
Security researcher Barnaby Jack has used the Black Hat briefings to demonstrate an interesting way of getting money out of ATM machines.
Jack, head of research at cybersecurity consultancy IOActive, demoed the attack on two common ATM platforms. With one he unlocked the machine, using standard keys purchased on the internet, and inserted a USB stick which overwrote the ATM’s firmware and caused it to spew fake million dollar bills.
With the second attack he used the remote updating capabilities of the ATM to upload code that not only caused it to empty itself but also took a record of the cards used and their PIN numbers.
“Every ATM I’ve looked at I’ve found a game over vulnerability that allows me to get cash,” he said.
“So far I’ve looked at four and running four for four at the moment.”
Jack bought the machines online to test out his hack before going public. He was due to give his presentation at last year’s Black Hat conference but was stopped after legal action and because a fix for the problem wasn’t available.
Although most ATMs use Windows CE or a cut-down version of XP, Jack didn’t use these systems but instead used a cloned version of the firmware in the machines to carry out the attacks. He said that, using VoIP technology, he could also run the remote attack, since the code was out there to scan 10,000 dial-up numbers for the machines in less than an hour.
“We have developed a defence against the attack and made it available in December,” said Bob Bougles, vice president of engineering for Triton, which manufactures one of the machines used.
“The problem was solved by remote update and we give customers the option of an individual, unpickable lock to their system.”
Firmware updates now require a digital signature before they can be installed on ATM machines, he said.
