ATMs badly secured
At this year's Black Hat conference, Barnaby Jack gave a presentation entitled "Jackpotting Automated Teller Machines", which was withdrawn last year by his employer at the time, Juniper Networks, after a complaint by an ATM vendor. According to media reports, Jack, who has since become Director of Security Research at IOActive Labs, used two standalone ATMs made by US vendors Tranax and Triton to demonstrate the results of his research: after a click on the jackpot button of "Dillinger", the software developed by Jack, one of the ATMs started coughing up cash, which soon began to pile up in front of the machine.
To hack the Tranax machine, Jack exploited a vulnerability in the remote maintenance feature, which is enabled by default and allowed him to remotely inject his specially crafted firmware into the machine without any password authentication. Jack has also developed a rootkit called Scrooge. It is said to be almost invisible until a specific combination of keys is entered or a specific magnetic card is inserted into the ATM.
The Triton machine didn't allow Jack to intrude via an external interface. However, the security expert discovered that, while the actual vault is secure, the ATM's PC hardware is accessible via a master key. Jack said he paid $10.78 for a key on the internet, and with the key he also managed to inject modified firmware into the Triton ATM using a specially crafted USB flash drive.
In theory, ATMs by other vendors are also said to be vulnerable to this type of attack. Many ATMs use Windows CE, which controls access to the cash-dispensing module via a serial interface. Both ATM vendors have now closed the holes exposed by Jack. According to a report by CNET, Triton's vice president of engineering said at the conference that his company now offers optional replacement locks with unique keys.