ATM hack gives cash on demand

Windows CE-based machines can easily be made to dole out cash, a security researcher says

Barnaby Jack hit the jackpot at Black Hat on Wednesday. Twice.

Exploiting bugs in two different ATM machines, the researcher from IOActive was able to get them to spit out money on demand and record sensitive data from the cards of people who used them.

He showed the attacks on two systems he had purchased himself -- the type of generic ATM machines typically found in bars and convenience stores. Criminals have been hitting this type of machine for years, using ATM skimmers to record card data and PIN numbers, or in some cases simply pulling up a truck and hauling the machines away.

Patches have already been developed the systems, built by ATM-makers Triton and and Tranax, Jack said. Triton patched the issue in November 2009, said Bob Douglas, Triton's vice president of engineering.

Douglas showed up at Black Hat to attend the talk and a subsequent press conference. Tranax could not immediately be reached for comment.

Tranax has had security problems before. In 2006, CNN reported that a Virginia Beach, Virginia, criminal used a keypad code to reprogram a Tranax machine into thinking it was dispensing $5 bills. Then, using an anonymous prepaid debit card, he withdrew $20 bills, but was only debited for one-quarter of the money he took. A manual showing how to do this, was reportedly available on the web.

But according to Jack there's an easier, much more alarming way to get the money out. Criminals can connect to the machines by dialing them up -- Jack believes a large number of them have remote management tools that can be accessed over a telephone -- and then launching an attack.

After experimenting with his own machines, Jack developed a way of bypassing the remote authentication system and installing a homemade rootkit, named Scrooge, that lets him override the machine's firmware. He also developed an online management tool, called Dillinger, that can keep track of compromised machines and store data stolen from people who use them.

Criminals could find vulnerable ATMs by using open-source "war-dialling" software to call hundreds of thousands of numbers, looking for those that respond by saying they have the vulnerable management software installed. Criminals have already used a similar technique over the Internet to break into vulnerable point-of-sale systems.

Jack's tools are just proof-of-concept software, designed to show how vulnerable the machines really are, he said. "The goal of the talk is to spark discussion on the best ways to remediate," he said.

"It's time to give these devices an overhaul," Jack said. "Companies who manufacture the devices aren't Microsoft. They haven't had 10 years of continual attacks against them."

The machines Jack hacked were, however, based on Microsoft's Windows CE operating system.

In an dramatic on-stage demonstration at Black Hat, he connected remotely to an ATM and ran a program called Jackpot that caused the ATMs to spit out cash, while playing a tune and splashing the word "Jackpot" across the screen of the machine.

In a second demo, he walked up to the machine, opened it with a key he had obtained on the Internet, and installed his own firmware. A single, standard key can open many different types of machines, he said, presenting another serious security problem.

He demonstrated the remote attack on an unpatched Tranax system; the hands-on attack was on an older Triton machine, he said.

Jack had planned to deliver the talk at last year's conference, but it was pulled after ATM vendors asked for more time to patch the issues he'd discovered.

He got the green light for the talk after leaving his former employer, Juniper Networks, and taking a job with IOActive, a company that sells -- among other things -- ATM security consulting services.

The security researcher seems to have had a good time researching ATM bugs. When a delivery man showed up, asking him why on earth he'd want a machine delivered to his home, Jack quipped, "Oh I just don’t' like the transaction fees, mate."

Robert McMillan covers computer security and general technology breaking news for The IDG News Service. Follow Robert on Twitter at @bobmcmillan. Robert's e-mail address is robert_mcmillan@idg.com

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Robert McMillan

IDG News Service
Topics: ATM, black hat, security, hardware systems, finance, industry verticals, IOActive

Comments

vt7

1

Talk about repeatedly redundant. Between the Automated Teller Machine machines and Personal Identification Number numbers, I couldn't make it past the third paragraph. :-P

sarc

2

@vt7 So you have the attention span of a retarded squirrel. Thanks for taking the time to tell everyone.

dub

3

^lol

Acecool

4

If you don't know the difference between an ATM and an ATM Machine (Automated Teller Machine Machine) or the difference between a PIN and a PIN Number (Personal Identification Number Number) then you should not be writing for others to read!

nulldevice

5

If you can't read for content instead of nitpicking particulars of syntax, then you should not be viewing articles on my Internet.

Rodger

6

Get off my interwebs!

Nobody

7

Sure - call it nitpicking. 'Cause it would be terrible to actually follow the rules of the language. No, no - let's make up new rules. Nobody needs capitalization, punctuation, or correct spelling. They'll all figure it out, anyway.

Really - is it asking people too much to TRY? Especially if you're writing an article you want others to read and enjoy (or use)?

Mrknowitall

8

prittysoonwellberedingcommintsdatlooksumtinglikedis. I think you should keep "nitpicking" .

Comments are now closed.

Latest News Articles

Most Popular Articles

Follow Us

GGG Evaluation Team

Kathy Cassidy

STYLISTIC Q702

First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni

STYLISTIC Q572

For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Steph Mundell

LIFEBOOK UH574

The Fujitsu LifeBook UH574 allowed for great mobility without being obnoxiously heavy or clunky. Its twelve hours of battery life did not disappoint.

Andrew Mitsi

STYLISTIC Q702

The screen was particularly good. It is bright and visible from most angles, however heat is an issue, particularly around the Windows button on the front, and on the back where the battery housing is located.

Simon Harriott

STYLISTIC Q702

My first impression after unboxing the Q702 is that it is a nice looking unit. Styling is somewhat minimalist but very effective. The tablet part, once detached, has a nice weight, and no buttons or switches are located in awkward or intrusive positions.

Resources

Best Deals on GoodGearGuide

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?