Bunker-busting ATM attacks show security holes

Jul 29, 2010 By JORDAN ROBERTSON , AP Technology Writer
Barnaby Jack demonstrates an attack on two automated teller machines during the Black Hat technology conference in Las Vegas on Wednesday, July 28, 2010. The attacks demonstrated Wednesday targeted standalone ATMs. But they could potentially be used against the ATMs operated by mainstream banks. (AP Photo/Isaac Brekken)

(AP) -- A hacker has discovered a way to force ATMs to disgorge their cash by hijacking the computers inside them.

The attacks demonstrated Wednesday targeted standalone ATMs. But they could potentially be used against the ATMs operated by mainstream banks.

Criminals have long known that ATMs aren't tamperproof.

There are many types of attacks in use today, ranging from sophisticated to foolhardy: installing fake card readers to steal card numbers, hiding tiny surveillance cameras to capture PIN codes, covering the dispensing slot to intercept money and even hauling the ATMs away with trucks in hopes of cracking them open later.

Barnaby Jack spent two years tinkering in his apartment with ATMs he bought online. These were standalone machines, the type seen in front of convenience stores, rather than the ones in bank branches.

His goal was to find ways to take control of ATMs by exploiting weaknesses in the computers that run the machines.

He showed off his results here at the Black Hat conference, an annual gathering devoted to exposing the latest computer-security vulnerabilities.

His attacks have wide implications because they affect multiple types of ATMs and exploit weaknesses in software and security measures that are used throughout the industry.

His talk was one of the conference's most widely anticipated, as it had been pulled a year ago over concerns that fixes for the ATMs wouldn't be in place in time. He used the extra year to craft more dangerous attacks.

Jack, who works as director of security research for Seattle-based IOActive Inc., showed in a theatrical demonstration two ways he can get ATMs to spit out money:

- Jack found that the physical keys that came with his machines were the same for all ATMs of that type made by that manufacturer. He figured this out by ordering three ATMs from different manufacturers for a few thousand dollars each. Then he compared the keys he got to pictures of other keys, found on the Internet.

He used his key to unlock a compartment in the ATM that had standard USB slots. He then inserted a program he had written into one of them, commanding the ATM to dump its vaults.

- Jack also hacked into ATMs by exploiting weaknesses in the way ATM makers communicate with the machines over the Internet. Jack said the problem is that outsiders are permitted to bypass the need for a password. He didn't go into much more detail because he said the goal of his talk "isn't to teach everybody how to hack ATMs. It's to raise the issue and have ATM manufacturers be proactive about implementing fixes."

The remote style of attack is more dangerous because an attacker doesn't need to open up the ATMs.

It allows an attacker to gain full control of the ATMs. Besides ordering it to spit out money, attackers can silently harvest account data from anyone who uses the machines. It also affects more than just the standalone ATMs vulnerable to the physical attack; the method could potentially be used against the kinds of ATMs used by mainstream banks.

Jack said he didn't think he'd be able to break the ATMs when he first started probing them.

"My reaction was, 'this is the game-over vulnerability right here,'" he said of the remote hack. "Every ATM I've looked at, I've been able to find a flaw in. It's a scary thing."

Kurt Baumgartner, a senior security researcher with antivirus software maker Kaspersky Lab, called the demonstration a "thrill" to watch and said it is important to improving the security of machines that can each hold tens of thousands of dollars in cash. However, he said he doesn't think it will result in widespread attacks because banks don't use the standalone systems and Jack didn't release his attack code.

Jack wouldn't identify the ATM makers. He put stickers over the ATM makers' names on the two machines used in his demonstration. But the audience, which burst into applause when he made the machines spit out money, could see from the screen prompts on the ATM that one of the machines was made by Tranax Technologies Inc., based in Hayward, Calif. Tranax did not immediately respond to e-mail messages from The Associated Press.

Triton Systems, of Long Beach, Miss., confirmed that one of its ATMs was used in the demonstration. It said Jack alerted the company to the problems and that Triton now has a software update in place that prevents unauthorized software from running on its ATMs.

Bob Douglas, Triton's vice president of engineering, said customers can buy ATMs with unique keys but generally don't, preferring to have a master key for cost and convenience.

"Imagine if you have an estate of several thousand ATMs and you want to access 20 or so of them in one day," he wrote in an e-mail to the AP. "It would be a logistical nightmare to have all the right keys at just the right place at just the right time."

Other manufacturers contacted by the AP also did not immediately respond to messages.

Jack said the manufacturers whose machines he studied are deploying software fixes for both vulnerabilities, but added that the prevalence of remote-management software broadly opens up ATMs to attacks.

Explore further: Privacy groups take 2nd hit on license plate data

5 /5 (6 votes)
add to favorites email to friend print save as pdf

Related Stories

2010 tech bug hits German credit cards

Jan 04, 2010

Many Germans have been hit by a computer bug linked to the year 2010 that has rendered their credit cards useless, the ZKA banking commission said on Monday.

Indictment of card hacker unlikely to end thefts

Aug 18, 2009

(AP) -- This week's indictment of a hacker believed responsible for the biggest retail-store data breaches in U.S. history doesn't necessarily make shoppers safer from having their credit card numbers plundered.

Recommended for you

Privacy groups take 2nd hit on license plate data

Sep 19, 2014

A California judge's ruling against a tech entrepreneur seeking access to records kept secret in government databases detailing the comings and goings of millions of cars in the San Diego area via license plate scans was ...

Scots' inventions are fuel for independence debate

Sep 17, 2014

What has Scotland ever done for us? Plenty, it turns out. The land that gave the world haggis and tartan has produced so much more, from golf and television to Dolly the Sheep and "Grand Theft Auto."

White House backs use of body cameras by police

Sep 16, 2014

Requiring police officers to wear body cameras is one potential solution for bridging deep mistrust between law enforcement and the public, the White House said, weighing in on a national debate sparked by the shooting of ...

Chinese city creates cellphone sidewalk lane

Sep 15, 2014

Taking a cue from an American TV program, the Chinese city of Chongqing has created a smartphone sidewalk lane, offering a path for those too engrossed in messaging and tweeting to watch where they're going.

Coroner: Bitcoin exchange CEO committed suicide

Sep 15, 2014

A Singapore Coroner's Court has found that the American CEO of a virtual currency exchange committed suicide earlier this year in Singapore because of work and personal issues.

User comments : 2

Adjust slider to filter visible comments by rank

Display comments: newest first

FredJose
not rated yet Jul 29, 2010
I hope he remains resistant to the idea of going into the business of hacking atms and banks....
So far so good.
frajo
not rated yet Jul 30, 2010
His attacks have wide implications because they affect multiple types of ATMs and exploit weaknesses in software and security measures that are used throughout the industry.
And, as always, no mention of the operating system. And no mention of the fact that news of this kind weren't heard of in the days when ATMs didn't yet run on Windows.