Barnaby Jack, director of security testing at Seattle-based IOActive, hauled two ATMs onto the Black Hat conference stage and demonstrated to a rapt audience the fond daydream of teenage hackers everywhere: pressing a button and having an automated teller machine spew out its cash until a pile of paper lay on the ground.
“I hope to change the way people look at devices that from the outside are seemingly impenetrable,” said Jack, a New Zealand native who lives in the San Jose area. One vulnerability he demonstrated even allows a hacker to connect to the ATM through a telephone modem and, without knowing a password, instantly force it to disgorge its entire supply of cash.
Jack said he bought the pair of standalone ATMs–one manufactured by Tranax Technologies and the other byTriton–over the Internet and then spent years poring over the code. The vulnerabilities and programming errors he unearthed during that process, Jack said, let him gain complete access to those machines and learn techniques that can be used to open the built-in safes of many others made by the same companies.
“Every ATM I’ve looked at, I’ve found a game-over vulnerability that allows an attacker to get cash from the machine,” Jack said. “I’ve looked at four ATMs. I’m four for four.” (He said he has not evaluated built-in ATMs like those used by banks and credit unions.)
He said both Tranax and Triton had patched the security vulnerabilities since he brought them to the companies’ attention a year ago. If a customer with an ATM such as a convenience store or a restaurant doesn’t apply the fix, though, the machines remain vulnerable.
Hacking into ATMs is not exactly a new idea: It was immortalized by a young John Connor in the “Terminator 2” movie, and techniques like “card skimming” and “card trapping” are well-known by police.
Some enterprising thieves have even seized on ways to use a little-known configuration menu to trick ATMs into thinking that they’re dispensing $1 bills instead of $20 ones. (Traditional methods of stealing an ATM, ramming it, cutting into its safe, or blowing it up still work too.)
But those other electronic cash-extraction techniques were limited because they didn’t rely on a deep analysis of an ATM’s code. Many run Windows CE with an ARM processor and an Internet connection or a dialup modem, all of which controls access to the armored safe through a serial port connection. Jack said he used standard debugging techniques to interrupt the normal boot process and instead start Internet Explorer, giving him access to the file system and allowing him to copy off the files for analysis.
In the case of Tranax, a Hayward, Calif.-based company, Jack said he found a remote access vulnerability that allows full access to an unpatched machine without a password needed. He wrote two pieces of software to exploit that programming error: a utility called Dillinger, which attacks an ATM remotely, and one called Scrooge, a rootkit that inserts a backdoor and then conceals itself from discovery.
Scrooge “hides itself from the process list, hides itself from the operating system,” Jack said. “There’s a hidden pop-up menu that can be activated by a special key sequence or a custom card.”
Triton’s ATMs didn’t have an obvious remote access vulnerability. And the built-in vaults were well-armored. But the PC motherboard that dispenses cash from the vault was protected only by a standard (not unique) key that could be purchased over the Internet for about $10. So Jack did, and found he could force the machine to accept his backdoor-enabled software as a legitimate update.
Bob Douglas, Triton’s vice president of engineering, showed up at the conference to stress to reporters that the vulnerability has been fixed. “We have developed a defense against that attack,” he said. “We released it in November of last year.”
In addition, Douglas said: “We have an optional kit available to replace the lock with a unique key. It’s a high-security lock as well. I think it’s a Medeco lock.” But he said because some companies that service ATM machines might own 3,000 of them and visit dozens or hundreds a day, not all customers choose to upgrade.
Tranax did not respond to queries from CNET on Wednesday.
Jack was scheduled to present a similar talk at Black Hat last year, but it was pulled at the last minute after an ATM vendor complained to Juniper Networks, his then-employer.
The difficult part in hacking the ATMs was evaluating the software for vulnerabilities–but the Dilligner and Scrooge utilities Jack created as a result are easy enough for a child to use.
And will he release them? Teenage hackers, random criminals, and the Mob would surely be interested. “I’m not going to,” Jack said in response to a question from CNET after his talk.