ATM hacker hits jackpot in Vegas
There have likely been numerous cases of people scamming machines in Las Vegas so that they pay out money. But it’s certainly rare for them to do so in front of an invited audience.
That’s what Barnaby Jack of IOActive did yesterday in one of the more spectacular demonstrations of a security flaw ever seen at the annual Black Hat conference. Rather than simply tell the audience how an ATM could be hacked, he showed them: complete with the machine dispensing a wad of cash.
The bad news for those hoping to get rich quick is that Jack had previously informed the manufacturers of the relevant machines and made sure they were patched before his demonstration. He canceled a similar talk last year as patches weren’t in place.
It could be argued that Jack was entitled to at least take a few Benjamins to make back his expenses on the research: he bought two ATMs online and spent years examining them. Both the scams he demonstrated worked only on standalone ATMs such as those found in retail stores, rather than the machines built-in to banks.
While most scammers attempt to breach physical security on ATMs, Jack concentrated on the code which runs them, in many cases based on Windows CE. He was able to interrupt the machines’ boot process and extract the relevant code through Internet Explorer.
The first exploit, on a Tranax-made ATM, simply involved breaching the phone line connection to the phone and remotely forcing it to dispense cash. The second, on a Triton-built model, involved buying a $10 physical key to open up the machine, then inserting a USB stick with the relevant malware.
Amazingly Jack says a WarGames-style technique can still aid would-be ATM hackers: simply dialing every possible phone number in sequence can uncover which lines lead to ATMs that might be vulnerable to attacks.
Related Posts:
