Barnaby Jack Ingeniously Hacks ATMs at Black Hat
(July 29) -- "Jackpot!" That's the message that was displayed on the screen of an ATM as it spewed its entire reservoir of cash across the stage at the Caesars Palace Hotel and Casino in Las Vegas Wednesday after a hacker easily bypassed its security features.
And indeed, for hackers and crackers and unscrupulous opportunists everywhere, the high-profile demonstration of a cash machine's vulnerabilities would appear to be a boon. But for those gathered at the annual technology security conference known as Black Hat, the situation presented less a victory than a challenge: how to safeguard against clever new hacks as more and more important computer systems go online.
The crafty individual responsible for the hack was one Barnaby Jack, director of security research at IOActive, a cybersecurity company that services all sorts of clients, "including power and utility, game, hardware, retail, financial, media, travel, aerospace, health care, high-tech, social-networking and software development organizations." The former computer hacker spent two years perfecting two different, startlingly simple methods to bypass common stand-alone ATMs, according to The Associated Press.
1. Physically
One method involved ordering a $10 master key online to physically unlock a panel on the front of the ATM, whereupon Jack gained access to the device's USB port -- akin to that found on most modern personal computers to allow for quick, easy data transfer using a USB stick or thumb drive. At Black Hat, Jack plugged his own USB stick preloaded with malicious code of his own design into the machine (manufactured by Triton), forcing it to dispense all of the money contained within.
2. Remotely
While that technique alone was impressive enough to draw wild applause and laughter from the audience, it was Jack's remote hack of a machine manufactured by Tranax over a wireless Internet connection that really stole the show. He said all that was needed to accomplish this was knowledge of the ATM's phone number or IP address and a way to get past the password, reports Wired. Of course, this technique has its own sexy code name: "Dillinger."
In fact, Jack noted that the idea of using any PC to gain access to an ATM's hard drive was so attractive to cybercriminals and so potentially damaging, he didn't go into specifics as to how he bypassed the machine's password, only showing that he could make it dispense all of its stash and gain access to the stored PIN numbers of previous customers. (His presentation was actually scheduled for last year's Black Hat conference but reportedly got canned at the urging of an unidentified ATM manufacturer.)
The Takeaway
Both machines were operating on Windows CE, both were stand-alone models (found in stores and bars, as opposed to those found in banks) and both have since had their firmware security flaws patched, according to manufacturers (via Computerworld). However, Jack is convinced that the ease with which he bypassed their security features is cause for a wake-up call.
"Sometimes you have to demo a threat to spark a solution," he said, according to Forbes.
The source of Jack's inspiration? A memorable scene from a little old movie by the name of Terminator 2.