Skip the navigation
)
News

Update: ATM hack gives cash on demand

Researcher demos bug exploit at BlackHat that causes ATMs to dish out cash and record sensitive card data

By Robert McMillan
July 28, 2010 09:08 PM ET

IDG News Service - Barnaby Jack hit the jackpot at Black Hat on Wednesday. Twice.

Exploiting bugs in two different ATMs, the researcher from IOActive was able to get them to spit out money on demand and record sensitive data from the cards of people who used them.

Barnaby Jack demonstrates his ATM exploit at Black Hat on Wednesday
Barnaby Jack demonstrates his ATM exploit at Black Hat on Wednesday.

He showed the attacks on two systems he had purchased himself -- the type of generic ATMs typically found in bars and convenience stores. Criminals have been hitting this type of machine for years, using ATM skimmers to record card data and PINs, or in some cases simply pulling up a truck and hauling the machines away.

Patches have already been developed the systems, built by ATM-makers Triton and and Tranax, Jack said. Triton patched the issue in November 2009, said Bob Douglas, Triton's vice president of engineering.

Douglas showed up at Black Hat to attend the talk and a subsequent press conference. Tranax could not immediately be reached for comment.

Tranax has had security problems before. In 2006, CNN reported that a Virginia Beach, Virginia, criminal used a keypad code to reprogram a Tranax machine into thinking it was dispensing $5 bills. Then, using an anonymous prepaid debit card, he withdrew $20 bills, but was only debited for one-quarter of the money he took. A manual showing how to do this, was reportedly available on the Web.

But according to Jack there's an easier, much more alarming way to get the money out. Criminals can connect to the machines by dialing them up -- Jack believes a large number of them have remote management tools that can be accessed over a telephone -- and then launching an attack.

After experimenting with his own machines, Jack developed a way of bypassing the remote authentication system and installing a homemade rootkit, named Scrooge, that lets him override the machine's firmware. He also developed an online management tool, called Dillinger, that can keep track of compromised machines and store data stolen from people who use them.

Criminals could find vulnerable ATMs by using open-source "war-dialling" software to call hundreds of thousands of numbers, looking for those that respond by saying they have the vulnerable management software installed. Criminals have already used a similar technique over the Internet to break into vulnerable point-of-sale systems.

Jack's tools are just proof-of-concept software, designed to show how vulnerable the machines really are, he said. "The goal of the talk is to spark discussion on the best ways to remediate," he said.

"It's time to give these devices an overhaul," Jack said. "Companies who manufacture the devices aren't Microsoft. They haven't had 10 years of continual attacks against them."

The machines Jack hacked were, however, based on Microsoft's Windows CE operating system.

In an dramatic on-stage demonstration at Black Hat, he connected remotely to an ATM and ran a program called Jackpot that caused the ATMs to spit out cash, while playing a tune and splashing the word "Jackpot" across the screen of the machine.

In a second demo, he walked up to the machine, opened it with a key he had obtained on the Internet, and installed his own firmware. A single, standard key can open many different types of machines, he said, presenting another serious security problem.

He demonstrated the remote attack on an unpatched Tranax system; the hands-on attack was on an older Triton machine, he said.

Jack had planned to deliver the talk at last year's conference, but it was pulled after ATM vendors asked for more time to patch the issues he'd discovered.

He got the green light for the talk after leaving his former employer, Juniper Networks, and taking a job with IOActive, a company that sells -- among other things -- ATM security consulting services.

The security researcher seems to have had a good time researching ATM bugs. When a delivery man showed up, asking him why on earth he'd want a machine delivered to his home, Jack quipped, "Oh I just don't' like the transaction fees, mate."

Robert McMillan covers computer security and general technology breaking news for The IDG News Service. Follow Robert on Twitter at @bobmcmillan. Robert's e-mail address is robert_mcmillan@idg.com

Reprinted with permission from IDG.net. Story copyright 2012 International Data Group. All rights reserved.
What is Tech Briefcase?
TechBriefcase is a new, free service where IT Professionals can Search, Store and Share IT white papers and content like this. Learn more
Bookmark content
Speed up your research efforts with content across the web.
Search and Store
Find the white papers you need. Create folders for any topic.
View Anywhere
Open your briefcase on your iPhone, tablet or desktop. Share with colleagues.
Don't have an account yet?
Additional Resources
Security KnowledgeVault
WHITE PAPER
Security is not an option. This KnowledgeVault Series offers professional advice how to be proactive in the fight against cybercrimes and multi-layered security threats; how to adopt a holistic approach to protecting and managing data; and how to hire a qualified security assessor. Make security your Number 1 priority.

Read now.

Cut Communications Costs Once and for All
WHITE PAPER
New IP-based communications systems are being deployed by small and midsized businesses at a rapid rate. Learn how these organizations are enabling faster responsiveness, creating better customer experiences, speeding office or mobile interactions, and dramatically reducing existing communications costs.

Read now.

Hardware White Papers
Gary Watson, CTO, Nexsan: 6 Tips for Selecting Hard Drives
What type of drives should be used for what types of data? Selecting a drive and interface can seem complex with considerations of...
10 Reasons to Modernize the Desktop
Learn how to enhance your business through VMware View
The Laptop Dilemma: How to Maximize Productivity and Lower the Burden on IT
Download Now
Practice Management: Double Billing Rate and Improve Patient Services
Would you like to double your billing rate and achieve faster payment for services?

Download this customer success story to see how One Health...
Mission Critical Data Explosion and Customer Case Study
Would you like to double your tier 1 storage capacity while simultaneously reducing your storage footprint?

Download this customer success story to see how...
All Hardware White Papers
Hardware Webcasts
Distributed Database Security with Real-time Monitoring
View this demo and learn how IBM InfoSphere Guardium database activity monitoring can help protect your sensitive data in distributed DBMS environments with...
InfoSphere Warehouse Packs Demo
These flash modules make warehousing more tangible and relevant to business users through detailed explanations of the InfoSphere Warehouse Packs.
Delivery Management -- Extending Lifecycle Management
Date: Wednesday, June 20, 2012, 1:00 PM EDT

Siloed organizations continue doing the wrong things and doing things wrong, leading to increased costs,...
Leverage automation today to reduce IT complexity
Date: Tuesday, June 5, 2012, 2:00 PM EDT

Whether your B2B complexity is caused by multiple technologies due to M&A, business or application specific...
Redefine Expectations in the Data Center
Need to do more with less? Watch this video to learn how HP ProLiant Gen8 servers can help your business deploy servers three...
All Hardware Webcasts
Newsletter Sign-Up

Receive the latest news test, reviews and trends on your favorite technology topics

Choose a newsletter
  1. View all newsletters | Privacy Policy
IT Jobs