Bank ATMs too can be hacked
By IANSSunday, August 1, 2010
LAS VEGAS - Even bank ATMs are not hack-proof. A security expert in US has demonstrated how a hacker using specific software can make the automated teller machines spew out its cash without knowing the password.
Barnaby Jack, director of security testing at Seattle-based IOActive, hauled two ATMs onto a stage and demonstrated to a rapt audience the fond daydream of teenage hackers everywhere: pressing a button and having an ATM spew out its cash until a pile of notes lay on the ground.
Jack, a New Zealand national, explained how the system allows a hacker to connect to the ATM through a telephone modem and, without knowing a password, instantly force it to disgorge its entire supply of cash, CBS News reported.
“I hope to change the way people look at devices that from the outside are seemingly impenetrable,” said Jack, who lives in San Jose.
Jack said he bought the pair of standalone ATMs - one manufactured by Tranax Technologies and the other by Triton - over the Internet and then spent years poring over the code.
The vulnerabilities and programming errors he unearthed during that process, Jack said, let him gain complete access to those machines and learn techniques that can be used to open the built-in safes of many others made by the same companies.
“Every ATM I’ve looked at, I’ve found a game-over vulnerability that allows an attacker to get cash from the machine,” Jack said.
“I’ve looked at four ATMs. I’m four for four.” He said he has not evaluated built-in ATMs like those used by banks and credit unions.
He, however, said both Tranax and Triton had patched the security vulnerabilities since he brought them to the companies’ attention a year ago. If a customer with an ATM such as a convenience store or a restaurant doesn’t apply the fix, though, the machines remain vulnerable.