Security researcher Barnaby Jack on Wednesday showed how easy it can be to trigger a waterfall of cash from a standard bank ATM using readily available software applications.
Here on the first day of the Black Hat conference, Barnaby Jack of IOActive demonstrated attacks that would let a criminal compromise ATMs to steal cash, copy customers’ ATM card data, or learn the master passwords of the machines. While one of the attacks required a few seconds to open the ATM and insert a USB drive with code to overwrite the system, the other attack used a remote management feature commonly found on standalone ATMs.
The demonstration was greeted with hoots and applause. In one of the attacks, Jack reprogrammed the ATM remotely over a network, without touching the machine; the second attack required him to open the front panel and plug in a USB stick loaded with malware. He did so using a common universal key and a USB stick that loaded a rootkit, along with another program to take over the ATMs. Jack claims to have hacked at least four different ATMs, a couple of which have since been patched.
To conduct the remote hack, an attacker would need to know an ATM’s IP address or phone number. Jack said he believes about 95 percent of retail ATMs are on dial-up; a hacker could war dial for ATMs connected to telephone modems, and identify them by the cash machine’s proprietary protocol. The Triton attack was made possible by a security flaw that allowed unauthorized programs to execute on the system. The company distributed a patch last November so that only digitally signed code can run on the machines.