Slashdot Mirror

← Back to Stories (view on slashdot.org)

Hacker Develops ATM Rootkit

Posted by CmdrTaco on from the well-that-doesn't-make-me-feel-better dept.

alphadogg writes "One year after his Black Hat talk on automated teller machine security vulnerabilities was yanked by his employer, security researcher Barnaby Jack plans to deliver the talk and disclose a new ATM rootkit at the computer security conference. He plans to give the talk, entitled "Jackpotting Automated Teller Machines," at the Black Hat Las Vegas conference, held July 28 and 29. Jack will demonstrate several ways of attacking ATMs, including remote, network-based attacks."

6 of 181 comments (clear)

  1. Re:Lawsuit? by baKanale · · Score: 3, Informative

    Financially bankrupting someone for pointing out security flaws might dissuade others from doing so in the future, for fear of the same consequences.

  2. Re:Lawsuit? by MBGMorden · · Score: 4, Informative

    Don't recall that one. Depends on the circumstances though. I remember a ton of other cases where the "showing they were insecure" part included hacking into the network in question. That's illegally accessing a computer system.

    It'd be akin to you telling your neighbor that his lock sucks and him just dismissing your idea.

    One of two possible scenarios then play out:

    a. You show at the next town meeting that your neighbor - John Q. Noob, is using a Lockatron LT-200 front door lock, and then proceed to show pictures, diagrams, and and example lock and how to pick it.

    b. He comes home the next day, and you're standing in his living room yelling "I TOLD YOU THE LOCK WASN'T ANY GOOD!!!!".

    A is fine. He'll get pissed and change his lock. B is trespassing. Too often in computer security terms people consider them the same action, and they aren't.

    --
    "People who think they know everything are very annoying to those of us who do."-Mark Twain
  3. Re:What OS? by Miser · · Score: 5, Informative

    Seconded. Diebold (specifically, Opteva line) run plain old Windows XP. Some of them run Win XP Embedded. All of the "peripherals" in this case such as the cash dispenser, card reader, depositor if equipped, etc are just USB devices. The computer is NOT in the vault portion of the ATM, so if you can get into the flimsy door, you can get access to the computer.

    If you know the passwords (they are surprisingly easy ... or just use Hiren's to blank them out) you can get into the OS itself.

    I'm not sure why Diebold picked Windows, I would have preferred Linux of course, or perhaps back in the old days when the ATM wasn't a general purpose computer - it was a board with discrete circuitry and firmware. Everything to the network may be 3DES encrypted, but since it's Windows just get yourself a piece of malware on there and capture everything. Come back, retrieve the data, make yourself some cards, PROFIT. Of course, this required physical access.

    The older model ATMs (like the Cashsource Plus 200/400) still run eComstation (OS/2) and can connect via modem (really just serial) or TCP.

    NOT posting anonymously either. It's not like it's some big secret. If they secured their stuff, they wouldn't have to worry about it.

    -Miser

  4. Re:Lawsuit? by evilandi · · Score: 2, Informative

    The threat alone is enough because no individual (or group) can afford to spend as much money on a bogus lawsuit as any of these companies

    Perhaps, in America. But civilised countries have systems of taxpayer-funded legal aid for those unable to mount their own defence, or have strict rules about misuse of court process. This kind of tomfoolery simply doesn't happen in the UK, for example; the most recent attempt being some chiropractors who tried to sue a British science journalist for proving their profession was bunkum. The chiropractors suffered the judicial equivalent of having flaming oil poured over them.

    --
    Andrew Oakley - www.aoakley.com
  5. Re:Lawsuit? by ClosedSource · · Score: 3, Informative

    Perhaps you're thinking of a night deposit box which isn't an ATM. There were no ATMs in the 1950s.

  6. Re:Lawsuit? by Zenaku · · Score: 2, Informative

    The entire purpose of a man-in-the-middle attack is work around the fact that the attacker cannot eavesdrop directly on an encrypted channel. The attacker wants the authentication credentials for your bank account, but the communication is encrypted. So instead he tricks the client device into opening an encrypted channel to HIM instead, by poisoning a DNS cache for instance, and gets you to send him the credentials directly. The whole point is to get access to what he needs to access your account.

    If the data is transmitted in the clear, MITM is completely unnecessary. He just eavesdrops on the communication and gets the credentials.

    It's not about "seeing your money." It's about seeing the secret numbers needed to access your money. Perhaps it would have been a better analogy if I had said that it was akin to thinking that posting the combination to your safe on a sign right next to it would protect you from safe-crackers, but I still fail to see your point.

    --
    If fate makes you a motorcycle, you become a motorcycle.