Security researcher Barnaby Jacks has used the Black Hat briefings to
demonstrate an interesting way of getting money out of an ATM machine.
Jacks, who is head of research at cyber security consultancy IOActive,
demonstrated the attack on two common ATM platforms.
The first attack unlocked the machine using standard keys purchased on the
internet. Jacks inserted a USB stick which overwrote the ATM's firmware and
caused it to spew fake million dollar bills.
The second attack involved using the remote updating capabilities of an ATM
to upload code that caused the machine to empty itself of cash, and record card
details and PINs.
"Every ATM I've looked at, I've found a game-over vulnerability that allows
me to get cash," said Jacks. "So far I've looked at four, and I'm running
four-for-four at the moment."
Jacks bought the ATMs online to test his hack before going public. He was due
to give his presentation at last year's Black Hat conference, but was stopped
after legal action and because a fix for the problem was not available.
Most ATMs use Windows CE or a cut-down version of Windows XP, but Jacks used
a cloned version of the firmware in the machines to carry out the attacks.
The remote attack could also be performed using VoIP technology, Jacks said,
since code is available to scan 10,000 dial-up numbers for the machines in less
than an hour.
Bob Douglas, vice president of engineering at Triton, which manufactures one
of the ATMs used, claimed that the company had developed a defence against the
attack and had made it available in December.
"The problem was solved by remote update and we give customers the option of
an individual, unpickable lock to their system," he said.
Firmware updates now require a digital signature before they can be installed
on ATM machines, according to Douglas.
The case is more worrying because Jacks said that the same systems used by
the ATM builders are used in voting machines, making electoral fraud very easy.