Vulnerability Management

Black Hat 2010: Researcher Jack uses design, authentication flaws to force ATMs to spit out cash

Making a dream come true for anyone who ever has seen their chips evaporate at a Las Vegas casino, a security researcher on Wednesday forced two ATMs to spit out bundles of cash thanks to security weaknesses in the machines.

Barnaby Jack, director of security researcher at IOActive Labs, completed the feat Wednesday while on stage at the Black Hat conference in Sin City. Speaking to a standing-room-only crowd at the annual show's most anticipated talk, Jack demonstrated a physical and remote attack on two cash machines that he had purchased on the internet. The attacks allowed him to force the machines to spew cash, seemingly at an unlimited rate.

"Every ATM I've looked at I've found the game-over vulnerability that lets me get cash out of the machine," Jack said Wednesday in a press conference after his talk.

In total, he has analyzed machines from four manufacturers, two of which were on display at Black Hat. Both run on Windows CE and are the ones bank users likely will find in places like delis and bars, not at their bank.

Jack had planned a similar presentation last year, but it was scrapped about a month before the show out of objections from the affected ATM makers, who claimed they had not had time to develop a patch for the issues.

View video of the demonstration here.

In one of his demonstrations on Wednesday, Jack used a master key that he purchased online for about $10 to open the door to the ATM, which allowed him to install modified software in the form of a USB key to the motherboard, thereby overwriting the machine's firmware. The maker, Mississippi-based Triton, which has some 150,000 machines worldwide, has since issued an update that prohibits software from running that hasn't been digitally signed by the company, Triton engineers said at the press conference.

Jack awed the crowd when he opened up the machine, applied the modified software and, not long after, the ATM began spilling cash, bill after bill. He even forced it to play music resembling the sound a slot machine makes when a player hits the jackpot.

In the other case, Jack used an attack tool he named "Dillinger," after the infamous 1930s bank robber, to exploit a vulnerability in the remote monitoring authentication process, which is turned on by default in most machines made by the manufacturer Tranax, based in Hayward, Calif. This allowed him to remotely install a rootkit he named "Scrooge," which hides itself on the machine from things like the process list and file system.

He called the exploit "100 percent reliable."

A spokesperson from Tranax could not immediately be reached for comment. Jack said the company now is offering a workaround -- disabling remote access by default.

In addition to forcing the machine to issue cash remotely, a scam that would require a cohort to collect the stolen bills, the rootkit also can be used to steal track data from cards inserted in the affected ATM.

The Australian Jack recounted some of the comical moments he experienced during the months he spent reverse engineering. In one instance, a delivery person asked Jack why he was having ATMs sent to his home.

"I don't want the transaction fees, mate," Jack said, inciting laughter from the packed Black Hat crowd.

Jack said his work underscores the security problems around embedded systems, such as electronic voting machines and parking meters.

As a response, vendors must upgrade their firmware, roll out machines that require unique physical keys and conduct proper code review, including penetration tests.

"There is a need to play catch-up," he said. "We're talking about devices that weren't developed with secure principles in mind."

Jack said he is confident bank ATMs are just as easy to penetrate and take control of, mostly because they are based on even more vulnerable operating systems than Windows CE. However, he has not had an opportunity to study them because they are not sold over the internet.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.