Black Hat: Hacker makes ATMs spew money

by Iain Thomson

29 Jul 2010

Black Hat 2010
ATMs could be hacked to release their entire contents

Security researcher Barnaby Jacks has used the Black Hat briefings to demonstrate an interesting way of getting money out of an ATM machine.

Jacks, who is head of research at cyber security consultancy IOActive, demonstrated the attack on two common ATM platforms.

The first attack unlocked the machine using standard keys purchased on the internet. Jacks inserted a USB stick which overwrote the ATM's firmware and caused it to spew fake million dollar bills.

The second attack involved using the remote updating capabilities of an ATM to upload code that caused the machine to empty itself of cash, and record card details and PINs.

"Every ATM I've looked at, I've found a game-over vulnerability that allows me to get cash," said Jacks. "So far I've looked at four, and I'm running four-for-four at the moment."

Jacks bought the ATMs online to test his hack before going public. He was due to give his presentation at last year's Black Hat conference, but was stopped after legal action and because a fix for the problem was not available.

Most ATMs use Windows CE or a cut-down version of Windows XP, but Jacks used a cloned version of the firmware in the machines to carry out the attacks.

The remote attack could also be performed using VoIP technology, Jacks said, since code is available to scan 10,000 dial-up numbers for the machines in less than an hour.

Bob Douglas, vice president of engineering at Triton, which manufactures one of the ATMs used, claimed that the company had developed a defence against the attack and had made it available in December.

"The problem was solved by remote update and we give customers the option of an individual, unpickable lock to their system," he said.

Firmware updates now require a digital signature before they can be installed on ATM machines, according to Douglas.

The case is more worrying because Jacks said that the same systems used by the ATM builders are used in voting machines, making electoral fraud very easy.
