IDG News Service - Barnaby Jack hit the jackpot at Black Hat on Wednesday. Twice.
Exploiting bugs in two different ATM machines, the researcher from IOActive was able to get them to spit out money on demand and record sensitive data from the cards of people who used them.
He showed the attacks on two systems he had purchased himself -- the type of generic ATM machines typically found in bars and convenience stores. Criminals have been hitting this type of machine for years, using ATM skimmers to record card data and PIN numbers, or in some cases simply pulling up a truck and hauling the machines away.
Patches have already been developed the systems, built by ATM-makers Triton and and Tranax, Jack said. Triton patched the issue in November 2009, said Bob Douglas, Triton's vice president of engineering.
Douglas showed up at Black Hat to attend the talk and a subsequent press conference. Tranax could not immediately be reached for comment.
Tranax has had security problems before. In 2006, CNN reported that a Virginia Beach, Virginia, criminal used a keypad code to reprogram a Tranax machine into thinking it was dispensing $5 bills. Then, using an anonymous prepaid debit card, he withdrew $20 bills, but was only debited for one-quarter of the money he took. A manual showing how to do this, was reportedly available on the web.
But according to Jack there's an easier, much more alarming way to get the money out. Criminals can connect to the machines by dialing them up -- Jack believes a large number of them have remote management tools that can be accessed over a telephone -- and then launching an attack.
After experimenting with his own machines, Jack developed a way of bypassing the remote authentication system and installing a homemade rootkit, named Scrooge, that lets him override the machine's firmware. He also developed an online management tool, called Dillinger, that can keep track of compromised machines and store data stolen from people who use them.
Criminals could find vulnerable ATMs by using open-source "war-dialling" software to call hundreds of thousands of numbers, looking for those that respond by saying they have the vulnerable management software installed. Criminals have already used a similar technique over the Internet to break into vulnerable point-of-sale systems.
Jack's tools are just proof-of-concept software, designed to show how vulnerable the machines really are, he said. "The goal of the talk is to spark discussion on the best ways to remediate," he said.
"It's time to give these devices an overhaul," Jack said. "Companies who manufacture the devices aren't Microsoft. They haven't had 10 years of continual attacks against them."
- Path Selection Infographic Path Selection Infographic
- Hyperconvergence Infographic A wide range of observers agree that data centers are now entering an era of "hyperconvergence" that will raise network traffic levels faster...
- Preparing Your Infrastructure for the Hyperconvergence Era From cloud computing and virtualization to mobility and unified communications, an array of innovative technologies is transforming today's data centers.
- How WAN Optimization Helps Enterprises Reduce Costs If you wanted to break down innovation into a tidy equation, it might go something like this: Technology + Connectivity = Productivity. Productivity...
- Redefine Your IT Operations: Remote Office IT Has Never Been Simpler Join us to see why PC Pro named Dell PowerEdge VRTX the "2013 Server of the Year." PowerEdge VRTX may be just what...
- Cloud Knowledge Vault Learn how your organization can benefit from the scalability, flexibility, and performance that the cloud offers through the short videos and other resources... All Hardware White Papers | Webcasts
Our new weekly Consumerization of IT newsletter covers a wide range of trends including BYOD, smartphones, tablets, MDM, cloud, social and what it all means for IT. Subscribe now and stay up to date!