791)

      You are absolutely right. Here are the top ten similarities between politics and programming:

      • Design is always better than the implementation.
      • Our number generators are random. Really.
      • Polling is a lousy way to gather information.
      • Codes always have bugs and loopholes. When they are found, lawyers are often involved.
      • Old codes never die and never fade away.
      • After failure, always blame the third party.
      • Paying for support is expensive.
      • DRM and vendor lock-in are the best means of increasing sales.
      • Never listen to your customers when they say they want fewer features. They must be lying.
      • Power corrupts. That's why we have checksums and balancing.
  • This sounds like something they could use as the basis for Ocean's 14.
  • by c (8461)

    The next step in the attack process I'd like to see is a design for a counterfeit bill that'll trigger a bug in the firmware causing it to pass the bill. No need for pesky access to the machines in advance.

    • That has a very narrow window of opportunity - basically, from the time the machine is serviced (cash removed and added) until the next time it's serviced. As soon as the money counting room notices your counterfeit bill, countermeasures will begin to be developed. The machine will be replaced and sent for analysis, firmware will get reflashed, ports will get sealed up.

      This is a great hack if your intent is to hire a large number of people to pass counterfeit bills at many machines in the same day, as a o

      • by c (8461)

        This is a great hack if your intent is to hire a large number of people to pass counterfeit bills at many machines in the same day,

        This would be a great hack if your intent was to demonstrate the simplest and least detectable attack against an anti-counterfeiting device, which is a logical follow-through on the "need a few minutes alone with the machine" attack.

        I don't find the money-making angle particularly interesting, myself, nor (apparently) do the people who came up with the firmware hack.

  • Sure.
    You can also just open the box and let the green light blink when it senses a paper.
    Fix: test the machine first with real euros and plain paper.
  • by ugen (93902) on Wednesday October 30, 2013 @12:39PM (#45282749)

    I've got a better "hack" for them. Buy one of these devices (I am sure they are not hard to obtain). When it arrives, update firmware - or better yet, remove internal IC board, and replace with a battery hard-wired to "green light" (or whatever method they use to flag "good currency"). Then come to the store of your choice, and with a sleight of hand replace the device they already have. Presto! Will take a lot less time than "hacking" one at the store.

    Of course, if that's a "hack" - how about just taking a cash register and carrying it off?

  • by wiredlogic (135348) on Wednesday October 30, 2013 @12:40PM (#45282765)

    If you have physical access to the validator it would be easier to skim some bills from the machine and remain undetected rather than modify it to accept fake bills that will be noticed as soon as the owner brings them to a bank.

    • If you have physical access to the validator it would be easier to skim some bills from the machine and remain undetected rather than modify it to accept fake bills that will be noticed as soon as the owner brings them to a bank.

      Ever hear the phrase, "Her register was short"?

      • Bill validators are mostly used on vending and change machines. A typical operator just visits periodically to restock the product dispensed and take the money inside. The validator tracks how much it took in but many require additional hardware to read that information out which most people would be too lazy to bother with. Skimming from a compromised machine is likely to go undetected.

  • "Taking into account the types of places where these devices are usually deployed (shops, mall, offices, etc.) this scenario is more than feasible."

    Yes if they have a lock picking set and gain access to the inside of the device to do the modification first.

    Heck stealing all the gold in Fort Knox is easy as they have the gold bars just laying there, all you have to do is get inside!

  • If I have access to a machine, enough to say, open it up physically, remove the hard drive that runs the computer, and replace it with a doctored one I created, then I can make it do what I want?

    Oh, you mean I don't have to trade the hard ware, just the software?

    And, the sky is BLUE, you say?

    I am shocked, SHOCKED to hear these disturbing facts. Someone should do something.

  • by Necron69 (35644) <jscott.farrow@NOspaM.gmail.com> on Wednesday October 30, 2013 @01:09PM (#45283163)

    Ok, dumb American here. Are 'currency validators' that common in Europe? The only thing that comes to mind here in the US is the 'dollar bill accepters' on vending or change machines. Other than those, I don't think I've ever seen a currency validator on a cash register anywhere. Occasionally, you get a sales clerk who will hold a $20 or $100 up to the light to look for the security strip (in American bills), but that's pretty much it over here.

    - Necron69

    • by freeze128 (544774)
      ...And if you read the summary thinking of a bill validator, you come away with a "DUH! No kidding dummy!" feeling. In order to hack a bill validator, you would need to open the vending machine, remove the bill validator, disassemble the validator, update or replace the rom, then put everything back together again. If you're going to do that, you could just grab the money and a coke after the first step.
      • My first thought too. If the thing the machine sells is worth so much (maybe train tickets), then the money in there is probably still worth more than free tickets until the hack is patched.
    • by swb (14022)

      They sometimes use those pens that are supposed to either leave a mark or not leave a mark if the bill isn't legitimate. I've had that done the few times I've used $100 bills.

    • by Minwee (522556)

      They're pretty common anywhere that money is worth more than the US dollar.

      The simplest ones are little more than an ultraviolet light that you could pass the bill under. Not that much different in principle from holding it up to a light to see the security strip, but significantly more effective.

    • Short answer: Yes, but you'll never notice them.

      Long answer: Any large store (supermarket and up) has one of those things at every cashier station. Typically, low-denomination bills are simply accepted without any non-trivial checks. 50€ and up and you may start raising some flags (50€ banknotes are supposedly, by far, the most common counterfeit of all Euro banknotes) - mostly they'll go in the machine and that's it.

      The "fun" starts with 100€ banknotes - you don't see those much in your aver

    • by pspahn (1175617)

      Yeah, I was wondering about these devices as well. Clicking through a couple links on TFS, I found the Secureuro device that looks not all that different than one of those check (as in checking account) readers.

      I've never seen one of these being used, and the closest thing I could think of that might be the same is the insert cash slot thing on the grocery store self-service checkout kiosks. I doubt you're going to be able to hack those devices physically unless you have an insider to grant access after ho

    • by pjt33 (739471)

      One of the three supermarkets I regularly shop in in Spain uses them. The device is separate from the cash register, and they definitely test notes as low as 20€. I'm not sure whether they also test 10s.

  • We had to farm before we had civilization.

    We had to have civilization before we could have money, and charge to fuck.

    • by Laxori666 (748529)
      You are thinking too narrowly. Who says it has to be for currency? "I will fuck you if you give me food." Better if you imagine it conveyed with body language and grunts vs. English.
      • by metrix007 (200091)

        In that context, food is the currency.

        • by danlip (737336)

          We have observed chimps exchanging food for sex. No civilization, farming, or even language necessary for prostitution.

          • We have observed chimps exchanging food for sex. No civilization, farming, or even language necessary for prostitution.

            We still exchange food for sex, isn't that what date night is?

        • by Laxori666 (748529)
          Well, sort of. In any case, you need neither farming nor civilization to have food. Humans were hunter-gatherers before farmers. Thus YOUR INITIAL POST IS WRONG - YOU ARE DEFEATED - I HAVE WON AN ARGUMENT ON THE INTERNET! OH YES!
          • by metrix007 (200091)

            Hunting and gathering is not farming. Farming is a profession, and is older than prostitution.

            • by fatphil (181876)
              I would contend that he who makes the best spearheads, or makes them most efficiently, would probably be relied upon for making spearheads for many other hunters, and possibly not even have a hunting role himself. So perhaps flint-knapper is the oldest profession? (Wood equivalents too.)

              However, we really don't know how far back prostitution goes, so date comparisons are destined to be uncertain.

              Maybe shaman is the oldest profession?

              A *lot* (in fact everything) depends on how you define "profession", of cou
              • by metrix007 (200091)

                I think it's pretty simple.

                We know that civilization came from agriculture.

                Agriculture...is a job, not just a behaviour.

                Monitoring crops, watering them etc.

                How is that not the first profession?

                • by fatphil (181876)
                  The fact that we were doing a whole range of specialised tasks *before* embarking on agriculture takes the wind out of those sails.
                  • by metrix007 (200091)

                    What? Like what?

                    It is widely acknowledged that civilization stems from agriculture.

                    We really were not doing anything too advanced before agriculture besides fucking, eating and sleeping. Maybe drawing on a wall here and there.

                    • by fatphil (181876)
                      What are you eating? Food doesn't just land on your plate. We were accomplished hunters of animals in pre-agricultural times. And we didn't hunt with our bare hands - we were fashioning spears and other weapons to aid in hunting, and other knives for food preparation and clothing manufacture. We were making rope, and making sleds.

                      There were plenty of specialised tasks to do before we decided to settle down. If you've got specialisation, and a system of quid pro quo, then you've got professions, IMHO.
      • by PPH (736903)

        "I will fuck you if you give me engagement ring."

        FTFY.

  • He put some of the people responsible for the 2008 banking crisis in charge of the places where they can continue to loot the economy. He managed to put a troll in charge of Homeland Security. He managed to put the company that paid 0 in taxes and took more tax credits in charge of economic development. I am certain that if he weren't chasing down the heads of terrorist groups with drones, he would probably put them in charge of the CIA. Do we have anyone charged with being a peeping tom to put in charge o
  • by Anonymous Coward

    So... if people with the right computer skills are given time and access to a computer that decides stuff, they can change how it decides stuff?

    No shit?

  • Counterfeiting ? (Score:4, Insightful)

    by mbone (558574) on Wednesday October 30, 2013 @01:32PM (#45283467)

    If it accepts _any_ piece of paper, I don't see how that is counterfeiting - theft and fraud, sure, but if I make no effort to copy something, how is that still counterfeiting?

  • by mbone (558574) on Wednesday October 30, 2013 @01:35PM (#45283509)

    If you go by buildings, you could make a good case for astronomy / astrology being the oldest profession. Stonehenge, the pyramids, etc., they all either were observatories, or needed a fair amount of astronomical knowledge to build.

    • by danlip (737336)

      Astronomy came after farming. Farming came after hunting and gathering. But prostitution may have occurred any of them. Chimps exchange sex for food. But what do you consider a profession? If you do one thing as your primary source of wealth and barter for other things you need that is a profession. Early farmers more or less took care of all their own needs, but bartered some with the blacksmith, miller, cobbler, etc. Unless you are talking about extremely early farmers. Priests may have been one of the ea

  • I worked in the vending industry for a very long time, and have worked with all sorts of bill and coin acceptors.

    If the stakes are low (parking meters, etc), then a cheapass validator from some random Spanish company (like this one) is probably fine.
    If the stakes are high, get a Swiss-designed Sodeco BNA validator with impeccable security, reliability, and accuracy. Unfortunately, it'll cost a small fortune.

  • I would think the very fact that you can potentially compromise a machine once you have sufficient physical access to the system that you are able to replace its internals with whatever you want should be pretty damn obvious to almost anybody all on its own
  • ...couldn't they come up with some way to put a unique cryptographic fingerprint on the currency that would enable it to be verified as legitimate?

    • by jklovanc (1603149)

      That would require a server system that is up 24/7 to verify that the key was correct. and every validation device would need a connection to that service.

      • by swb (14022)

        Two words: credit cards.

        While it's true that once in a blue moon someone will take your credit card manually (I am old enough to still remember when they were called "charge plates" and were used with carbon paper), almost always someone uses a machine with dialup or connected to the internet to validate a credit card transaction.

        Nor is it necessary to validate every bit of cash you take in -- once in a while someone will take a magic pen to a $100 bill, but most of the time at least in Minnesota nobody b

        • by jklovanc (1603149)

          Two words: credit cards.

          The vendor is charged a fee for every credit card transaction. Are you going to do that for every cash transaction too? Who is going to pay for the servers?

          Nor is it necessary to validate every bit of cash you take in

          Cashiers are trained to automatically validate bills by just looking at them. One cannot hand over a blank piece of paper to a cashier and expect it to be accepted. Simple validation was done. Suspect bills are tested further. With your system, every bill would need to be validated because the bill can be easily duplicated and visual validation would b

  • There is likely some sort of data port... likely this thing flashes by USB or something... better to make firmware updates require a chip change.

  • Given physical access this is a trivial firmware hack. You simply bypass all the verification routines other than the one that checks the length of the bill inserted.
