ATM Hacking Techniques Revealed at BlackHat

ATM Hacking has been popular for years. With some nasty tricks, it had been easy to hack into most ATM systems.

But as the time evolved, those methods became obsolete and hardly few of those  hacks still persist and the ones that remain in sight are relative harder and un-popular.

With the latest Hack, as demoed at BlackHat conference, it can get pretty easy. Barnaby Jack, director of security testing at Seattle-based IOActive,  brought two ATMs onto the Black Hat conference stage and demonstrated that with a press of a button, ATM machine is spits out its cash till the last one in the Pile.

“I hope to change the way people look at devices that from the outside are seemingly impenetrable,” said Jack. He demonstrated a hack that allows the hacker to connect to the ATM through a telephone modem and, without knowing a password, instantly force it to bankrupt the ATM machine.

How the Hacking started

Initially, in order to kick start hacking, Jack said that he had bought a pair of standalone ATMs–one from  Tranax Technologies (yea, its not Taranfx) and the other by Triton. His study yielded success in within few years, during which he discoverred Vulnerabilities that had let him gain complete access to those machines.

Jack seems to be so confident about his technique that he said, “Every ATM I’ve looked at, I’ve found a game-over vulnerability that allows an attacker to get cash from the machine” .

On the good note, he had been an Ethical hacker and hence had brought up vulnerabilties to the notice of both ATM companies and was fixed an year ago. However, theres a twist to the tstory. These updates were pushed to ATMs which had been under support from the companies, not every ATM had been updated, hence,  a large number of the machines remain vulnerable.

Hacking ATMs: Now & then

Hacking ATMs had been popular under two techniques known as “card skimming” and “card trapping” which are now relatively uncommon coz these electronic cash-extraction techniques were limited because they didn’t rely on a deep analysis of an ATM’s code.

We got to knew what exactly happened when Cybercriminals hacked into Bank ATMs in Eastern Europe.

Most modern ATMs run on Windows CE with an ARM processor and use a dialup or leased-line connection to connect to the other branches over the interent/Intranet VPNs, ost of which is through a serial port connection. Jack used standard debugging techniques to interrupt the normal boot process and instead start Internet Explorer, and using some nasty IE hacks, he got access to the file system for copying off the files for analysis.

A remote access vulnerability was found to occur on Taranax ATMs, that allows full access to the machine, without password. The Hack uses two softwares: a utility called Dillinger, which attacks an ATM remotely, and one called Scrooge, a rootkit that inserts a backdoor and then conceals itself from discovery. Scrooge “hides itself from the process list, hides itself from the operating system, there’s a hidden pop-up menu that can be activated by a special key sequence or a custom card.”

For Triton’s ATMs, scenario was different. PC motherboard that dispenses cash from the vault was protected only by a standard (shared) key that could be purchased over the Internet for about $10. So Jack found out that he could force the machine to accept his backdoor-enabled software as a legitimate update, which then can do the damage thats irreversible.

Both companies have responded to the hacks, but necessary actions may still not have been taken place to fix all the machines. I just hope someone takes care of this sometime soon.

The difficult part in hacking the ATMs is evaluating the software for vulnerabilities, but once some one like Jack  creates it, its a childsplay to empty the machine.

We write about GoogleTwitter, SecurityOpen SourceProgrammingWebAppleiPhone,Android and latest in Tech @taranfx on Twitter or by subscribing below:

VN:F [1.9.22_1171]
Rating: 6.7/10 (18 votes cast)
VN:F [1.9.22_1171]
Rating: +6 (from 10 votes)
ATM Hacking Techniques Revealed at BlackHat, 6.7 out of 10 based on 18 ratings

Related Posts

Bookmark and Promote!

  • Www Rayford_thomas

    try listening to- one track heart-by the artist( elvis presley)

    VA:F [1.9.22_1171]
    Rating: 0.0/5 (0 votes cast)
    VA:F [1.9.22_1171]
    Rating: 0 (from 0 votes)
  • John White Jnr

    Hello friend, i want to share my testimony on how i got my BLANK ATM
    card which have change my life today. i was once living on the street
    where by things were so hard for me, even to pay off my bills was very
    difficult for me i have to park off my apartment and start sleeping on
    the street of Vegas. i tried all i could do to secure a job but all went
    in vain because i was from the black side of America. so i decided to
    browse through on my phone for jobs online where i got an advert on
    Hackers advertising a Blank ATM card which can be used to hack any ATM
    Machine all over the world, i never thought this could be real because
    most advert on the internet are based on fraud, so i decided to give
    this a try and look where it will lead me to if it can change my life
    for good. i contacted this hackers and they told me they are from
    Australia and also they have branch all over the world in which they use
    in developing there ATM CARDS, this is real and not a scam it have help
    me out. to cut the story short this men who were geeks and also experts
    at ATM repairs, programming and execution who taught me various tips
    and tricks about breaking into an ATM Machine with a Blank ATM card.i
    applied for the Blank ATM card and it was delivered to me within 3 days
    and i did as i was told to and today my life have change from a street
    walker to my house, there is no ATM MACHINES this BLANK ATM CARD CANNOT
    penetrate into it because it have been programmed with various tools and
    software before it will be send to you. my life have really change and i
    want to share this to the world, i know this is illegal but also a
    smart way of living Big because the government cannot help us so we have
    to help our self. if you also want this BLANK ATM CARD i want you to
    contact the Hackers email on ANDREWMODRIC@OUTLOOK.COM and you life will
    never remain the same email ANDREWMODRIC@OUTLOOK.COM

    EMAIL .. ANDREWMODRIC@OUTLOOK.COM .. TO HAVE YOURS………….

    VA:F [1.9.22_1171]
    Rating: 0.0/5 (0 votes cast)
    VA:F [1.9.22_1171]
    Rating: 0 (from 0 votes)
© 2014 Geeknizer. All rights reserved. XHTML / CSS Valid.
Designed by taranfx.