By Declan McCullagh
July 28, 2010
LAS VEGAS -- Hacking into an ATM isn't impossible, a security researcher
showed Wednesday. With the right software, it's actually pretty easy.
Barnaby Jack, director of security testing at Seattle-based IOActive,
hauled two ATMs onto the Black Hat conference stage and demonstrated to
a rapt audience the fond daydream of teenage hackers everywhere:
pressing a button and having an automated teller machine spew out its
cash until a pile of paper lay on the ground.
"I hope to change the way people look at devices that from the outside
are seemingly impenetrable," said Jack, a New Zealand native who lives
in the San Jose area. One vulnerability he demonstrated even allows a
hacker to connect to the ATM through a telephone modem and, without
knowing a password, instantly force it to disgorge its entire supply of
Jack said he bought the pair of standalone ATMs--one manufactured by
Tranax Technologies and the other by Triton--over the Internet and then
spent years poring over the code. The vulnerabilities and programming
errors he unearthed during that process, Jack said, let him gain
complete access to those machines and learn techniques that can be used
to open the built-in safes of many others made by the same companies.
Attend Black Hat USA 2010, hosted at Caesars Palace in Las Vegas, Nevada
July 24-29th, offering over 60 training sessions and 11 tracks of Briefings
from security industry elite. To sign up visit http://www.blackhat.com