Slashdot Mirror

← Back to Stories (view on slashdot.org)

Hacker Develops ATM Rootkit

Posted by CmdrTaco on from the well-that-doesn't-make-me-feel-better dept.

alphadogg writes "One year after his Black Hat talk on automated teller machine security vulnerabilities was yanked by his employer, security researcher Barnaby Jack plans to deliver the talk and disclose a new ATM rootkit at the computer security conference. He plans to give the talk, entitled "Jackpotting Automated Teller Machines," at the Black Hat Las Vegas conference, held July 28 and 29. Jack will demonstrate several ways of attacking ATMs, including remote, network-based attacks."

8 of 181 comments (clear)

  1. Re:Lawsuit? by Capt+James+McCarthy · · Score: 4, Insightful

    Can the banks file a lawsuit at him?

    I can't stand companies not taking security seriously.

    Remember when ATMs first came out? The data being sent from ATM to the bank's systems had NO encryption.

    Why? For pointing out security flaws? I know people love litigation as a means to prevent actions, however once information can be presented at a conference, any conference, don't you think that the cat is already out of the bag somewhere else.

    Everyone should know that a lock can be picked. It's just a matter of return for a thief. Making the lock so time consumable to pick that it's not worth it. So the ATM manufactures have to create security that is not worth the criminals time. Now if these hacks are easy, then I think the consumers have a right to hold the banks accountable.

    --
    There are no loopholes. It's either legal or it's not.
  2. Re:Lawsuit? by _PimpDaddy7_ · · Score: 4, Insightful

    Don't you remember Verizon and other companies SUED people when they showed their websites were UNSECURE?

  3. Re:Lawsuit? by Daley_G · · Score: 3, Insightful

    As much as it's true that a thief won't bother with something that's not worth his time, there's another side of the coin to keep in mind. If it costs considerably more to make something more secure, the customer isn't going to purchase the product to begin with. I've gotta believe that the banks have accepted a certain amount of risk, and therefore they've determined what those ATM's are worth to them given the cost of the unit itself as well as the cost of dealing with any issues that arise - including penetration.

  4. What OS? by AlecC · · Score: 4, Insightful

    As far as I can tell, all ATMs are based on data processing OSes - either ones with a desktop heritage then multi-processing and networking added on (Windows) or with a data processing/networking heritage with desktop added on (*nix families). It seems to me that they ought to be based on real-time control OSs, such as those used in the automotive and aerospace industry, I don't see how an ATM is any more complicated than a Digital Engine Control system, especially for state-of-the art engines. People who design such systems know about reliability, which can include security in a limited function machine. The problem with general-purpose machines is that they have generalized functionality, just hidden away. Such systems can be subverted and the extra functionality exploited. Machines built from the ground up to do only what they have to do do not have the functionality to be subverted.

    I see no reason why such fixed-function machines should be much more expensive that those based on general purpose machines. There is an up-front cost in getting started, probably compensated by reduced security testing later. Wat will be harder is all the dreams the marketing people will have, of using the ATM to do other things, such as sell insurance. It will do only what it is built to do. Inflexible, but secure.

    --
    Consciousness is an illusion caused by an excess of self consciousness.
  5. Re:hmm... by plover · · Score: 4, Insightful

    What pisses me off is that he is publishing this.

    Why does that make you mad?

    Only two groups of people should be upset by this revelation: any thieves exploiting the weakness who may soon lose their money stream, and the banks who have to plug these holes.

    The only reason the banks should have to be mad is that they may not have budgeted the costs of these fixes for this year. Well that's too bad, I'm all broke up for them.

    So again I ask, why you are mad? Are you a banker or a thief? (And yes those are usually different unless you're on Wall Street.)

    --
    John
  6. Re:Lawsuit? by HungryHobo · · Score: 3, Insightful

    In the case of academics getting their names on the publications is more than an ego thing- it actually influences their chances of staying employed.

  7. Re:Lawsuit? by hrieke · · Score: 4, Insightful

    No, the real reason is liability.
    If you sell the machine and believe it to be secure and sell it as such with out the review & audit, and then it's proven to be insecure, fine, unknown bug.
    If you audit the machine with white hat hackers, they tell you of issues, you sell the machine anyways, it's hacked, you're on a very big hook.

    --
    III.IIVIVIXIIVIVIIIVVIIIIXVIIIXIIIIIIIIVIIIIVVIIIV IIVIIIIIIVIII...
  8. Re:hmm... by plover · · Score: 4, Insightful

    His talk is a year old already. You don't think he's disclosed it to the banks long ago? No, they've had all the warning they need. Now it's time to prove they've fixed their equipment.

    Seriously, if he never releases his info, it will never get fixed. You can talk to the I.T. staff for a year about the problems and nothing will get done. The banks can even have a guy inside I.T. shouting "we gotta fix this!!" and he'll be ignored.

    Post it on the internet, deliver it to a roomful of blackhats, THEN something will get done. Until then, however, we're all still vulnerable to the bad guys who are already exploiting this kind of crap.

    --
    John