LAS VEGAS A hacker has discovered a way to force ATMs to disgorge their cash by hijacking the computers inside them.
The attacks demonstrated Wednesday targeted stand-alone ATMs. But they potentially could be used against the ATMs operated by mainstream banks.
Criminals long have known that ATMs arent tamperproof.
There are many types of attacks in use today, ranging from sophisticated to foolhardy: installing fake card readers to steal card numbers, hiding tiny surveillance cameras to capture PIN codes, covering the dispensing slot to intercept money and even trying to haul the ATMs away with trucks and trying to crack them open later.
Computer hacker Barnaby Jack spent two years tinkering in his Silicon Valley apartment with ATMs he bought online. These were stand-alone machines, the type seen in front of convenience stores, rather than the ones in bank branches.
His goal was to find ways to take control of ATMs by exploiting weaknesses in the computers that run the machines.
He showed off his results here at the Black Hat conference, an annual gathering devoted to exposing the latest computer-security vulnerabilities.
His attacks have wide implications because they affect multiple types of ATMs and exploit weaknesses in software and security measures that are used throughout the industry. His talk was one of the conferences most widely anticipated, as it had been pulled a year ago over concerns that fixes for the ATMs wouldnt be in place in time. He used the extra year to craft more dangerous attacks.
Jack, who works as director of security research for Seattle-based IOActive Inc., showed in a theatrical demonstration two ways he can get ATMs to spit out money:
b He found that the physical keys that came with his machines were the same for all ATMs of that type made by that manufacturer. He figured this out by ordering three ATMs from different manufacturers for a few thousand dollars each. Then he compared the keys he got to pictures of other keys, found on the Internet.
He used his key to unlock a compartment in the ATM that had standard USB slots. He inserted a program he had written into one of them, commanding the ATM to dump its vaults.
b He hacked into the machines by exploiting weaknesses in the way ATM makers communicate with the machines over the Internet. Jack said the problem is that outsiders are permitted to bypass the need for a password. He didnt go into much more detail because he said the goal of his talk isnt to teach everybody how to hack ATMs. Its to raise the issue and have ATM manufacturers be proactive about implementing fixes.
The remote style of attack is more dangerous because an attacker doesnt need to open up the ATMs.
It allows an attacker to gain full control of the ATMs and not only order it to spit out money, but also to silently harvest card data from anyone who uses the machines. It also affects more than just the stand-alone ATMs vulnerable to the physical attack, and potentially could be used against the kinds of ATMs used by mainstream banks.
Jack said he didnt think hed be able to break the ATMs when he first started probing them.
My reaction was, this is the game-over vulnerability right here, he said of the remote hack. Every ATM Ive looked at, Ive been able to find a flaw in. Its a scary thing.
Jack wouldnt identify the ATM makers. He put stickers over the ATM makers names on the two machines used in his demonstration. But the audience, which burst into applause when he made the machines spit out money, could see from the screen prompts on the ATM that one of the machines was made by Tranax Technologies Inc., based in Hayward, Calif. Tranax did not immediately respond to e-mail messages from the AP.
Jack said the manufacturers whose machines he studied are deploying software fixes for both vulnerabilities, but added that the prevalence of remote-management software broadly opens up ATMs to hacker attacks.