Barnaby Jack is at it again.
In a city filled with slot machines spilling jackpots, it was a “jackpotted” ATM machine that got the most attention Wednesday at the Black Hat security conference, when researcher Barnaby Jack demonstrated two suave hacks against automated teller machines that allowed him to program them to spew out dozens of crisp bills.
The demonstration was greeted with hoots and applause.
In one of the attacks, Jack reprogrammed the ATM remotely over a network, without touching the machine; the second attack required he open the front panel and plug in a USB stick loaded with malware.
Jack, director of security research at IOActive Labs, focused his hack research on standalone and hole-in-the-wall ATMs — the kind installed in retail outlets and restaurants. He did not rule out that bank ATMs could have similar vulnerabilities, though he hasn’t yet examined them.
The two systems he hacked on stage were made by Triton and Tranax. The Tranax hack was conducted using an authentication bypass vulnerability that Jack found in the system’s remote monitoring feature, which can be accessed over the Internet or dial-up, depending on how the owner configured the machine.
Tranax’s remote monitoring system is turned on by default, but Jack said the company has since begun advising customers to protect themselves from the attack by disabling the remote system.
To conduct the remote hack, an attacker would need to know an ATM’s Internet IP address or phone number. Jack said he believes about 95 percent of retail ATMs are on dial-up; a hacker could war dial for ATMs connected to telephone modems, and identify them by the cash machine’s proprietary protocol.
The Triton attack was made possible by a security flaw that allowed unauthorized programs to execute on the system. The company distributed a patch last November so that only digitally signed code can run on them.
Both the Triton and Tranax ATMs run on Windows CE.
Using a remote attack tool, dubbed Dillinger, Jack was able to exploit the authentication bypass vulnerability in Tranax’s remote monitoring feature and upload software or overwrite the entire firmware on the system. With that capability, he installed a malicious program he wrote, called Scrooge.
Scrooge lurks on the ATM quietly in the background until someone wakes it up in person. It can be initiated in two ways — either through a touch-sequence entered on the ATM’s keypad or by inserting a special control card. Both methods activate a hidden menu that allows the attacker to spew out money from the machine or print receipts. Scrooge will also capture track data embedded in bank cards inserted into the ATM by other users.
To demonstrate, Jack punched the keys on the typed to call up the menu, then instructed the machine to spit out 50 bills from one of four cassettes. The screen lit up with the word “Jackpot!” as the bills came flying out the front.
To hack the Triton, he used a key to open the machine’s front panel, then connected a USB stick containing his malware. The ATM uses a uniform lock on all of its systems — the kind used on filing cabinets — that can opened with a $10 key available on the web. The same key opens every Triton ATM.
Two Triton representatives said at a press conference after the presentation that its customers preferred a single lock on systems so they could easily manage fleets of machines without requiring numerous keys. But they said Triton offers a lock upgrade kit to customers who request it — the upgraded lock is a Medeco pick-resistant, high-security lock.
. . .
Jack said that so far he’s examined ATMs made by four manufacturers and all of them have vulnerabilities. “Every ATM I’ve looked at allows that ‘game over.’ I’m four for four,” he said at the press conference. He wouldn’t discuss the vulnerabilities in the two ATMs not attacked on Wednesday because he said his previous employer, Juniper Networks, owns that research.
Jack said his aim in demonstrating the hacks is to get people to look more closely at the security of systems that are presumed to be locked down and impenetrable.
Bunker-busting ATM attacks show security holes
Hacker breaks into ATMs, dispenses cash remotely
Security researcher demonstrates ATM hacking
Black Hat: Hacker Tricks ATMs Into Raining Cash
Researcher shows how to hack ATMs with “Dillinger” tool
Armed with exploits, ATM hacker hits the jackpot
Powered By Microsoft Windows
All your ATMs are belong to Barnaby Jack!
/I’ll bet Barnaby is really well paid and gets plenty of job offers from the Black Hats as well as the White Hats
Filed under: Blog Entry | Tagged: ATM, Attacker, Authentication Bypass Vulnerability, Automated Teller Machine, Bank Cards, Barnaby Jack, Black Hat Conference, Black Hats, Cassettes, Demonstration, Dial-Up, Digitally Signed Code, Dillinger, Director Of Security Research, Firmware, Game Over, Hack Research, Hidden Menu, High-Security, Hole-In-The-Wall ATM, Impenetrable, Internet, IOActive Labs, IP Address, Jackpot, Jackpotted, Jackpotting, Juniper Networks, Key, Keypad, Las Vegas, Lock Upgrade Kit, Locked Down, Malicious Program, Malware, Medeco, Nevada, Patch, Phone Number, Pick-Resistant, Press Conference, Proprietary Protocol, Remote Attack Tool, Remote Hack, Remote Monitoring System, Remotely Reprogrammed, Researcher, Restaurants, Retail Outlets, Scrooge, Security, Security Research, Slot Machines, Software, Special Control Card, Standalone ATM, Systems, Telephone Modems, Touch-Sequence, Track Data, Tranax, Tranax Hack, Triton, Unauthorized Programs, Uniform Lock, Upgraded Lock, USB Stick, Vulnerabilities, White Hats, Windows CE | Leave a comment »