Researcher Discovers ATM Hack, Gets Silenced

Al writes "A researcher working for networking company Juniper has been forced to cancel a Black Hat presentation that would have revealed a way to hack into ATMs. The presentation focused on exploiting vulnerabilities in devices running the Windows CE operating system, including some ATMs. The decision to cancel was made to give the vendor concerned time to patch the problem, although the company was notified 8 months ago. The article mentions a growing trend in ATM hacking: In November 2008 thieves stole nearly $9 million from more than 130 cash machines in 49 cities worldwide. And earlier this year, the second biggest maker of ATMs, Diebold, warned customers in an advisory that certain cash machines in Eastern Europe had been loaded with malicious software capable of stealing financial information and the secret PINs from customers performing ATM transactions."

Ridiculous

So they've had 8 months warning, and now suddenly when researchers want to publish they now want time to fix it? Not indicative of a company that gives a flying fuck about security. They don't deserve time.

Re:Ridiculous

[furby076]

You're right they don't deserve it - but giving information to criminals to make it easier for them to steal - thus hurting society as a whole - is not the answer. Unfortunately the security of ATM's is greater then these researches desire to present their work.

Re:Ridiculous

[Svartalf]

Actually, they HAD time to fix it. It still is highly problematic- but the big problem with all this thinking that bars people from disclosing this stuff at the stage it's at right now is the highly flawed thinking that disclosing a vulnerability discloses it to potential attackers which will use it.

It's a bad thing to think the bad guys don't already know what you're showing off and presume that they're not doing it. Depending on the hack, they may be prepping for it or already screwing you over with it and you just don't know it yet. If a white/grey hat found it, I can assure you a black hat either has already found it or will shortly.

Re:Ridiculous

[poetmatt]

Companies only move upon losses and public fiascos. Politeness should be gone by 8 months. Honestly, "this can slash your profits to 0 or below" doesn't sound like a cause for concern?

I'm sure departments within the company can make that same argument for losses but those are harder to take care of than simple software fixes that people are nice enough to be willing to tell them what the issue is. I mean how much easier can you get than someone else doing the job for you, that you didn't do originally? etc etc.

Re:Ridiculous

[arose]

Current situation: society as a whole does not know the vulnerability or it's scope, criminals might or might not know the vulnerability and might or might not be actively exploiting it.

Full disclosure:anyone with enough brains and guts can exploit the vulnerability, society at large can take steps to minimize the risk since it is now known what exactly the risk is.

Re:Ridiculous

[spun]

You've made the classic mistake of assuming corporations have any motivation to do the right thing, as opposed to the profitable thing. They don't give a rat's ass who is using this hack. All they care about is the price of their shares. If keeping a dangerous vulnerability semi-secret for a few more months will help their share price, they don't really care how many people get screwed over. Think of it this way: if their ATMs were electrocuting people at random, they would do a cost benefit analysis to figure out the likely damages awarded at trials, and compare that to the cost of fixing the problem. If fixing the problem were more expensive, the company would happily go on killing people. You think they care about your freaking finances?

Re:Ridiculous

[Hizonner]

1. Diebold (or whoever; I don't know that it's Diebold) customers/partners are primarily banks, which are supposed to be in the business of worrying about securing money. It's negligent for a bank to buy a product without verifying its security. So, yes, they did in some sense cause the problem, or at least they bear a chunk of the blame for it.
2. If I use an ATM, I am a customer of Diebold's (or whoever's) customer, the bank, not a customer of Diebold. And what I'm paying the bank to do is to secure my transactions. I will admit that I've obviously hired an incompetent bank and am perhaps at fault for doing so, but that doesn't excuse the bank's incompetence. And I think my fault is reduced by the unavailability of banks that actually do their jobs, whereas banks would have access to decent ATMs if it they bothered to demand them.
3. Where do people get this nonsense? Diebold (or whoever) already charges as much for the ATMs as it can get away with. They don't set prices based on their costs; they set prices based on what customers willl pay, subject only to the proviso that if customers won't pay what it costs to make the product, they won't make the product at all. To a first approximation, in a properly functioning market with competition (and there is competition in ATMs), prices fall to approach marginal cost of production (for the most efficient producer). This doesn't increase marginal cost of production for anybody.
4. Maybe, except that it's NON-disclosure that actually enables the criminals, and that goes beyond this particular bug and beyond the case of ATMs. Not only does non-disclosure enable ATM manufacturers and whoever else to continue to ignore the problem while the criminals continue to exploit it, but, by ecouraging other companies in similar situations to do the same, it guarantees further problems. To prevent companies in general from ignoring problems, there needs to be a credible threat of disclosure if there isn't prompt action on reported problems. 8 months is way, way more than enough time. In order to maintain the credibility of the threat of disclosure, there needs to actually BE disclosure once in a while, so that companies know they actually have to live up to their responsibilities.

Release it anyway

[Hatta]

You don't need a conference to publicize a security problem. Post it on the internet, and the vendor will have plenty of incentive to implement a fix immediately.

Re:Release it anyway

[AndersOSU]

You don't think these ATMs will stay up if an exploit is published do you?

The sequence of events goes something like this:
Bank buys shitty ATMs
Exploits are developed
People start stealing from ATMs
Someone gives the ATM manufacturer the exploit and tells them to fix their problem
People continue to steal from ATMs
Someone (publicly) threatens to publish
ATM company says, "hold on give us a minute to fix it"
People continue stealing from ATMs

scenario A
ATM company fixes the problem
Banks and consumers never know their assets were exposed

scenario b
ATM company stalls
people continue to steal from ATMs
someone publishes
a whole lot of money is suddenly stolen in a very short time period
Banks shut down all vulnerable ATMs
Customers notice their ATMs don't work - maybe ask questions
Banks sue ATM manufacturer, become a little more careful about who they do business with in the future