Risk
7/28/2010
11:27 PM
50%
50%

ATMs At Risk, Researcher Warns At Black Hat

Barnaby Jack demonstrates remote and local exploits that work on popular bank machines

LAS VEGAS, NEVADA -- Black Hat USA 2010 -- A security researcher today gave notice to companies that make automated teller machines (ATMs).

Click here for more of Dark Reading's Black Hat articles.

Here on the first day of the Black Hat conference, Barnaby Jack, director of research at IOActive, demonstrated attacks that would allow a criminal to compromise ATMs, allowing hypothetical thieves to steal cash, copy customers' ATM card data, or learn the master passwords of the machines. While one of the attacks required a few seconds to open the ATM and insert a USB drive with code to overwrite the system, the other attack used a remote management feature commonly found on standalone ATMs.

Jack's presentation targeted machines made by Tranax and Triton, but other ATMs likely have similar security issues, he said.

"I found specific vulnerabilities in the ATM machines," Jack said during a press conference following the presentation. "But the attack surface is [similar] across the ATM industry as a whole ... In every ATM system I've looked at, I've been able to find flaws."

Jack said he used fairly simple analyses of the operating system and software commonly found on ATMs to create the exploits he demonstrated on stage. "We are back to 1999 in terms of code quality," he said.

Other security experts who watched the presentation agreed that ATM software would likely be a gold mine for security researchers.

"The presentation shows that the security of these machines need to be revisited because they were never architected with [online] security in mind," says Jamie Butler, director of research for security firm Mandiant.

In the past, cybercriminal attacks on cash machines have generally focused on physical attacks, such as adding skimmers to steal users' ATM card data -- or even stealing the whole machine. Instead, IOActive's Jack focused on the software, creating a remote administration tool, dubbed Dillinger, and rootkit, known as Scrooge. Dillinger allows a person to easily select known ATMs and retrieve data or send payloads, while Scrooge, which can be sent to an ATM as a payload, overwrites the system's programming to allow a person to control the machine.

Most standalone ATMs, such as those frequently found in convenience stores and bars, run on Windows CE. But Jack stressed that the vulnerabilities he found were in the proprietary cash management software, not in the operating system.

A compromised cash machine can be controlled by a person who inserts a card with special codes stored on the magstripe or who types a code on the ATM's keys, Jack said. He demonstrated Scrooge's ability to make the ATM dispense 50 bills -- all novelty cash in his demonstration -- and to store the details of any card inserted into the machine.

Triton, the maker of one of the ATMs, has required that all code running on its system be signed. It offers its customers special tamper-resistant keys for preventing access to the internal components of a cash machine, said Bob Douglas, vice president of engineering for the firm.

Slideshow: Barnaby Jack Hits The Jackpot With ATM Hack
Barnaby Jack Hits The Jackpot With ATM Hack
(view slideshow)
"We have developed a defense against attacks of this nature," Douglas said.

This is not the first time ATMs have been targeted with rogue code.

In 2009, Diebold, the No. 2 maker of ATMs, warned customers that more than 20 cash machines in Eastern Europe had been found to contain malicious code. The software had features similar to those demonstrated by IOActive's Jack, allowing criminals to steal and retrieve ATM card data and dispense cash from the cartridges. At the time, security researchers claimed the attack was an inside job, but Jack said his research has convinced him otherwise.

"Based on what I have seen, I think there is a possibility that the attacks were software-based," Jack said.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-8370
Published: 2015-01-29
VMware Workstation 10.x before 10.0.5, VMware Player 6.x before 6.0.5, VMware Fusion 6.x before 6.0.5, and VMware ESXi 5.0 through 5.5 allow host OS users to gain host OS privileges or cause a denial of service (arbitrary write to a file) by modifying a configuration file.

CVE-2015-0236
Published: 2015-01-29
libvirt before 1.2.12 allow remote authenticated users to obtain the VNC password by using the VIR_DOMAIN_XML_SECURE flag with a crafted (1) snapshot to the virDomainSnapshotGetXMLDesc interface or (2) image to the virDomainSaveImageGetXMLDesc interface.

CVE-2015-1043
Published: 2015-01-29
The Host Guest File System (HGFS) in VMware Workstation 10.x before 10.0.5, VMware Player 6.x before 6.0.5, and VMware Fusion 6.x before 6.0.5 and 7.x before 7.0.1 allows guest OS users to cause a guest OS denial of service via unspecified vectors.

CVE-2015-1044
Published: 2015-01-29
vmware-authd (aka the Authorization process) in VMware Workstation 10.x before 10.0.5, VMware Player 6.x before 6.0.5, and VMware ESXi 5.0 through 5.5 allows attackers to cause a host OS denial of service via unspecified vectors.

CVE-2015-1422
Published: 2015-01-29
Multiple cross-site scripting (XSS) vulnerabilities in Gecko CMS 2.2 and 2.3 allow remote attackers to inject arbitrary web script or HTML via the (1) horder[], (2) jak_catid, (3) jak_content, (4) jak_css, (5) jak_delete_log[], (6) jak_email, (7) jak_extfile, (8) jak_file, (9) jak_hookshow[], (10) j...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
If you’re a security professional, you’ve probably been asked many questions about the December attack on Sony. On Jan. 21 at 1pm eastern, you can join a special, one-hour Dark Reading Radio discussion devoted to the Sony hack and the issues that may arise from it.