ATM makers patch Black Hat cash-dispensing flaw

Two automated teller machine (ATM) manufacturers have shipped patches to block the cash-dispensing attack demonstrated by researcher Barnaby Jack at this year's Black Hat conference.

Hantle (formerly Tranax) and Triton released separate bulletins to address the issue, which lets a remote hacker overwrite the machine’s internal operating system, take complete control of the ATM and send commands for it to spew cash on demand.

follow Ryan Naraine on twitter
At the Black Hat conference, Jack demonstrated two different attacks against Windows CE-based ATMs -- a physical attack using a master key purchased on the Web and a USB stick to overwrite the machine’s firmware; and a remote attack that exploited a flaw in the way ATMs authenticate firmware upgrades.

The patches apply to the following machines:

  • Any Triton ATM machine with X2 platform purchased before November 16, 2009
  • Any Triton ATM machine with X Scale platform
  • Hantle 1700W ATM machines with application version V02.01.12 or earlier
  • Hantle C4000 ATM machines with application version V02.01.12 or earlier
  • Hantle 4000T ATM machines with application version V02.01.12 or earlier