BlackHat 2010 – Jackpotting Automated Teller Machines [Barnaby Jack]

Owning the ATM:

ATMs: we use them every day. Need some cash? Insert card, receive money. Simple. Automated teller machines are not something you really think about getting hacked. Sure, you may have heard of card skimmers collecting credit card numbers, but this is far more nefarious.

Every once in a while you see a demonstration at these kinds of events that just blows your mind. This was one of those instances. Hackers now have the ability to remotely jackpot ATMs. This means that with the push of a button a hacker can make cash start pouring out of an ATM, just like in the movies.

The whole attack takes advantage of a design flaw in the system: the machines will run unsigned executables. The presenter also released two new tools to make the process easier: Scrooge, a rootkit that installs on the ATM, and Dillinger, the remote management system to control them. The rootkit installs on machines made by Triton and Tranax, two of the largest names in ATM production. Both vendors have released patches for their systems, but just as with people’s home computers, not everyone updates their machines.

At the press conference after the presentation, Barnaby divulged more details of how the hack is performed. We also had a chance to talk to the VP of engineering for Triton and hear about what they have done to prevent these kinds of attacks.

In short, the solution is for end users to patch their systems. They should also replace the lock on their unit with a unique lock to prevent walk-by firmware replacement, since by default the unit comes with a lock that opens with a generic master key.

Stay tuned to TechwareLabs for more coverage of Black Hat 2010.
