Hitting jackpot: Barnaby Jack, director of research for IOActive, readies an ATM for a demonstration at the Black Hat conference in Las Vegas.
Credit: Erica Naone/Technology Review

How to Make an ATM Spit Out Money

A computer security researcher demonstrates attacks on cash machines.

  • Thursday, July 29, 2010
  • By Erica Naone

Yesterday, during a flashy presentation at the Black Hat security conference in Las Vegas, a computer security expert showed several ways to break into ATMs.

Barnaby Jack, who is director of research at IOActive Labs, made cash pour from a machine for minutes on end. After studying four different companies' models, he said, "every ATM I've looked at, I've found a 'game over' vulnerability that allowed me to get cash from the machine." He's even identified an Internet-based attack that requires no physical access.

The same talk was supposed to take place at last year's Black Hat conference, but it was pulled at the last moment. In his presentation, which did not reveal the exact details of how he performed the attacks, Jack named two vendors--Triton and Tranax--and said he had been in contact with both about fixing the problems.

Jack demonstrated the attacks on two ATMs that he bought online and drove to Las Vegas from his company's headquarters in San Jose. The hardware kit that he used in the demonstration cost less than $100 to make.

In one part of his presentation, he demonstrated a way for a thief to gain physical access to the ATM made by Triton. The device's main circuit, or motherboard, is protected only by a door with a lock that is relatively easy to open (Jack was able to buy a key online). He then used a USB port on the motherboard to upload his own software, which changed the device's display, played a tune, and made the machine spit out money.

mattgroom

284 Comments

  • 556 Days Ago
  • 07/30/2010

That's not a real crime...

Still a chance to be recorded doing it and traced back, I presume?

If you want a better way to get money, just find your local drug dealers, shoot them all and take their money. I don't think the police will be bothered by that one.

Still that pales in comparison to (legal methods) the rental market where some owners have thousands of houses in areas and charge what they like....They should limit home-owners to one home...period. Other properties should be run as rentals by the government in a rent to buy scheme. Removing banks and their excessive 100% payback schemes will be a giant leap forward against crime.

This is the real crime against good people.

bdd

1 Comment

  • 556 Days Ago
  • 07/30/2010

Re: That's not a real crime...

One home per person, all the rest owned by the government?  100% payback scheme by banks?  Please tell me your socialist/communist views are in the minority on your campus or in your commune.  One place you will find more believers like yourself would be the White House.  You should apply to be an intern, they would love you there.

bytor45

1 Comment

  • 553 Days Ago
  • 08/02/2010

Re: That's not a real crime...

Shoot drug dealers? Whoa dude, where did that come from? How about we make the government the drug dealer, wouldn't that be better? Maybe ATMs can dispense drugs. One ATM per house per person with drugs, run by the government...

cobrasixtysix

14 Comments

  • 556 Days Ago
  • 07/30/2010

For every lock made, there will eventually be an unlocker; it's always just a matter of time. Staying ahead of the curve is an endless task.
I'm not sure where the housing market comes into ATM cracking though.

profquatermass

57 Comments

  • 552 Days Ago
  • 08/03/2010

Social attacking is the hard bit

He's talking about performing a social attack. He has to get on the premises and be allowed access to the ATM after first finding out the OS used in ATMs and presenting at a guess a 'CD-ROM' bootable USB stick? (I bet they're running Windows!).

I can't believe that the ATM door key can just be bought over the Internet.
Gaping big security hole - the IT security design staff at the ATM manufacturers should be all fired.

Erica Naone

70 Comments

  • 549 Days Ago
  • 08/06/2010

Re: Social attacking is the hard bit

He did say they were running Windows.

He did three attacks--one of which requires physical access as you describe, but two of which do not.
