Cracking an ATM
Updated: Jun 17, 2019
Pinn pivoted its mission in early 2016. Initially we wanted to be a handsfree payments platform enabled by ACH; thus removing a majority of transaction fees to merchants and offering a seamless experience for customers. The platform applied to retail, online, and even banking (where the idea of an ATM originated) use cases. Built the minimum viable product, tested it, and got some interest, which was all great. However we kept getting concerns of security and authentication, a background thought for us all the while developing. The features to enable greater security were even on our roadmap as additives that would make the increase usability. Little did we know, this was soon to become our primary focus and mission.
At some point, we decided to built these features rather than just keep on mentioning the possibility of it. So we set out to prove we could develop a system with enhanced security. Take what we had and create something that showed we could provide security beyond what current payment rails offer. So what did we do first? We bought an ATM. Here's the actual one we bought.
We had a couple considerations when building this demo. Do we tap into the computer that came with the ATM? Can we get necessary readings for the biometrics we wanted to analyze (images and keystroke readings)? How do we communicate with the nearby device that we wanted to authenticate? Lets look at these pieces one by one.
So early on we decided we would never be able to tap into the onboard computer. The instructions were in Chinese. It ran on some unknown OS that we just were not going to figure out. We needed access keys from Hyosung, which come on now. So we decided to gut the entire thing and rig it with a Raspberry PI. Using the GPIO board, we were able to through some server code onto the Pi and there we had rails to communicate the ATMs signals. This enabled everything. The Pi became our sensory data distributor, local server, and key to communicating with the darn thing. Gutting the ATM was a guilt-wrenched but enjoyable experience. Just a funny thing to mention, the ATM is essentially a Faraday cage for wifi signal. So we even had to get an extended wifi dongle, 5g capable, that extends outside the ATM itself. Demoing with the cage was not ideal.
First and foremost, how do we read what the person is typing off of this heavy duty steel keyboard? Those keyboards are NOT made to be able to be read off of easily. While dissembling, there were even headless screws that took some elbow grease before even getting to the real hardware. We considered even building our own keyboard with soldered push switches. However through Dave's brilliance and skills with a multi meter we found hair sized outputs that the keyboard ran electricity through to communicate with the encryption circuits. I am not exaggerating when saying male jumper wires could not reach these little holes. We actually shaved down the metal with scissors to even reach the conductors. After destroying one of the conductors, we tasked Mitchell, on his first day on the job, of soldering these wires to the conduction endpoints and rigging it to our GPIO board.
Since there was no chance of using anything the ATM provided, we had to jimmy rig our own camera for our facial recognition. Luckily the Pi camera takes some very high resolution photos. To attach it to the ATM, took some careful Dremel work, done by yours truly. The cool thing about having our own server is that this allowed us to put facial detection software behind the camera. Not only can we now send photos to our API's but we can filter what we send and make sure we got some faces to work with. My honorable mention for complications is the installation of these packages on the oh so delicate Pi.
So now that we aren't communicating with the ATM's native computer we had the option for how we present an ATM transaction on the machine itself. Luckily for us, Apple just had released their supersize iPad Pro. Framing the iPad and stably holding it behind the once ATM screen was a fun rig job. Our iOS backgrounds allowed us to push a demo ATM application that communicated to the Pi socket. There were considerable optimizations when deciding which client handled the data collection, preprocessing, and shipping. All the options were considered. The iPad allowed us to use our bluetooth/wifi payment platform to communicate with nearby devices and actually allow for multiple people to walk up to the ATM and enter their own pin.
Awesome stuff huh, well given you're into this kind of hacking. Here are some photos and a video of our CEO Will and COO Herb using the demo for demonstration purposes. Hope this was eye opening to our road to proofing our new concept and vision.