Thursday, July 29, 2010

Hacker Breaks Into ATMs With $10.78 Key And Dispenses Cash Remotely



At the Black Hat security conference in Las Vegas, Barnaby Jack, Director of Research at IOActive Labs, used a laptop running a custom-built software tool called “Dillinger” (named after the famous bank robber) to overwrite an ATM’s internal operating system, take complete control of the machine, and send it commands to spew cash on demand.

Jack demonstrated two different attacks against Windows CE-based ATMs: a physical attack, using a master key purchased on the Web to open the cabinet and a USB stick to overwrite the machine’s firmware; and a remote attack that exploited a flaw in the way the ATMs authenticate firmware upgrades.

He did not provide any technical details that would allow anyone to reproduce the attack techniques but suggested that a skilled hacker could exploit these weaknesses if ATM manufacturers continue to create software with gaping security holes.

“There are attack vectors in all these standalone or hole-in-the-wall ATMs,” Jack warned, noting that the cabinets of many ATMs are secured by a master key that can be bought for $10.78 on hundreds of web sites. “With this master key, I can walk up to a secluded ATM and have access to USB [and] SD/CF slots. In some cases, opening and inserting my USB key was faster than installing a skimmer,” he said.
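Both attacks above come down to the same root cause: the updater trusted whatever firmware image it was handed, whether it arrived on a USB stick behind a $10.78 lock or over the network. Jack did not disclose the actual authentication flaw, so the following is an added illustration, not IOActive’s code or any real ATM vendor’s update format. It assumes a hypothetical image layout (magic, version, CRC32, payload) constructed here for the example, and contrasts an updater that only checks the magic and CRC (a forged image passes, because a CRC proves nothing about who built the image) with one that verifies an Ed25519 signature against a key pinned in the device and refuses to roll back to an older signed build.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
	"hash/crc32"
)

// Hypothetical image layout, constructed for this example (not a real vendor format):
//   [0:4] magic "FWUP"   [4:8] version (big-endian)   [8:12] CRC32 of payload   [12:] payload
// A signed image is the same bytes followed by a 64-byte Ed25519 signature.
var magic = []byte("FWUP")

const headerLen = 12

// buildImage assembles an unsigned image. Nothing here needs a secret, so an
// attacker with a USB stick can produce one just as easily as the vendor.
func buildImage(version uint32, payload []byte) []byte {
	h := make([]byte, headerLen)
	copy(h[0:4], magic)
	binary.BigEndian.PutUint32(h[4:8], version)
	binary.BigEndian.PutUint32(h[8:12], crc32.ChecksumIEEE(payload))
	return append(h, payload...)
}

// weakAccept models an updater that trusts any image whose magic and CRC check
// out. A CRC catches accidental corruption, not a deliberate swap.
func weakAccept(img []byte) bool {
	if len(img) < headerLen || !bytes.Equal(img[:4], magic) {
		return false
	}
	return binary.BigEndian.Uint32(img[8:12]) == crc32.ChecksumIEEE(img[headerLen:])
}

// signImage is the vendor side: the signature covers header and payload together,
// so the version field cannot be edited after signing.
func signImage(priv ed25519.PrivateKey, img []byte) []byte {
	out := append([]byte{}, img...)
	return append(out, ed25519.Sign(priv, img)...)
}

// strongAccept is the updater side: the public key is pinned in the device, the
// signature is checked before any header field is interpreted, and the version
// must move forward so an old but genuinely signed image cannot be replayed.
func strongAccept(pub ed25519.PublicKey, signed []byte, installed uint32) (uint32, error) {
	if len(signed) < headerLen+ed25519.SignatureSize {
		return 0, errors.New("image too short")
	}
	split := len(signed) - ed25519.SignatureSize
	img, sig := signed[:split], signed[split:]
	if !ed25519.Verify(pub, img, sig) {
		return 0, errors.New("signature does not verify against pinned key")
	}
	if !bytes.Equal(img[:4], magic) {
		return 0, errors.New("bad magic")
	}
	v := binary.BigEndian.Uint32(img[4:8])
	if v <= installed {
		return 0, fmt.Errorf("version %d is not newer than installed %d", v, installed)
	}
	if binary.BigEndian.Uint32(img[8:12]) != crc32.ChecksumIEEE(img[headerLen:]) {
		return 0, errors.New("payload corrupted")
	}
	return v, nil
}

// Outcome records what each updater does with genuine, forged and replayed images.
type Outcome struct {
	WeakTakesForgery    bool
	StrongTakesGenuine  bool
	StrongTakesForgery  bool
	StrongTakesRollback bool
}

// runScenario plays three constructed images against both updaters.
func runScenario() (Outcome, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Outcome{}, err
	}
	const installed = uint32(4)
	genuine := signImage(priv, buildImage(5, []byte("vendor dispense logic")))
	forged := buildImage(6, []byte("dispense on command")) // valid CRC, no signature
	// The attacker pads a forged image with zero bytes where the signature belongs.
	forgedSigned := append(append([]byte{}, forged...), make([]byte, ed25519.SignatureSize)...)
	old := signImage(priv, buildImage(3, []byte("older vendor build"))) // genuine but outdated

	var o Outcome
	o.WeakTakesForgery = weakAccept(forged)
	_, err = strongAccept(pub, genuine, installed)
	o.StrongTakesGenuine = err == nil
	_, err = strongAccept(pub, forgedSigned, installed)
	o.StrongTakesForgery = err == nil
	_, err = strongAccept(pub, old, installed)
	o.StrongTakesRollback = err == nil
	return o, nil
}

func main() {
	o, err := runScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", o)
}
```

The signature check has to be the first thing the updater does with the image, before it parses a length, branches on a version, or copies a payload; a parser that runs on unverified bytes is itself an attack surface. The rollback check matters because an attacker who can reach the USB port can also carry a genuinely signed but older, buggier build.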

The Dillinger tool came with a graphical UI that included features to “Retrieve Track Data” or simply “Jackpot!”. One click of the Jackpot button and the commandeered ATM started spewing cash on demand.

Why doesn't that happen to me when I go to the ATM?
