Shostack + Friends Blog Archive

 

Rely only on the secrecy of that which can be easily changed

The title is a statement of Kerckhoffs’ principle. A cryptographic system is only secure if the security of the system doesn’t depend on the whole system being secret. And there’s an interesting lesson there for Diebold. You see, Diebold sells ATMs and voting machines. And they posted pictures of the key that allegedly opens every voting machine they sell.

Ross Kinard looked at the key (they’re for sale on Diebold’s web site) and, using some blank keys from Ace Hardware, made some keys and sent them to Alex Halderman, who blogs about it in “Diebold Shows How to Make Your Own Voting Machine Key.” Alex also reports that Diebold has removed the picture, now all over the internet, of their key.

I hope it can be easily changed, and I wonder if there’s a single key for ATM machines?

Also, thanks to the several friends who sent this to me!

 

7 comments on "Rely only on the secrecy of that which can be easily changed"

  • David Brodbeck says:

    I don’t have any experience with Diebold ATMs. However, my experience with another brand is that, yes, they seem to be keyed alike. However, it doesn’t really matter, because the key will not get you into the internal vault that holds the cash. It will only let you access the part of the ATM that holds the electronics and the receipt printer. To get into the vault, you need to open a combination lock, which can (and should) be custom-set by each site.
    ATMs actually have some nice examples of security in depth. For example, the ATM PIN pad has its own encryption chip. It encrypts the PIN before the ATM’s OS even sees it.

  • Orv says:

    Yeah, I know. But if someone has that much time alone with the machine no lock is going to help you.

  • Adam says:

    Orv, I’m not sure I follow the logic. If I can open the machine in a second with a key, and play with the electronics, that’s a lot easier than spending 30 minutes trying to pick the lock?

  • Orv says:

    Sure, it’s easier. But in either case someone is likely to notice your tinkering, unless you’re doing this to your own ATM in the privacy of your home or office. I don’t disagree that they really ought to be keyed differently, but in the case of ATMs this isn’t as big a concern as it is with voting machines. (This may explain Diebold’s shortsightedness about it.) It could easily be fixed by taking the same tack the ATMs I’ve seen do — having a combination lock that can be field-set to a unique combination.
    There *have* been scams involving people setting up entire fake ATMs and skimming card numbers. They generally don’t last long because someone always reports the “broken” ATM that won’t dispense cash.

  • Chris says:

    @Orv:
    There was a bit of a kerfuffle a while back over an ATM scam which “aligned incentives” far better.
    ATMs designed for use in low-security settings (like in a hotel lobby or 7-11) sometimes ship with default passwords and can be reprogrammed from the keypad. So, a clever person reprogrammed an ATM to think it had $5 bills in the cash dispenser where it actually had $20. Call it the “withdraw 1, get 3 free” trick. IIRC, the instance that drew headlines operated like this for 8 days before being reported. I guess when the “broken” ATM gives out free $$, people don’t feel it’s worth reporting :^).
    The default passwords and reprogramming instructions were available to anyone via some manufacturer web sites (and trivially locatable with search engines), which helped this grab some headlines.

  • Orv says:

    Clever. Having worked on a few ATMs that can be programmed from the keypad, I wondered about that.
    Having provided people with a way to change the password, I’m not sure what a manufacturer can do if people then neglect to actually change it. Even forcing it to be changed on the first power-up doesn’t necessarily work, since people will often try to re-use the same password or something else obvious.
