ATM Hacking Techniques Revealed at BlackHat

ATM Hacking has been popular for years. With some nasty tricks, it had been easy to hack into most ATM systems.

But as the time evolved, those methods became obsolete and hardly few of those  hacks still persist and the ones that remain in sight are relative harder and un-popular.

With the latest Hack, as demoed at BlackHat conference, it can get pretty easy. Barnaby Jack, director of security testing at Seattle-based IOActive,  brought two ATMs onto the Black Hat conference stage and demonstrated that with a press of a button, ATM machine is spits out its cash till the last one in the Pile.

“I hope to change the way people look at devices that from the outside are seemingly impenetrable,” said Jack. He demonstrated a hack that allows the hacker to connect to the ATM through a telephone modem and, without knowing a password, instantly force it to bankrupt the ATM machine.

How the Hacking started

Initially, in order to kick start hacking, Jack said that he had bought a pair of standalone ATMs–one from  Tranax Technologies (yea, its not Taranfx) and the other by Triton. His study yielded success in within few years, during which he discoverred Vulnerabilities that had let him gain complete access to those machines.

Jack seems to be so confident about his technique that he said, “Every ATM I’ve looked at, I’ve found a game-over vulnerability that allows an attacker to get cash from the machine” .

On the good note, he had been an Ethical hacker and hence had brought up vulnerabilties to the notice of both ATM companies and was fixed an year ago. However, theres a twist to the tstory. These updates were pushed to ATMs which had been under support from the companies, not every ATM had been updated, hence,  a large number of the machines remain vulnerable.

Hacking ATMs: Now & then

Hacking ATMs had been popular under two techniques known as “card skimming” and “card trapping” which are now relatively uncommon coz these electronic cash-extraction techniques were limited because they didn’t rely on a deep analysis of an ATM’s code.

We got to knew what exactly happened when Cybercriminals hacked into Bank ATMs in Eastern Europe.

Most modern ATMs run on Windows CE with an ARM processor and use a dialup or leased-line connection to connect to the other branches over the interent/Intranet VPNs, ost of which is through a serial port connection. Jack used standard debugging techniques to interrupt the normal boot process and instead start Internet Explorer, and using some nasty IE hacks, he got access to the file system for copying off the files for analysis.

A remote access vulnerability was found to occur on Taranax ATMs, that allows full access to the machine, without password. The Hack uses two softwares: a utility called Dillinger, which attacks an ATM remotely, and one called Scrooge, a rootkit that inserts a backdoor and then conceals itself from discovery. Scrooge “hides itself from the process list, hides itself from the operating system, there’s a hidden pop-up menu that can be activated by a special key sequence or a custom card.”

For Triton’s ATMs, scenario was different. PC motherboard that dispenses cash from the vault was protected only by a standard (shared) key that could be purchased over the Internet for about $10. So Jack found out that he could force the machine to accept his backdoor-enabled software as a legitimate update, which then can do the damage thats irreversible.

Both companies have responded to the hacks, but necessary actions may still not have been taken place to fix all the machines. I just hope someone takes care of this sometime soon.

The difficult part in hacking the ATMs is evaluating the software for vulnerabilities, but once some one like Jack  creates it, its a childsplay to empty the machine.

We write about GoogleTwitter, SecurityOpen SourceProgrammingWebAppleiPhone,Android and latest in Tech @taranfx on Twitter or by subscribing below:

VN:F [1.9.22_1171]
Rating: 6.3/10 (20 votes cast)
VN:F [1.9.22_1171]
Rating: +5 (from 11 votes)
ATM Hacking Techniques Revealed at BlackHat, 6.3 out of 10 based on 20 ratings

Related Posts

Bookmark and Promote!

  • Www Rayford_thomas

    try listening to- one track heart-by the artist( elvis presley)

    VA:F [1.9.22_1171]
    Rating: 3.0/5 (2 votes cast)
    VA:F [1.9.22_1171]
    Rating: +1 (from 1 vote)
  • John White Jnr

    Hello friend, i want to share my testimony on how i got my BLANK ATM
    card which have change my life today. i was once living on the street
    where by things were so hard for me, even to pay off my bills was very
    difficult for me i have to park off my apartment and start sleeping on
    the street of Vegas. i tried all i could do to secure a job but all went
    in vain because i was from the black side of America. so i decided to
    browse through on my phone for jobs online where i got an advert on
    Hackers advertising a Blank ATM card which can be used to hack any ATM
    Machine all over the world, i never thought this could be real because
    most advert on the internet are based on fraud, so i decided to give
    this a try and look where it will lead me to if it can change my life
    for good. i contacted this hackers and they told me they are from
    Australia and also they have branch all over the world in which they use
    in developing there ATM CARDS, this is real and not a scam it have help
    me out. to cut the story short this men who were geeks and also experts
    at ATM repairs, programming and execution who taught me various tips
    and tricks about breaking into an ATM Machine with a Blank ATM card.i
    applied for the Blank ATM card and it was delivered to me within 3 days
    and i did as i was told to and today my life have change from a street
    walker to my house, there is no ATM MACHINES this BLANK ATM CARD CANNOT
    penetrate into it because it have been programmed with various tools and
    software before it will be send to you. my life have really change and i
    want to share this to the world, i know this is illegal but also a
    smart way of living Big because the government cannot help us so we have
    to help our self. if you also want this BLANK ATM CARD i want you to
    contact the Hackers email on ANDREWMODRIC@OUTLOOK.COM and you life will
    never remain the same email ANDREWMODRIC@OUTLOOK.COM


    VA:F [1.9.22_1171]
    Rating: 1.0/5 (1 vote cast)
    VA:F [1.9.22_1171]
    Rating: +2 (from 2 votes)
  • george donald


    Hackers with the above email ( ) is at it again!! Cool
    way to have financial freedom!!! Are you tired of living a poor life; here is

    opportunity you have been waiting for. This is a testimony that I myself

    have experience and I can tell us it is 100% real. Get the new ATM

    BLANK CARD that can hack any ATM MACHINE and withdraw money from any

    account. You do not require anybody’s account number before you can use

    it. Although you and I knows that it’s illegal, there is no risk using

    it. It has SPECIAL FEATURES, that makes the machine unable to detect this very
    card and its transaction is can’t be traced.You can use it anywhere in the
    world. With this card, you can withdraw nothing less than $2500 a day. So far I
    have been able to withdraw $45,000. I don’t know why am posting this but I
    believe it can help someone else in need of money. To get the card, reach the
    hackers via email address:

    VA:F [1.9.22_1171]
    Rating: 0.0/5 (0 votes cast)
    VA:F [1.9.22_1171]
    Rating: +1 (from 1 vote)
  • bird smith

    Hello friend’s get rich in less than 3day’s It all depends on how fast you can be to get the new PROGRAMMED blank ATM card that is capable of hacking into any ATM machine,anywhere in the world. I got to know about this BLANK ATM CARD when I was searching for job online about a month ago..It has really changed my life for good and now I can say I¿m rich and I can never be poor again. The least money I get in a day with it is about $50,000.(fifty thousand USD) Every now and then I keeping pumping money into my account. Though is illegal,there is no risk of being caught ,because it has been programmed in such a way that it is not traceable,it good¿Love you all ¿contact them now, the email address again is :

    VA:F [1.9.22_1171]
    Rating: 0.0/5 (0 votes cast)
    VA:F [1.9.22_1171]
    Rating: +1 (from 1 vote)
  • Anderson Wood

    Nobody will complain if all their comments are real or either if the Blank card producers as they claim are real as YANDEX HACKING( Scared as usual not to be scammed again, being rational is better than to be scammed. I thought YANDEX HACKING( where scammers until I got my blank card I requested.

    YANDEX HACKING, Please you have to improve on the security because the ATM Machine always beeps whenever I slot in the card. I hope it is not alerting the securities in the bank? Am scared Anderson Wood

    VA:F [1.9.22_1171]
    Rating: 0.0/5 (0 votes cast)
    VA:F [1.9.22_1171]
    Rating: 0 (from 0 votes)
© 2016 Geeknizer. All rights reserved. XHTML / CSS Valid.
Designed by taranfx.