Another ATM Maker Pwned by Googling

bagsc writes "Kevin Poulsen of Wired.com strikes fear into another ATM manufacturer. This time, Triton ATMs had their super-secret master codes revealed by simple Google searches. Tranax was the most recent company with this problem, but probably not the last."

Re:What?!!?

[gurps_npc]

It's not 'a little warning'.

It's repeated, frequent warnings from the manufacturers and industry associations for several years.

Now finally it hit the news media.

You can lead a horse to water, but you can't stop him from sticking his head underneath and drowning simply because they painted a carrot at the bottom of the water trough.

Lipman ATM's

[detritus.]

Lipman's Nurit ATM manuals are also available to the public on their website, which also contain the default passwords accessing the operator menus. And unlike Triton, their manuals don't even warn/instruct the user to change the default passwords. Pretty sad if you ask me.

they didn't remove all the docs

[thedrunkensailor]

there's another doc up there exposing the defualt master password at http://www.tritonatm.com/en/service/technical_bull etins/05-48.pdf i emailed them about it so it might come down

Re:"pwned"?

[mark-t]

Wikipedia's entry is reasonably spot on.

don't know about spot on

Wikipedia went a bit overboard with their definition. They pulled a bit of a Clavin. Owned started with gaming where one player played so much better than the other that they owned them, in that they could do with them what they pleased. pwned came about much later and is simply a misspelling of owned, look where the o and the p are on the keyboard. pwned and teh are common typos in games where you are franticly trying to type in a comment before you get killed. Therefore using them in your text implies a sense of frantic urgency.

That's all there is to it. Anybody trying to make a distinction on when and where the proper use of the term own vs. pwn is just talking out their tailpipe.

So what?

[delirium+of+disorder]

How many real ATMs have been exploited using this information? Manuals for common hardware are basically public information (although I'm sure the vendor retains copyright to them and could conceivably also use trade secret law to keep people from sharing proprietary information). I don't really think this is much of a threat. If you are a security researcher and want to learn more, here are two ATM manuals that I've found.
Images scanned from a physical ATM manual
A different manual in PDF form

Re:"Pwned", indeed

[QuantumFTL]

Bottom line, this is a perfectly routine default password issue. Blame your bank.

The manufacturers should have the firmware require a password change after the initial set-up. If everyone did this, this wouldn't be a problem. Of course, I also blame my bank!

Re:OT: What is the tune the ATM plays and why?

[jayloden]

Yeah, and why does it have to have those funny bumps on the keypad, too?

One thing I can think of is that blind ATM users would probably appreciate some sort of feedback to let them know the money is ready to be retrieved from the slot.

the easy solution

[jd]

Banks (or any organization, venture or activity involving people) are never going to bother doing more than they have to, so simply waise the bar on what they have to do. Doesn't sound that hard to me. Simply require that on first power-up the sys-admin code MUST be different from the default, and/or requires a dongle to be plugged into a port that can only be reached inside of the machine for the sys-admin code to work (but, in having it plugged in, all other codes are disabled).

Security of physical kiosks is trivial stuff, it has been done to death, and people understand the pros and cons of the different technologies. Personally, I'd abandon the ATM and switch to the Mondo card, or something similar, as the risks are generally lower all-round and the security is far better distributed. (We're not talking what vain PHB's refer to as a smart card - which is a bit of non-volatile RAM and the processing power of a seedless grape. We're talking asymetric strong encryption with full-blown key exchange algorithms, transaction processing and - if the device is to be meaningfully secure - transaction logging, event logging and data validation. Such a system should be totally decentralized with all transactions being 100% local, not indirect via half a dozen organizations with dubious security.)

The basic technology for a totally secure, totally impervious financial system has existed for a decade and a half, maybe two, with far better response times and far lower risks to those involved. If it were updated to the technology that exists today, and enough funding was made available to get the technology in place, you could eliminate 90% of all the points of vulnerability in the banking system and eliminate 50% of the related services which - these days - serve no purpose at all.

Re:"pwned"?

[HolyCause]

Actually, "pwned" is a (usually on purpose) typo of "owned", since on a standard QWERTY keyboard, P and O are beside each other.

I believe that this originated with WarCraft. In multiplayer, a typo for "own" was made: "playerX pwns playerY" or something similar (not sure on this myself, as I've never played WarCraft - it's just what I've heard). Of course, it could have originated as a common typo, but that's an interesting story behind it =)