Hacker breaks into ATMs, dispenses cash remotely

Summary:Using home-brewed software tools and exploiting a gaping security hole in the authentication mechanism used to update the firmware on automated teller machines (ATMs), a security researcher hacked into ATMs made by Triton and Tranax and planted a rootkit that dispensed cash on demand.

LAS VEGAS --  Using home-brewed software tools and exploiting a gaping security hole in the authentication mechanism used to update the firmware on automated teller machines (ATMs), a security researcher hacked into ATMs made by Triton and Tranax and planted a rootkit that dispensed cash on demand.

Barnaby Jack, Director of Research at IOActive Labs, used a laptop with a custom-built software tool called "Dillinger" (named after the famous bank robber) to overwrite the machine's internal operating system,   take complete control of the ATM and send commands for it to spew cash on demand.

follow Ryan Naraine on twitter

At the Black Hat security conference here, Jack demonstrated two different attacks against Windows CE-based ATMs -- a physical attack using a master key purchased on the Web and a USB stick to overwrite the machine's firmware; and a remote attack that exploited a flaw in the way ATMs authenticate firmware upgrades.

He did not provide any technical details that would allow anyone to reproduce the attack techniques but suggested that a skilled hacker could exploit these weaknesses if ATM manufacturers continue to create software with gaping security holes.

Although the attacks were demonstrated against ATMs made by Tranax and Triton, Jack warned that his attacks could have been performed against a wide variety of ATM brands and called on the financial services sector to invest in code reviews, blackbox audits and penetration tests.

"There are attack vectors in all these standalone or hole-in-the-wall ATMs," Jack warned, noting that many ATMs are protected by a master key that can be bought for $10.78 on hundreds of web sites.  "With this master key, I can walk up to a secluded ATM and have access to USB [and] SD/CF slots.  In some cases, opening and inserting my USB key was faster than installing a skimmer," he said.

The most impressive attack, which used the "Dillinger remote ATM attack/admin tool, was done via a laptop connected to the ATM.  It launched an exploit against an authentication bypass vulnerability in the ATM's remote monitoring feature (this is enabled by default on all ATMs) and allowed the hacker to retrieve ATM settings, master passwords, receipt data and the location and name of the business hosting the ATM.

The Dillinger tool came with a graphical UI that included features to "Retrieve Track Data," or simply "Jackpot!".   A click of the Jackpot button and the commandeered ATM started spewing cash on demand.

"If someone inserts a card on that machine, I can capture and save the track data remotely," Jack said, explaining that his rootkit runs on a device hidden in the background.   The rootkit even sets up a hidden pop-up menu that can be activated by special key sequence.   The menu functions included instructions to "dispense cash from each cassette," "print stats on remaining bill counts," and "Exit!"

After his talk, Jack suggested that TM makers offer upgrade options on physical locks or a unique key for each ATM.  He also recommended the use of executable signing at kernel level to block his attack vector.

To mitigate remote attacks, Jack said ATM manufacturers should disable the on-by-default remote monitoring feature on the machines.

Topics: Networking, Security

About

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues. He is currently security evangelist at Kaspersky Lab, an anti-malware company with operations around the globe. He is taking a leadership role in developing the company's online community initiative around secure content managem... Full Bio

zdnet_core.socialButton.googleLabel Contact Disclosure

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Related Stories

The best of ZDNet, delivered

You have been successfully signed up. To sign up for more newsletters or to manage your account, visit the Newsletter Subscription Center.
Subscription failed.