Delivering on his promise, security researcher Barnaby Jack has managed to make two unpatched ATMs from two major vendors spit out cash during his demonstration at the Black Hat conference in Las Vegas.
He accessed the ATM manufactured by Tranax Technologies with software that can remotely operate the machine, and then installed a rootkit that revealed administrative passwords and account PINs, which allowed him to wrest money from it.
The ATM made by Triton Systems was compromised locally, by using a key that he acquired over the Internet and that enabled him to gain access to the internal components of the machine and to install a rootkit from a USB drive.
Jack is sure that these ATMs are not an exception. “Every ATM I’ve looked at, I’ve found a game-over vulnerability that allows me to get cash from the machine,” he said. And even though the vulnerabilities he exploited during this demonstration are now patched, he knows that this is just the beginning.
He thinks the high incidence of vulnerable machines is due to the fact that ATMs haven’t been targeted as much as, let’s say, Microsoft products. If they had, the manufacturers would have had to give much more attention to secure development.
He also says that vulnerable ATMs are very easily located, since they return specific responses when contacted by phone or with queries to IP addresses.
He feels that the time has come for big changes and advises manufacturers to upgrade physical locks and executable signing at the kernel level, and to pay special attention to reviewing the code used in the operating systems and software installed on the machines.