Hacker breaks into ATMs, dispenses cash remotely

LAS VEGAS --  Using home-brewed software tools and exploiting a gaping security hole in the authentication mechanism used to update the firmware on automated teller machines (ATMs), a security researcher hacked into ATMs made by Triton and Tranax and planted a rootkit that dispensed cash on demand.

Barnaby Jack, Director of Research at IOActive Labs, used a laptop with a custom-built software tool called "Dillinger" (named after the famous bank robber) to overwrite the machine's internal operating system, take complete control of the ATM and send commands for it to spew cash on demand.

At the Black Hat security conference here, Jack demonstrated two different attacks against Windows CE-based ATMs -- a physical attack using a master key purchased on the Web and a USB stick to overwrite the machine's firmware; and a remote attack that exploited a flaw in the way ATMs authenticate firmware upgrades.

He did not provide any technical details that would allow anyone to reproduce the attack techniques but suggested that a skilled hacker could exploit these weaknesses if ATM manufacturers continue to create software with gaping security holes.

Although the attacks were demonstrated against ATMs made by Tranax and Triton, Jack warned that his attacks could have been performed against a wide variety of ATM brands and called on the financial services sector to invest in code reviews, blackbox audits and penetration tests.

"There are attack vectors in all these standalone or hole-in-the-wall ATMs," Jack warned, noting that many ATMs are protected by a master key that can be bought for $10.78 on hundreds of web sites.  "With this master key, I can walk up to a secluded ATM and have access to USB [and] SD/CF slots.  In some cases, opening and inserting my USB key was faster than installing a skimmer," he said.

The most impressive attack, which used the "Dillinger" remote ATM attack/admin tool, was done via a laptop connected to the ATM. It launched an exploit against an authentication bypass vulnerability in the ATM's remote monitoring feature (this is enabled by default on all ATMs) and allowed the hacker to retrieve ATM settings, master passwords, receipt data and the location and name of the business hosting the ATM.

The Dillinger tool came with a graphical UI that included features to "Retrieve Track Data," or simply "Jackpot!".   A click of the Jackpot button and the commandeered ATM started spewing cash on demand.

"If someone inserts a card on that machine, I can capture and save the track data remotely," Jack said, explaining that his rootkit runs on a device hidden in the background.   The rootkit even sets up a hidden pop-up menu that can be activated by special key sequence.   The menu functions included instructions to "dispense cash from each cassette," "print stats on remaining bill counts," and "Exit!"

After his talk, Jack suggested that ATM makers offer upgrade options on physical locks or a unique key for each ATM. He also recommended the use of executable signing at kernel level to block his attack vector.

To mitigate remote attacks, Jack said ATM manufacturers should disable the on-by-default remote monitoring feature on the machines.
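As an added defender-side illustration of the executable-signing control Jack recommends (this is example code, not anything from the talk or from Triton or Tranax): a firmware updater that writes an image to flash only when its hash verifies under the vendor's public key, so a USB stick or a remote session carrying an unsigned or altered image is refused. The key is a constructed toy (textbook RSA over two Mersenne primes, no padding) chosen so the numbers are reproducible; a real updater uses a vetted library with RSA-PSS or Ed25519 and keeps the verifying key somewhere the update path itself cannot overwrite.

```python
import hashlib

# Constructed toy signing key for the example: two Mersenne primes so the
# arithmetic is reproducible. Textbook RSA without padding is NOT production
# grade; a real updater uses a vetted library (RSA-PSS, Ed25519).
P = (1 << 127) - 1
Q = (1 << 107) - 1
N = P * Q                          # public modulus (~234 bits), baked into the ATM image
E = 65537                          # public exponent, also shipped with the ATM
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent, lives only on the vendor signing host
SIG_LEN = 30                       # bytes needed to hold any value below N


def digest_int(image: bytes) -> int:
    """Hash-then-sign: SHA-224 keeps the digest below the toy modulus."""
    return int.from_bytes(hashlib.sha224(image).digest(), "big")


def vendor_sign(image: bytes) -> bytes:
    """Vendor side: signature = H(image)^D mod N, fixed-width encoded."""
    return pow(digest_int(image), D, N).to_bytes(SIG_LEN, "big")


def verify_update(image: bytes, sig: bytes) -> bool:
    """ATM side: holds only (E, N); accepts iff sig^E mod N == H(image)."""
    if len(sig) != SIG_LEN:
        return False
    s = int.from_bytes(sig, "big")
    if not 0 < s < N:
        return False
    return pow(s, E, N) == digest_int(image)


def apply_update(flash: bytearray, image: bytes, sig: bytes) -> bool:
    """Signature-gated firmware write: an image that fails to verify never reaches flash."""
    if not verify_update(image, sig):
        return False          # refuse and leave the current firmware untouched
    flash[:] = image
    return True


if __name__ == "__main__":
    firmware = b"ATM-FW v2.1 (constructed sample image)"
    flash = bytearray(b"ATM-FW v2.0")
    good_sig = vendor_sign(firmware)
    assert apply_update(flash, firmware, good_sig)
    assert not apply_update(flash, firmware + b"\x00", good_sig)  # tampered image
    assert not apply_update(flash, firmware, bytes(SIG_LEN))      # forged/blank signature
    print("update accepted only with the vendor's signature")
```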

Talkback

48 comments
  • Nice article

    I know the anti-windows zealots will start mouthing off, but it really sounds like these machines have poorly designed software features.

    Regardless of the OS, one would expect that the motherboard was physically secured, and that a technician would require a hardware key of some kind to anything resembling a "firmware upgrade".

    This just sounds like pure stupidity.
    croberts
    • I don't think the boxes run windows

      Pretty sure they don't. I've seen a couple boot up after a power-loss before, and the OS that came up was something other than a MS product. I can believe that some vendors *may* be using windows, but I can't conceive why? Between license costs, the purpose of the boxes, and everything else around them, I think that would be way overkill. @croberts
      rock06r
      • The majority used to run OS/2, I believe.

        @rock06r
        Back 10 or more years ago I believe just about all the bank's ATMs ran on IBM's OS/2. There was a lot of discussion on the OS/2 boards when the machines started switching to variants of Windows. I suspect some banks are still using OS/2, and that may have been what you saw. If you knew what to look for during the boot up you would be able to tell for sure.
        snberk341
      • RE: Hacker breaks into ATMs, dispenses cash remotely

        @rock06r Did you even read the article before commenting? The BIG CLUE is here: "At the Black Hat security conference here, Jack demonstrated two different attacks against Windows CE-based ATMs"

        Thank you for attending Windows Defence 101. You scored 100 points for making a pro Microsoft point. You scored -100 points for that being inaccurate, and -100 points for not reading the article.

        Please return to your grade school with a lawsuit or a gun - the choice is yours!
        Graham Ellison
      • RE: Hacker breaks into ATMs, dispenses cash remotely

        @rock06r
        Some definitely run windows, about a month back my local banks' atm crashed - it was displaying the default WindowsXP screen saver.
        AndyPagin
    • RE: Hacker breaks into ATMs, dispenses cash remotely

      @croberts
      The Banking industry as a whole is all about being cheap. Unless you do all your banking at the main branch where 5 guards, 30 cameras and bullet proof everything reeks of security.

      I agree that the OS issue is a moot point. If they aren't password protecting the Add/Remove Hardware feature then the OS is the least of their worries. The OS in the article has one feature that I have found that would maybe make it give out cash. Hiding your cash in the CD-ROM and when you need it you tell it to eject.
      The hardware itself is the main weak spot here. Key locks to secure them are also a break point. The old days when there would be a theft of the entire ATM and when they reported on the news that the money was recovered 2 weeks later when they found the ATM still intact because the robbers couldn't break into it was hogwash. They were just discouraging the next smash and grab guy from trying it.

      This way of robbing the ATM is better for the banks now that they won't have to replace one that had a chain wrapped around it and dragged 5 miles and then had a cutting torch used on it.
      dbisse@...
    • RE: Hacker breaks into ATMs, dispenses cash remotely

      @croberts
      You are absolutely correct! Why do these machines have USB and SD slots that are accessible by the general public? Why do they have them at all? I sometimes think the smarter we get the dumber we become.
      eargasm
      • They're not.... hence the key.

        @windozefreak
        The key gains access to some of the innards and is where the chap is doing his dirty work. It should be noted that ALL ATMs are protected by alarm systems and this would be noticed. At the very least this should flag somewhere. The cash is in a safe and the dispensing bits will be protected too so don't all think it's an open door.

        The really scary thing is the way this opens up rural, store based remotes to dodgy criminal entrepreneurs. Not a risk for users but definitely a big risk for banks.
        johnmckay
  • RE: Hacker breaks into ATMs, dispenses cash remotely

    They even got physical ATMs there, how did they get them? If you have thousands of dollars for your research I can come up with a dozen similar things. And so what, in the end anything that was designed can be reversed. What's the big deal, besides the motive of those security researchers to get more grants or leads because they showed us a trick in a casino. Let's say I kick your car to prove my point. You could have guessed the bumper would fall off. See how ridiculous this whole thing is?
    JoeHo
    • RE: Hacker breaks into ATMs, dispenses cash remotely

      @JoeHo So your carefully thought out point is that we should leave ATM security unnecessarily wide open and deny funding to researchers?
      Did you come to that decision while cleaning out my toilet?
      Steve__Jobs
    • RE: Hacker breaks into ATMs, dispenses cash remotely

      @JoeHo
      I read another article on this and they got those ATM machines the same way they got the master keys to get at the USB and SD slots inside the machine.
      Anyone can go online and purchase one of those machines and the master keys with very little questioning!
      The OS on the ATM machines is irrelevant and not what is making them vulnerable. Even if they had a Linux or Mac OS, the fact that you can physically access the computer part of the ATM, which basically has no software security, for the cheap price of a master key that would pay for itself more than a 1000 times over at the first ATM you hit is the vulnerability. It's like being able to buy a bank front door key online so you could walk into the bank that has no alarm system installed and then find sitting on the manager's desk a piece of paper with the combination to the bank vault!
      NZJester
  • RE: Hacker breaks into ATMs, dispenses cash remotely

    Nice article.

    Safety Note: Don't use stand-alone ATMs.
    rhonin
    • I haven't used a non-bank ATM for years.

      @zenwalker
      Anyone can buy an ATM machine and start their own cash dispensing business. This includes organized crime groups who want to launder money, or organized crime groups who want to skim the data off all the cards used in a machine for a month before raiding the bank accounts.

      You don't need to add a card skimmer to the ATM machine if you own the machine.
      snberk341
  • This is not quite as scary as it sounds

    Look at this part of the article:

    "noting that many ATMs are protected by a master key that can be bought for $10.78 on hundreds of web sites. 'With this master key, I can walk up to a secluded ATM and have access to USB [and] SD/CF slots. In some cases, opening and inserting my USB key was faster than installing a skimmer,' he said."

    He's talking about a *default* master password. This is no different than breaking into an admin account on a server if the default password is left unchanged.

    Standard practice requires changing all passwords on ATMs during setup. So unless the people setting up the ATM are criminally negligent this really isn't much of an issue.

    Scary, none the less!

    Triton and Tranax need to hop on this *yesterday*.
    wolf_z
    • RE: Hacker breaks into ATMs, dispenses cash remotely

      @wolf_z - I think he's talking about a physical key to open an access door. Not sure how that relates to default passwords.
      gtvr
      • RE: Hacker breaks into ATMs, dispenses cash remotely

        @gtvr I believe what they did was open up the machine to gain access to the USB ports. Then they installed their software on the machine. They were able to install the software because the machine still had the default password.
        Al_nyc
    • From the article...

      "...a physical attack using a master key purchased on the Web...". This is a physical key to open up the machine in order to access the USB port.
      jasonp@...