A security researcher attending the Black Hat conference has hacked two demo ATMs and forced both machines to dispense wads of cash on demand.
The ATMs – manufactured by Triton and Tranax – were reportedly exploited via a security hole in the authentication mechanism designed to update the firmware on automated teller machines.
According to ZDNet, the hack was executed by Barnaby Jack, Director of Research at IOActive Labs, who used a laptop dubbed “Dillinger” to overwrite the ATM’s operating system and assume full control of the machine.
“Jack demonstrated two different attacks against Windows CE-based ATMs — a physical attack using a master key purchased on the Web and a USB stick to overwrite the machine’s firmware; and a remote attack that exploited a flaw in the way ATMs authenticate firmware upgrades,” explained ZDNet’s Ryan Naraine.
“[However], [Jack] did not provide any technical details that would allow anyone to reproduce the attack techniques…But [he warned] that a skilled hacker could exploit these weaknesses if ATM manufacturers continue to create software with gaping security holes.”
Meanwhile, Kim Zetter of Wired noted that malware attacks leveraging similar methods have already been launched against bank ATMs in Europe.
“Security researchers at Trustwave, based in Chicago, found the malware on 20 machines in Russia and Ukraine that were all running Microsoft’s Windows XP operating system,” wrote Zetter.
“They said they found signs that hackers were planning on bringing their attacks to machines in the United States. The malware was designed to attack ATMs made by Diebold and NCR. [Still], those attacks required an insider, such as an ATM technician or anyone else with a key to the machine, to place malware on the ATM.”