ATM Jacking Demoed on the First Day of Black Hat
Astonished, I looked upon Barnaby Jack’s demonstration of “ATM Jacking”. Every script kiddie’s dream come true, having an ATM machine spew forth a pile of money, was being played out by Barnaby Jack on the first day of Black Hat, an annual security conference held by hackers along with representatives of federal agencies and corporations. (Link is to Wikipedia page)
Basically, the attacks work simply enough. Barnaby wrote a program that remotely infects the ATM machine, and with the unauthorized software on the ATM he could approach the machine and either press a secret key combo or swipe a special card, and make the ATM unload all its cash. Of the four ATM brands he tried, Barnaby found all four exploitable. “Four for four,” he said. On the first one he used a simple debugging method to launch Internet Explorer and download his trojan; on another he bought an update license and got the code to send the rootkit as a fake update.
Probably the scariest and most amazing thing is that he wrote his presentation over a year ago, for the last Black Hat conference, but wasn’t allowed to demo his findings. Since last November the ATM manufacturers have stated that they have fixed all the security holes presented, but Barnaby says there are still more he hasn’t disclosed yet. The types of ATMs affected are the smaller ones that run Windows CE, kiosk-style ATM machines like those in gas stations and movie theaters. The larger ones at banks are more secure and do not rely on dial-up modems and public internet lines to connect to their servers.