
Hacker Makes ATMs Puke Money, Shows How

3:40 PM - July 30, 2010 - By Kevin Parrish - Source : Tom's Guide US

A hacker demonstrated to Black Hat attendees two ways to force an ATM to puke its load of money.

During the annual Black Hat conference in Las Vegas, computer hacker Barnaby Jack demonstrated how a hacker could trick an ATM machine into coughing up its full load of money.

Apparently the technique took two full years to perfect, and mainly works on stand-alone ATM machines found at convenience stores. Jack chose to go public with his findings so that ATM manufacturers would take notice of the exploit and plug the holes.

Although criminals have long known that ATM machines aren't tamper-proof, previously they gained access by installing fake card readers to steal card numbers, installing tiny cameras to capture PIN numbers and other methods.

However, Jack's method takes a different approach by attacking the computer within the machine. What makes this somewhat easy is that, as he discovered after purchasing ATM machines online, manufacturers tend to use the same key across all models. He was able to gain access to the computers and download his program via standard USB slots.

But the demonstration didn't stop there. He also showed a second, more dangerous form of attack: hacking remotely. With this procedure, a hacker wouldn't need to break into the ATM cabinet.

"He hacked into the machines by exploiting weaknesses in the way ATM makers communicate with the machines over the Internet," the Associated Press reported from the event. "Jack said the problem is that outsiders are permitted to bypass the need for a password. He didn't go into much more detail because he said the goal of his talk 'isn't to teach everybody how to hack ATMs.'"

The remote hack allowed him to gain full control of the ATM--including the ability to harvest card data from anyone using the machine. It also wasn't limited to stand-alone convenience store machines as seen with his previous demonstration, opening the door to hacks against various ATMs used by mainstream banks.

"Every ATM I've looked at, I've been able to find a flaw in," he said. "It's a scary thing."


Comments

jonpaul37 07/30/2010 9:49 PM
-15+

Job Security for some, not so much for others...

ecnovaec 07/30/2010 9:49 PM
-20+

this is why I always wear my foil hat when I use the ATM :)

cbrownx88 07/30/2010 9:50 PM
-16+

Can we be friends?

joebob2000 07/30/2010 9:52 PM
-2+

Isn't this obvious, like saying "there is no such thing as a safecracker-proof vault"? As ATMs become more computerized they are naturally going to be more bug-prone and finding those weaknesses is only a matter of time. The only thing stopping the banks from losing all their money is the deterrents they put in place like locks, security cameras, network monitors, etc. to make it hard to steal and get away with it.

Stealing will always be possible, though. There is no getting around it.

Strider-Hiryu_79 07/30/2010 9:53 PM
-2+

They make debit cards more secure and difficult to copy by combining MICR technology with chip/circuit technology. Yet the backdoor is left wide open. :(

Enzo Matrix 07/30/2010 9:53 PM
-20+

Quote: He was able to gain access to the computers and download his program via standard USB slots.

You mean upload, right? :P

assmar 07/30/2010 9:56 PM
-2+

One more reason to go to your bank's ATMs, on top of saving fifty cents.

It's not so much a duh moment, of course stealing will always be possible, but that doesn't mean these people should be so lazy about security that they facilitate such theft.

rambo117 07/30/2010 10:03 PM
-9+

Can't they just encrypt the damned data? Doesn't seem too difficult to protect such data, geez.

Andriko_08 07/30/2010 10:04 PM
-0+

Uhh, no, he meant make the ATM WANT to download his program, cause an ATM would never want it if it's being uploaded. It takes the program and downloads it by itself using some method I don't know of. Basically, it tricks the ATM into downloading the program; if you try to upload it, it's like force-feeding a toddler broccoli.

Strider-Hiryu_79 07/30/2010 10:07 PM
-2+

assmar :
One more reason to go to your bank's ATMs, on top of saving fifty cents. It's not so much a duh moment, of course stealing will always be possible, but that doesn't mean these people should be so lazy about security that they facilitate such theft.

I agree, I only use my bank's ATMs as much as possible. But the article states:

Quote: It also wasn't limited to stand-alone convenience store machines as seen with his previous demonstration, opening the door to hacks against various ATMs used by mainstream banks.

So major bank ATMs are also susceptible to this problem.

Marco925 07/30/2010 10:18 PM
-6+

I usually just deal with the people.

matt221177 07/30/2010 10:18 PM
-20+

Since when did Apple start making ATMs?

PostmanPat 07/30/2010 10:26 PM
-2+

It's a combination of human imperfection, human nature and human ingenuity. There is no such thing as a perfectly secure system... if a human made it, at some point another human will break it, even if (like in this case) it's just for the challenge of doing it.

borisof007 07/30/2010 10:37 PM
-1+

Hoooly crap that scares me!

1337_b0i 07/30/2010 10:39 PM
-20+

matt221177 :
Since when did Apple start making ATMs?

I think an Apple ATM would steal your card and spit out a piece of paper that said you were holding it wrong.

kooltime 07/30/2010 10:39 PM
-6+

ATMs have "standard USB slots" on them that are accessible to the public?? Never seen an ATM with visible USB slots poking around on 'em.

blurr91 07/30/2010 10:48 PM
-0+

Strider-Hiryu_79 :
They make debit cards more secure and difficult to copy by combining MICR technology with chip/circuit technology. Yet the backdoor is left wide open.

The difference is this method makes the machine puke out money, whereas in the old (more common) methods the crook steals from your account.

Banks should still tighten up security, but for the moment, we have more to worry about from phishing scams and stolen ATM cards.

warmon6 07/30/2010 11:26 PM
-2+

joebob2000 :
"there is no such thing as a safecracker-proof vault"?

Nothing is ever proof. Even waterproof and fireproof items aren't proof. They're just all highly resistant. :P If it's made by a human, another human can figure out a way around it.

brianfulcher15 07/30/2010 11:34 PM
-2+

I bet he only reported this after several tests of putting the wads of cash in his pocket.

maxh2 07/30/2010 11:34 PM
-7+

What's an "ATM machine"? Is that a machine that dispenses ATMs?

drhenks 07/30/2010 11:45 PM
-8+

ATM machine = Automated Teller Machine machine = redundant

NapoleonDK 07/31/2010 12:10 PM
-1+

Or we could just call them AT-Machines. It just seems so much techier, you know?

/Evangelionnerd

assmar 07/31/2010 12:26 PM
-15+

Why don't we mount lasers on them and call them AT-AT Machines?

Davcon 07/31/2010 12:26 PM
-0+

Ha ha! He ATM'd alright!

welshmousepk 07/31/2010 1:16 AM
-1+

assmar :
Why don't we mount lasers on them and call them AT-AT Machines?

This is the most awesome thing I have heard all month. Bravo.

damasvara 07/31/2010 3:43 AM
-0+

Now that's one ability I'd kill to have... lol

mlcloud 07/31/2010 4:16 AM
-0+

Oh no... even Tom's is a target for these spammers now?

d-block 07/31/2010 5:43 AM
-0+

Show me how to do this!

t0r012 07/31/2010 6:04 AM
-2+

I've been out of the ATM business for a few years, but when I left none of the machines had USB ports.
Yes, they all do come from the factory keyed with a "standard" key unless you specify otherwise and pay more. Then you have to have unimpeded access to get into the top of the machine, where it was proprietary PCBs.

Sure, you could pull jumpers and use a laptop to load software, but you have to have pretty intimate knowledge of the machines. And there were many security checks in place in the communications between the individual components, so that if one was not right the rest refused to work with it, and the security was only getting stronger when I left.

Older machines were even worse, when the main boards were old 386s and they were located inside the safe. Sure, the keys to get into the top of the machine were the same, but to do a software change to them you had to get into the safe.

So while on one hand I think it is possible that this guy could hack one, I find it unlikely that the mfgs got that sloppy on their security as to put a USB port with enough access to the rest of the systems into their machines.

Unless it was one of the smaller, lesser-known mfgs. I remember one that just put a whole PC inside (Windows 2k I think), but it was a bit player in the market.

The others I dealt with, Tidel, Triton, Tranax and a small but growing at the time company out of Ohio whose name escapes me at the moment, all were decent as far as security went.

And then there was Diebold, yeah, the voting machine Diebold, but there weren't too many of them in the Mom & Pop stores/nightclubs/bars where the smaller standalone machines were. I don't remember much of their inner workings, but given the weakness in voting machine security, I wouldn't put it past them.

eddieroolz 07/31/2010 6:26 AM
-0+

Damn, this is scary stuff. Watch out if you see a guy on a laptop outside the bank ;)



® 2010 BestofMedia All Rights Reserved.
