Hacker breaks into ATMs, dispenses cash remotely

Written by Ryan Naraine on

LAS VEGAS --  Using home-brewed software tools and exploiting a gaping security hole in the authentication mechanism used to update the firmware on automated teller machines (ATMs), a security researcher hacked into ATMs made by Triton and Tranax and planted a rootkit that dispensed cash on demand.

Barnaby Jack, Director of Research at IOActive Labs, used a laptop with a custom-built software tool called "Dillinger" (named after the famous bank robber) to overwrite the machine's internal operating system, take complete control of the ATM and send commands for it to spew cash on demand.

At the Black Hat security conference here, Jack demonstrated two different attacks against Windows CE-based ATMs -- a physical attack using a master key purchased on the Web and a USB stick to overwrite the machine's firmware; and a remote attack that exploited a flaw in the way ATMs authenticate firmware upgrades.

He did not provide any technical details that would allow anyone to reproduce the attack techniques but suggested that a skilled hacker could exploit these weaknesses if ATM manufacturers continue to create software with gaping security holes.

Although the attacks were demonstrated against ATMs made by Tranax and Triton, Jack warned that his attacks could have been performed against a wide variety of ATM brands and called on the financial services sector to invest in code reviews, blackbox audits and penetration tests.

"There are attack vectors in all these standalone or hole-in-the-wall ATMs," Jack warned, noting that many ATMs are protected by a master key that can be bought for $10.78 on hundreds of web sites. "With this master key, I can walk up to a secluded ATM and have access to USB [and] SD/CF slots. In some cases, opening and inserting my USB key was faster than installing a skimmer," he said.

The most impressive attack, which used the "Dillinger" remote ATM attack/admin tool, was done via a laptop connected to the ATM. It launched an exploit against an authentication bypass vulnerability in the ATM's remote monitoring feature (this is enabled by default on all ATMs) and allowed the hacker to retrieve ATM settings, master passwords, receipt data and the location and name of the business hosting the ATM.

The Dillinger tool came with a graphical UI that included features to "Retrieve Track Data," or simply "Jackpot!". A click of the Jackpot button and the commandeered ATM started spewing cash on demand.

"If someone inserts a card on that machine, I can capture and save the track data remotely," Jack said, explaining that his rootkit runs on a device hidden in the background. The rootkit even sets up a hidden pop-up menu that can be activated by a special key sequence. The menu functions included instructions to "dispense cash from each cassette," "print stats on remaining bill counts," and "Exit!"

After his talk, Jack suggested that ATM makers offer upgrade options on physical locks or a unique key for each ATM. He also recommended the use of executable signing at kernel level to block his attack vector.

To mitigate remote attacks, Jack said ATM manufacturers should disable the on-by-default remote monitoring feature on the machines.
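To make the executable-signing recommendation concrete, here is an added illustration (not code from Jack's talk, IOActive, Triton or Tranax) of the difference between an update path that installs whatever firmware image it is handed and one that installs only images carrying a valid vendor signature. The Ed25519 scheme, the `FirmwareImage` layout and all function names are assumptions chosen for this example; the images themselves are constructed sample bytes.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// FirmwareImage is a constructed stand-in for an ATM firmware update package:
// the raw image bytes plus a detached signature made with the vendor's signing
// key. The field names are assumptions for this example.
type FirmwareImage struct {
	Payload   []byte
	Signature []byte
}

// ErrUnsigned is returned when an image has no valid vendor signature.
var ErrUnsigned = errors.New("firmware rejected: missing or invalid vendor signature")

// newVendorKeypair generates the vendor's Ed25519 signing keypair. In practice
// the private key lives on the vendor's build system, never on the ATM, and only
// the public key is baked into the machine's firmware loader.
func newVendorKeypair() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // entropy failure; there is no safe way to continue
	}
	return pub, priv
}

// signFirmware is the vendor side of the scheme: it signs the SHA-256 digest of
// the image, so the signed message is fixed-size regardless of firmware size.
func signFirmware(vendorPriv ed25519.PrivateKey, payload []byte) FirmwareImage {
	digest := sha256.Sum256(payload)
	return FirmwareImage{Payload: payload, Signature: ed25519.Sign(vendorPriv, digest[:])}
}

// acceptUpdateUnchecked models the weakness the article describes: the loader
// installs any image it is given, so whoever reaches the USB slot or the remote
// interface can replace the machine's software.
func acceptUpdateUnchecked(img FirmwareImage) ([]byte, error) {
	return img.Payload, nil
}

// acceptUpdateSigned is the hardened loader: an image is installed only if its
// signature verifies against the vendor public key. An attacker without the
// private key cannot produce a signature for their own image, and any change
// to a signed image breaks the digest and therefore the signature.
func acceptUpdateSigned(vendorPub ed25519.PublicKey, img FirmwareImage) ([]byte, error) {
	digest := sha256.Sum256(img.Payload)
	if len(img.Signature) != ed25519.SignatureSize ||
		!ed25519.Verify(vendorPub, digest[:], img.Signature) {
		return nil, ErrUnsigned
	}
	return img.Payload, nil
}

// tamper returns a copy of the image with its first payload byte flipped,
// standing in for a rootkit patched into an otherwise genuine image.
func tamper(img FirmwareImage) FirmwareImage {
	payload := append([]byte{}, img.Payload...)
	payload[0] ^= 0xff
	return FirmwareImage{Payload: payload, Signature: img.Signature}
}

func main() {
	vendorPub, vendorPriv := newVendorKeypair()

	genuine := signFirmware(vendorPriv, []byte("constructed vendor firmware v1.2"))
	rogue := FirmwareImage{Payload: []byte("constructed attacker image"), Signature: nil}

	for _, tc := range []struct {
		name string
		img  FirmwareImage
	}{{"genuine", genuine}, {"rogue", rogue}, {"tampered", tamper(genuine)}} {
		_, uncheckedErr := acceptUpdateUnchecked(tc.img)
		_, signedErr := acceptUpdateSigned(vendorPub, tc.img)
		fmt.Printf("%-9s unchecked loader: err=%v | signed loader: err=%v\n",
			tc.name, uncheckedErr, signedErr)
	}
}
```

Running the program shows the unchecked loader accepting all three images while the signed loader accepts only the genuine one; the signature check must be enforced by the kernel-level loader itself, since a check that runs from the same writable storage the attacker overwrites can simply be removed along with the rest of the firmware.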
