in a theatrical demonstration earlier
this year Barnaby Jack director of
research at Io active Labs showed how he
could take control of an ATM and among
other things make it spit out money here
Jack explains why and how he performed
the stunt when you think of ATM security
you typically think about like physical
security right is the ATM bolt down
properly are the cameras in place you
don't typically think about the actual
underlying software on the ATM so I
figured it was about a about right time
that someone actually pulled these
things apart looked at the software and
see if there's any vulnerabilities there
and once I actually tore the lid off and
found out how many vulnerabilities
actually exist there it was um it was
quite shocking in a way Jack used his
discoveries to design two different
attacks against Standalone ATMs here he
demonstrates them the first attack is a
walk-up style attack now all of these
Standalone ATMs they uh they ship with a
master key so this master key will open
the top compartment which allows access
to the motherboard it won't open the
safe or anything like that but this one
key will open all the ATMs from that
same manufacturer now that you have
access to the motherboard you can now
update the software locally so long as
that software adheres to the correct
format the ATM will happily override its
software with this new code now of
course this new code will allow you to
dump from the entire dispenser and do
other nefarious deeds and the other
attack is the remote attack now all of
these Standalone ATMs they support
Remote Management or remote
configuration so you can log into your
ATM change your Splash screens retrieve
the settings and all that type of thing
generally to be able to do this you
require a combination of passwords a
serial number and what have you I found
the vulnerability which will allow me to
bypass all of these passwords and then
upload my own software onto the ATM
remotely and of course my own software
will capture credit card details dump
from the dispenser and all that type of
thing and the worst part about this is
these ATMs ship with this functionality
enabled by default and the reason they
enable this functionality is so they can
uh it's ironically enough so they can
ship security patches to these ATMs it
takes a specialized skill set to
actually come up with these attacks and
for myself it was about eight months of
Fairly constant work but I'm not naive
enough to think that I'm the only person
who could do this and the thing is with
these type of attacks it only takes one
person to come up with that attack and
then they can distribute that software
to to whoever else so it only takes one
person to do it uh to this at the moment
we haven't seen any of these exploits
replicated but
um
uh it's certainly possible at the moment
the ATM manufacturers have shipped
patches to their ATMs but of course
whether the actual ATM owners have
applied those patches is a different
story