Black Hat Conference Demonstration Reveals ATM Security Risk

Updated Niki_Fears 0 Tallied Votes 1K Views Share

At the Black Hat conference in Las Vegas, Barnaby Jack gave a demonstration of how he learned to crack the security of various stand alone ATM's. While they have long been at risk for physical theft (someone stealing or physically breaking into the internal safe of the ATM itself), this is a rather easy security matter; however, as the demonstration showed, securing the ATM's from enterprising hackers may not have been a big enough of a concern for some ATM companies.

Jack, who works for IOActive as the Director of Security Research, bought two stand alone ATM machines and began to work on their coding in search of any possible vulnerabilities. The two ATM machines were manufactured by two different companies, one from Triton , the other from Tranax Technologies. During his examination of the coding for both ATMs, Jack came across several errors and security weaknesses that allowed him to eventually gain full access to the machines and to make his way into each of the safes.

Jack wrote multiple programs to exploit some of the machines' weaknesses including one that allows him to gain remote entry without the need of a password, which he calls Dillinger, and a second program, Scrooge, that relies on a backdoor entry with the ability to conceal itself from the machine's main operating system. In the case of Triton's ATMs, Jack found the motherboard of the machine was sorely lacking in physical security, and once he had gained access to it he was easily able to use a similar back door technique then simply trick the machine into thinking that the hack was actually a legitimate update.

So far Jack has attempted to hack four different ATM's and, as he demonstrated at the conference, he has found that the same “game over vulnerability” has enabled him to crack every one of them. After learning of the security risk, Jack notified both Tranax Technologies and Triton around a year ago. They have since issued security patches to take care of the problems; however, if these security fixes are not actually put into place by the owners of the ATM's, then many of them could still be at risk. It is also likely that similar ATM's from other manufacturers could also have the same security flaws that would make them vulnerable as well.

It is also important to note that this vulnerability is with the type of stand alone ATM's that you find at convenience stores and shopping malls; it is yet unknown whether or not built in ATM's like those at banks and credit unions would also suffer from the same security risk as Jack applied to the stand alone machines.

While finding the vulnerabilities of each of the machines was certainly not amateur work, the programs that Jack developed to exploit those weaknesses are simple enough that anyone could use them; however, he of course has no plans on releasing them, much to the dismay of would be criminals looking for a quick fix.