CAN BUS SECURITY
CROSS REFERENCE TO RELATED APPLICATIONS
[0001] This application claims priority to US Patent Application No. 62/063,110, filed on October 13, 2014. The contents of the aforementioned application are hereby incorporated by reference herein.
TECHNICAL FIELD
[0002] The present disclosure relates generally to detecting unauthorized devices operating on a bus such as may be employed by an automated banking machine.
BACKGROUND
[0003] Automated banking machines may include a card reader that operates to read data from a bearer record such as a user card. Automated banking machines may operate to cause the data read from the card to be compared with other computer stored data related to the bearer or their financial accounts. The machine operates in response to the comparison determining that the bearer record corresponds to an authorized user, to carry out at least one transaction which may be operative to transfer value to or from at least one account. A record of the transaction is often printed through operation of the automated banking machine and provided to the user. Automated banking machines may be used to carry out transactions such as dispensing cash, the making of deposits, the transfer of funds between accounts and account balance inquiries. The types of banking transactions that may be carried out are determined by the capabilities of the particular banking machine and system, as well as the programming of the institution operating the machine.
[0004] Other types of automated banking machines may be operated by merchants to carry out commercial transactions. These transactions may include, for example, the acceptance of deposit bags, the receipt of checks or other financial instruments, the dispensing of rolled coin, or other transactions required by merchants. Still other types of automated banking machines may be used by service providers in a transaction environment such as at a bank to carry out financial transactions. Such transactions may include, for example, the counting and storage of currency notes or other financial instrument sheets, and other types of transactions. For purposes of this disclosure an automated banking machine, automated transaction machine or an automated teller machine (ATM) shall be deemed to include any machine that may be used to automatically carry out transactions involving transfers of value.
BRIEF DESCRIPTION OF THE DRAWINGS
[0005] The accompanying drawings incorporated herein and forming a part of the specification illustrate the example embodiments.
[0006] FIG. 1 illustrates an example of an automated banking machine upon which an example embodiment can be implemented.
[0007] FIG. 2 is a side view of the automated banking machine illustrated in FIG. 1.
[0008] FIG. 3 illustrates an example of a system with a device operable to detect an unauthorized device on a bus.
[0009] FIG. 4 is a block diagram illustrating an example of an automated banking machine with a controller operable to detect an unauthorized device on a CAN bus in the automated banking machine.
[0010] FIG. 5 is a block diagram that illustrates a computer system upon which an example embodiment may be implemented.
[0011] FIG. 6 illustrates an example of a methodology for monitoring a bus for unauthorized devices.
OVERVIEW OF EXAMPLE EMBODIMENTS
[0012] The following presents a simplified overview of the example embodiments in order to provide a basic understanding of some aspects of the example embodiments. This overview is not an extensive overview of the example embodiments. It is intended to neither identify key or critical elements of the example embodiments nor delineate the scope of the appended claims. Its sole purpose is to present some concepts of the example embodiments in a simplified form as a prelude to the more detailed description that is presented later.
[0013] In accordance with an example embodiment, there is disclosed herein an apparatus comprising a first transceiver coupled with a first bus and bus security logic coupled with the first transceiver. The bus security logic is operable to obtain data representative of an address of a device sending a signal on the first bus. The bus security logic is operable to determine, based at least in part on the address, whether the device sending the signal on the bus is an unauthorized device, and is further operable to take corrective action responsive to determining that the device sending the signal on the bus is an unauthorized device. Other embodiments are directed to a method or computer readable medium for implementing the functionality of the bus security logic.
[0014] In accordance with an example embodiment, there is disclosed herein an apparatus comprising: one of a group consisting of a card reader and a cardless card reader, an encrypting personal identification number (PIN) pad, a receipt printer, a cash dispenser, a hub operable to selectively light devices associated with the one of the group consisting of a card reader and a cardless card reader, the encrypting PIN pad, the receipt printer, and the cash dispenser, and a controller coupled with the one of the group consisting of a card reader and a cardless card reader, the encrypting PIN pad, the receipt printer, and the cash dispenser and the hub. The hub is coupled with the controller via a first bus and the hub is coupled with the light devices associated with the one of the group consisting of a card reader and a cardless card reader, the encrypting PIN pad, the receipt printer, and the cash dispenser via a second bus. The hub is operable to receive signals from the controller that include commands to operate a selected one of the light devices associated with the one of the group consisting of a card reader and a cardless card reader, the encrypting PIN pad, the receipt printer, and the cash dispenser via a second bus. The hub comprises bus security logic for monitoring the second bus and determining whether a device sending a signal on the second bus is an unauthorized device, based at least in part on the address of the device sending the signal on the second bus.
DESCRIPTION OF EXAMPLE EMBODIMENTS
[0015] This description provides examples not intended to limit the scope of the appended claims. The figures generally indicate the features of the examples, where it is understood and appreciated that like reference numerals are used to refer to like elements. Reference in the specification to "one embodiment" or "an embodiment" or "an example embodiment" means that a particular feature, structure, or characteristic described is included in at least one embodiment described herein and does not imply that the feature, structure, or characteristic is present in all embodiments described herein.
[0016] FIG. 1 illustrates an example of an automated banking machine 10 upon which an example embodiment can be implemented. In an example embodiment, the automated banking machine 10 operates to cause financial transfers using information read from data bearing records such as user cards. Those skilled in the art should readily appreciate that the illustrated example (an automated teller machine or "ATM") was selected merely for ease of illustration and that the example embodiments described herein are not limited to any particular type of automated banking machine. The example automated banking machine 10 includes a housing 12. In the illustrated embodiment, the housing 12 includes an upper housing area 14 and a lower housing area 16. The lower housing area 16 includes a secure chest portion 18. Access to an interior area of the chest portion 18 is controlled by a chest door 20 (see FIG. 2), which when unlocked allows access to the interior area 22 of the chest area. In an example embodiment, access to the upper housing area 14 may be made through an appropriate opening in the housing 12. The opening to the interior area of the upper housing portion 14 may also be controlled by a movable door 150 that may be in a front, rear or side of the upper housing area 14. In other embodiments, the housing may include several openings to the interior area. In an exemplary embodiment, the chest door 20 may be situated at the front of the housing, for so called "front-load" ATMs or at the rear of the housing for "rear-load" ATMs. Examples of ATM housing structures are shown in U.S. Pat. Nos. 7,156,296; 7,156,297; 7,165,767; and 7,004,384, the disclosures of which are hereby incorporated herein by reference.
[0017] In an example embodiment, the ATM 10 includes a number of transaction function devices. These transaction function devices include, but are not limited to, a card reader 24 and a keypad 26. The card reader 24 and the keypad 26 serve as input devices through which users can input instructions and information. It should be understood that as referred to herein the keypad may include function keys or touch screen areas which may be used in embodiments to input data into the machine. ATM 10 further includes a visual display 28 generally operative as an output device to provide information to users of the machine. The information provided may include information concerning cash dispensing transactions. The card reader 24 is used to read data from user cards that can be used to identify customer financial accounts to the machine. In some embodiments the card reader may be a magnetic stripe type reader. In other embodiments the card reader may be a smart card reader, or a contactless reader such as a radio frequency identification (RFID) reader or near-field communication (NFC) reader. Particular embodiments may include camera 52.
[0018] In an example embodiment, the ATM 10 includes bus security logic as will be described herein infra. For example, the bus security logic may monitor a controller area network (CAN) bus to determine whether an unauthorized device is coupled with the bus, and if so, take appropriate action.
[0019] FIG. 2 shows a schematic view of an example hardware configuration of ATM 10. The ATM 10 includes additional transaction function devices. Such transaction function devices may include a document dispensing mechanism, including a dispenser, schematically indicated 30, which operates to cause sheets such as currency bills or other documents of value stored within the machine to be delivered from the machine to a machine user. Such mechanisms are referred to herein as a cash dispenser. Examples of such cash dispensers are shown in U.S. Pat. Nos. 7,121,461; 7,131,576; 7,140,537; 7,140,607; 7,144,006; and 7,000,832, the disclosures of which are incorporated herein by reference.
[0020] The exemplary ATM 10 further includes a depository 32. The depository 32 accepts deposits such as cash or other instruments such as checks from customers. It should be understood that in other embodiments other types of depositories which accept various types of items representative of value may be used. Examples of depository devices are shown in U.S. Pat. Nos. 7,156,295; 7,137,551; 7,150,394; and 7,021,529, the disclosures of which are incorporated herein by reference. Exemplary ATMs may also include a note acceptor of the types described in the incorporated disclosures. The exemplary embodiment may include a printer 34 operative to print customer receipts related to the transaction. The exemplary embodiment may include other transaction function devices, such as a coin dispenser, coin acceptor, currency stacker, ticket accepting devices, stamp accepting devices, card dispensing devices, money order dispensing devices, and other types of devices which are operative to carry out transaction functions. Some of these devices may be located in the upper or lower housing areas, all generally schematically represented as 36. It should be understood that the embodiment shown is merely illustrative and automated banking machines of various embodiments may include a variety of transaction function devices and component combinations.
[0021] In an example embodiment, the automated banking machine includes a camera 52. The images captured by the camera 52 may be used, for example, to verify identity and/or provide security for the ATM 10 or users thereof. In an example embodiment, the ATM 10 may further include a data store 50 containing data corresponding to images of unauthorized users of the ATM 10. In an example embodiment, a controller 48 is able to compare data corresponding to the images captured by camera 52 with data in the data store 50 corresponding to unauthorized users. If the data generated by camera(s) 52 corresponds to an unauthorized user, the controller 48 is operative to carry out instructions, such as to activate an indicator which indicates the presence of the unauthorized user. The indicator may be an audible alarm, a message to a remote entity, a machine shut-down operation, or any other action able to indicate attempted use of or access to the machine by an unauthorized user. Alternatively, in some embodiments the data store 50 may be located remotely. In other embodiments the data stored in data store 50 may correspond to authorized users. Determining through operation of one or more controllers 48 that image data corresponds to an authorized user may permit such authorized users to carry out certain operations.
[0022] In the example embodiment, ATM 10 also includes a movable image capture device 58 such as a camera, in operative connection with interface bus 42. When the ATM 10 is in an operational mode, the movable image capture device 58 may be housed within the upper housing area 14. Alternately, a movable device may be housed within the lower housing area 12. Alternatively, in some embodiments, the movable image capture device 58 may be brought to the ATM 10 by a servicer and operatively connected to at least one controller 48, such as by plugging in a cable connected to a camera to a USB (Universal Serial Bus) port. After a servicer attains access to the interior of the ATM housing, the movable image capture device 58 may be utilized to aid servicing of the ATM 10.
[0023] Those skilled in the art should readily appreciate that the components and layout used in FIGs 1 and 2 were selected for ease of illustration. Therefore, the example embodiments should not be construed as limited to the illustrated architectures.
[0024] FIG. 3 illustrates an example of a system 300 with a device 302 operable to detect an unauthorized device on a bus 304. The device 30 comprises a first transceiver 306 coupled with a bus 304 and bus security logic 308 coupled with the first transceiver 306. "Logic", as used herein, includes but is not limited to hardware, firmware, software and/or combinations of each to perform a function(s) or an action(s), and/or to cause a function or action from another component. For example, based on a desired application or need, logic may include a software controlled microprocessor, discrete logic such as an application specific integrated circuit (ASIC), a programmable/programmed logic device, memory device containing instructions, or the like, or combinational logic embodied in hardware. Logic may also be fully implemented in software embodied on a tangible, non-transitory computer-readable medium that performs the described functionality when executed by a processor.
[0025] As illustrated bus 304 is coupled with a plurality of devices that include second device (Device 2) 310 and a third device (Device n) 312 where n is an integer greater than 2. Although the illustrated example shows two additional devices 310, 312 coupled with bus 304, those skilled in the art should readily appreciate that any physically realizable number of devices may be coupled to bus 304 and that the number of devices selected for this example was merely for ease of illustration.
[0026] In an example embodiment, the bus security logic 308 is operable to obtain data representative of an address of a device (e.g., device 310 for this example) sending a signal on the bus 304. The bus security logic 308 is operable to determine, based at least in part on the address of the device 310 sending the signal on the bus 304, whether the device 304 is an unauthorized device. The bus security logic 308 is operable to take corrective action responsive to determining that the device 310 sending the signal on the bus 304 is an unauthorized device. In an example embodiment, the bus 304 is a controller area network bus ("CAN bus").
[0027] In an example embodiment, the device 302 has an address (or identifier). The bus security logic 308 is operable to determine that the device 310 sending the signal on the bus 304 is an unauthorized device responsive to determining the address used by the device 310 is the same address as the apparatus's address.
[0028] In particular embodiments, the device 302 further comprises a second transceiver 314 operable to communicate on a second bus 316. The bus security logic 308 is further operable to send a signal on the second bus 36 via the transceiver 314 indicating an unauthorized device (device 310 in this example) was detected on the first bus 304 responsive to determining that the device 310 sending the signal on the first bus 304 is an unauthorized device.
[0029] In an example embodiment, the bus security logic 308 is further operable to send a signal on the bus 30 instructing devices (e.g., Device n 312) on the bus 304 receiving the signal to discontinue operation responsive to determining that the device 310 sending the signal on the bus is an unauthorized device.
[0030] FIG. 4 is a block diagram illustrating an example of an automated banking machine (an automated teller machine or "ATM" in this example) 400 with a host 402 operable to detect an unauthorized device 430 on a CAN bus 406 in the automated banking machine 400. In an example embodiment, the ATM 40 comprises one of a group consisting of a card reader and a cardless card reader, an encrypting personal identification number (PIN) pad (or "EPP"), a receipt printer, and a cash dispenser (not shown, see e.g., FIGs. 1 and 2). The host 402 is coupled with the one of the group consisting of a card reader and a cardless card reader, the EPP, the receipt printer, the cash dispenser and the lighting hub 404.
[0031] In an example embodiment, the host 402 is operable to communicate with the lighting hub 404 that is coupled with the CAN bus 406 via transceiver 408. The lighting hub 404 is operable to selectively light devices associated with the one of the group consisting of a card reader and a cardless card reader, the encrypting PIN pad, the receipt printer, and the cash dispenser. The lighting hub 404 converts signals from the CAN bus 404 and provides them to lighting controller logic 412 to operate the appropriate light device. In this example, lights 420 associated with a contactless card reader, lights 421 associated with a card reader, and lights 422 associated with an encrypting personal identification (PIN) pad (or "EPP") are coupled to a first interface 414 in lighting hub 404. Lights 423 associated with a biometric reader, lights 424 associated with a barcode reader, and lights 425 associated with a media acceptor (which may be a currency accepter, check accepter, or a mixed media accepter or "MMA") are associated with interface 416. Lights 426 associated with a cash dispenser and lights 427 associated with a receipt printer are coupled with interface 418. Those skilled in the art should readily appreciate that the devices and organization of devices used in this example were selected merely for ease of illustration and that the principles described herein can be employed with any type of devices or arrangement of devices associated with a CAN bus in the ATM 400.
[0032] The lighting hub 404 is coupled with the host 404 via the CAN bus 408 and the lighting hub 404 is coupled with the light devices associated with the one of the group consisting of a card reader and a cardless card reader, the encrypting PIN pad, the receipt printer, and the cash dispenser via a second bus. The lighting hub 404 is operable to receive a signal from the ATM host 402 that includes commands to operate a selected one of the light devices 420, 421, 422, 423, 424, 425, 426, 427 associated with the one of the group consisting of a card reader and a cardless card reader, the encrypting PIN pad, the receipt printer, and the cash dispenser via the CAN bus 406. The lighting controller logic 412 in lighting hub 404 converts the signals from the ATM controller received via host 402 to an appropriate signal to operate the selected one of the lighting devices 420, 421, 422, 423, 424, 425, 426, 427.
[0033] Bus security logic 308 in the host 402 monitors the CAN bus 406 and determines whether a device sending a signal on the CAN bus 406 is an unauthorized device, based at least in part on the address of the device sending the signal on the CAN bus 406. For example, bus security logic 308 upon detecting a signal on CAN bus 406 from unauthorized device 430, determines from the address used by the unauthorized device 430 that the unauthorized device 430 is not authorized to use CAN bus 406.
[0034] In an example embodiment, an address is associated with the ATM host 402. The bus security logic 308 is operable to determine that device 430 is unauthorized responsive to determining that device 430 is using the same address as the address associated with the ATM host 402.
[0035] The bus security logic 308 is operable to take corrective action upon detecting unauthorized device 430. For example, the bus security logic 308 may send a signal (e.g., an alarm signal) on bus 434 coupled with transceiver 432 indicating that an unauthorized device 430 was detected operating on the CAN bus 406. For example, an alarm signal can be sent to the ATM controller via bus 434. In particular embodiments, the bus security logic 308 may signal devices, such as lighting hub 404, coupled with the CAN bus 406 to shut down or stop operating responsive to detecting the unauthorized device 430 operating on the CAN bus 406.
[0036] FIG. 5 is a block diagram that illustrates a computer system 500 upon which an example embodiment may be implemented. Computer system 500 is suitable for implementing the functionality of bus security logic 308 described in FIGs 3 and 4.
[0037] Computer system 500 includes a bus 502 or other communication mechanism for communicating information and a processor 504 coupled with bus 502 for processing information. Computer system 500 also includes a main memory 506, such as random access memory (RAM) or other dynamic storage device coupled to bus 502 for storing information and instructions to be executed by processor 504. Main memory 506 also may be used for storing a temporary variable or other intermediate information during execution of instructions to be executed by processor 504. Computer system 500 further includes a read only memory (ROM) 508 or other static storage device coupled to bus 502 for storing static information and instructions for processor 504. A storage device 510, such as a magnetic disk or optical disk, is provided and coupled to bus 502 for storing information and instructions.
[0038] An aspect of an example embodiment is related to the use of computer system 500 for a power control hub. According to one embodiment, the functionality of the power control hub is provided by computer system 500 in response to processor 504 executing one or more sequences of one or more instructions contained in main memory 506. Such instructions may be read into main memory 506 from another computer-readable medium, such as storage device 510. Execution of the sequence of instructions contained in main memory 506 causes processor 504 to perform the process steps described herein. One or more processors in a multi-processing arrangement may also be employed to execute the sequences of instructions contained in main memory 506. In alternative embodiments, hard-wired circuitry may be used in place of or in combination with software instructions to implement an example embodiment. Thus, embodiments described herein are not limited to any specific combination of hardware circuitry and software.
[0039] The term "computer-readable medium" as used herein refers to any medium that participates in providing instructions to processor 504 for execution. Such a medium may take many forms, including but not limited to non-volatile media. Non-volatile media include, for example, optical or magnetic disks, such as storage device 510. Common forms of computer-readable media include, for example, a floppy disk, a flexible disk, hard disk, magnetic cards, paper tape, any other physical medium with patterns of holes, a RAM, a PROM, an EPROM, a FLASHPROM, CD, DVD or any other memory chip or cartridge, or any other medium from which a computer can read.
[0040] Computer system 500 also includes communication interfaces, or ports, 520, 526 coupled to bus 502. In the illustrated example two ports 520, 526 are illustrated; however, those skilled in the art should readily appreciate that computer system 500 may have as few as one port or any physically realizable number of ports. Communication interfaces 520, 526 are coupled to busses 518, 524 via links 522, 528 respectively. Links 522, 526 may comprise wired, wireless, or any combination of wired and wireless links.
[0041] For example, processor 504 may monitor bus 522 via communication interface 518 and obtain data representative of addresses used on the bus. If the processor 504 determines an address on the bus belongs to an unauthorized device (for example another device is detected using the same address as computer system 500), the processor 504 may take corrective action as described herein. For example, the processor 504 may signal devices on bus 522 to power down or send a signal (such as an alarm signal) on bus 528.
[0042] In view of the foregoing structural and functional features described above, a methodology 600 in accordance with an example embodiment will be better appreciated with reference to FIG. 6. While, for purposes of simplicity of explanation, the methodology 600 of FIG. 6 is shown and described as executing serially, it is to be understood and appreciated that the example embodiment is not limited by the illustrated order, as some actions could occur in different orders and/or concurrently with other actions from that shown and described herein. Moreover, not all illustrated features may be required to implement a methodology in accordance with an example embodiment. The methodology 600 described herein is suitably adapted to be implemented in hardware, software, software when executed by a processor (such as processor 504 in computer system 500 in FIG. 5), or a combination thereof. For example, methodology 600 may be implemented by bus security logic 308 described in FIGs 3 and 4, or computer system 500 described in FIG. 5. FIG. 6 illustrates an example of a methodology for monitoring a bus for unauthorized devices.
[0043] At 602, the bus is monitored. In an example embodiment, the bus may be a CAN bus. When signals are detected, an address for the source of the signal is obtained.
[0044] At 604, a determination is made whether the address of the source of a signal is an unauthorized address. In particular embodiments, the address is compared with the address of the host monitoring the bus. If the addresses match, then the source of the signal is determined to be unauthorized. If the address of the source of a signal is determined to be unauthorized, spoofed, or fake (YES), at 606 corrective action is taken. Any suitable type of corrective action may be taken. For example, an alarm signal may be sent to a predetermined destination. In particular embodiments, a signal may be sent on the bus commanding recipients of the signal to cease operation or to stop responding to signals received on the bus.
[0045] If, however, at 606 a determination is made that the source of the signal is not from an unauthorized address (NO), the methodology 600 continues and returns to monitoring the bus at 602.
[0046] The actions described in 602, 604, 606 may be repeated as often as desired. For example, the bus may be monitored continuously, periodically, or aperiodically.
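The loop of methodology 600 (steps 602, 604 and 606), with the host-address comparison and the two corrective actions described for bus security logic 308, is shown below in C. This is an added example, not code from the application: the identifiers HOST_ID and CEASE_ID, the frame layout, the constructed trace, and the echo counting used to tell the host's own transmissions from frames sent by another device under the same address are all assumptions made for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed values: the disclosure assigns no concrete identifiers. */
#define HOST_ID  0x100u   /* assumed address of the monitoring host */
#define CEASE_ID 0x001u   /* assumed ID of a "cease operation" command frame */

struct frame {            /* minimal stand-in for a classic CAN data frame */
    uint32_t id;          /* arbitration identifier, used here as the address */
    uint8_t  dlc;         /* payload length, 0..8 */
    uint8_t  data[8];
};

enum verdict { FRAME_OK, FRAME_OWN_ECHO, FRAME_UNAUTHORIZED };

struct monitor {
    uint32_t own_id;
    unsigned pending_echo; /* frames the host sent and has not yet seen echoed */
    unsigned alarms;       /* alarm signals raised toward the second bus */
    bool     halted;       /* true once a cease command has been issued */
};

void monitor_init(struct monitor *m, uint32_t own_id)
{
    memset(m, 0, sizeof *m);
    m->own_id = own_id;
}

/* Call whenever the host itself queues a frame for transmission. */
void monitor_note_tx(struct monitor *m) { m->pending_echo++; }

/* Steps 602/604: take the source address of a received frame and decide. */
enum verdict monitor_classify(struct monitor *m, const struct frame *f)
{
    if (f->id != m->own_id)
        return FRAME_OK;               /* some other node's address */
    if (m->pending_echo > 0) {         /* our own transmission coming back */
        m->pending_echo--;
        return FRAME_OWN_ECHO;
    }
    return FRAME_UNAUTHORIZED;         /* our address, but we did not send it */
}

/* Step 606: raise the alarm and build the cease command for the first bus. */
struct frame monitor_corrective_action(struct monitor *m)
{
    struct frame cease = { .id = CEASE_ID, .dlc = 1, .data = { 0x01 } };
    m->alarms++;                       /* stand-in for a send on the second bus */
    m->halted = true;
    return cease;
}

/* Feed a constructed trace through the monitor; returns the alarm count. */
unsigned run_constructed_trace(struct monitor *m)
{
    static const struct { struct frame f; bool host_sent; } trace[] = {
        { { 0x210,   1, { 0x05 } },       false }, /* another node's status */
        { { HOST_ID, 2, { 0x01, 0x03 } }, true  }, /* genuine host command */
        { { 0x210,   1, { 0x06 } },       false },
        { { HOST_ID, 2, { 0x01, 0x07 } }, false }, /* host's ID, not host-sent */
    };
    for (size_t i = 0; i < sizeof trace / sizeof trace[0]; i++) {
        if (trace[i].host_sent)
            monitor_note_tx(m);
        if (monitor_classify(m, &trace[i].f) == FRAME_UNAUTHORIZED) {
            struct frame cmd = monitor_corrective_action(m);
            printf("frame %zu: unauthorized sender using 0x%03X, "
                   "issuing cease frame 0x%03X\n", i,
                   (unsigned)trace[i].f.id, (unsigned)cmd.id);
        }
    }
    return m->alarms;
}

int main(void)
{
    struct monitor m;
    monitor_init(&m, HOST_ID);
    return run_constructed_trace(&m) == 1 ? 0 : 1;
}
```

Because the monitor counts outstanding echoes instead of trusting a single flag, any excess frame carrying the host's address is flagged, whichever copy reaches the monitor first.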
[0047] Described above are example embodiments. It is, of course, not possible to describe every conceivable combination of components or methodologies for purposes of describing the example embodiments, but one of ordinary skill in the art will recognize that many further combinations and permutations of the example embodiments are possible. Accordingly, it is intended to embrace all such alterations, modifications and variations that fall within the spirit and scope of any claims filed in applications claiming priority hereto interpreted in accordance with the breadth to which they are fairly, legally and equitably entitled.