Kaspersky’s researchers already had the same model of ATM in their test lab, one that’s been in wide use since the 1990s. They removed its front panel to find a serial port that would have been accessible from the thieves’ hole. It connected to a wire that ran through the ATM’s entire internal bus of components, from the computer that controlled its user interface to the cash dispenser. Then the researchers spent five solid weeks with an oscilloscope and logic analyzer, decoding the protocol of the ATM’s internal communications from raw electric signals. They found that the machine’s only encryption was a weak XOR cipher they were able to easily break, and that there was no real authentication between the machine’s modules.
In practical terms, that means any part of the ATM could send commands to any other part: an attacker could spoof commands to the dispenser and make them appear to come from the ATM’s own trusted computer.
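To make the two findings concrete, here is an added example (not Kaspersky’s code, and not the ATM’s real protocol, which the article does not detail) that contrasts a bus protected only by repeating-key XOR with one that authenticates each frame. The frame layout, the module id, the XOR key and the per-unit secret are all constructed for illustration.

```python
import hashlib, hmac, os, struct

# Constructed illustration, not the ATM's actual wire protocol: a frame is a
# 1-byte sender module id, a 4-byte counter and a command string.
CONTROLLER = 1          # hypothetical id of the ATM's trusted computer
TAG_LEN = 32

def xor_layer(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR: self-inverse and carries no integrity at all."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def xor_receiver_accepts(wire: bytes, key: bytes) -> bool:
    """Receiver behind XOR only: any well-formed frame claiming the trusted id is accepted."""
    frame = xor_layer(wire, key)
    return len(frame) >= 5 and frame[0] == CONTROLLER

class AuthenticatedLink:
    """Receiver side of a hardened bus: per-unit shared secret, HMAC tag on
    every frame, monotonic counter so a captured frame cannot be replayed."""
    def __init__(self, key: bytes):
        self.key, self.last_ctr = key, 0

    def tag(self, frame: bytes) -> bytes:
        return frame + hmac.new(self.key, frame, hashlib.sha256).digest()

    def accept(self, wire: bytes) -> bool:
        if len(wire) < 5 + TAG_LEN:
            return False
        frame, tag = wire[:-TAG_LEN], wire[-TAG_LEN:]
        expected = hmac.new(self.key, frame, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return False                      # forged or tampered frame
        sender, ctr = struct.unpack(">BI", frame[:5])
        if sender != CONTROLLER or ctr <= self.last_ctr:
            return False                      # wrong source or replay
        self.last_ctr = ctr
        return True

def demo() -> dict:
    """Same spoofed frame against both designs; reports what each accepted."""
    xor_key = b"\x5a\xa5"                                     # constructed, weak
    spoof = struct.pack(">BI", CONTROLLER, 7) + b"DISPENSE"   # claims trusted id
    link = AuthenticatedLink(os.urandom(32))                  # secret per unit
    genuine = link.tag(struct.pack(">BI", CONTROLLER, 1) + b"DISPENSE")
    return {
        "xor_accepts_spoof": xor_receiver_accepts(xor_layer(spoof, xor_key), xor_key),
        "hmac_accepts_genuine": link.accept(genuine),
        "hmac_accepts_replay": link.accept(genuine),
        "hmac_accepts_spoof": link.accept(spoof + bytes(TAG_LEN)),
    }
```

The XOR receiver has nothing to check beyond the claimed sender id, so the spoofed frame goes through, while the authenticated link rejects both the unsigned spoof and a replay of the genuine frame.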
Eventually, the researchers were able to build their own device capable of sending cash-ejecting commands through just that exposed port. Their compact gadget, far smaller than even the arrested suspect’s laptop, consisted of only a breadboard, an Atmega microcontroller of the kind commonly found in Arduino boards, some capacitors, an adapter, and a 9-volt battery. All told, it took less than $15 worth of equipment.