Slashdot Mirror

← Back to Stories (view on slashdot.org)

Hacker Develops ATM Rootkit

Posted by CmdrTaco on from the well-that-doesn't-make-me-feel-better dept.

alphadogg writes "One year after his Black Hat talk on automated teller machine security vulnerabilities was yanked by his employer, security researcher Barnaby Jack plans to deliver the talk and disclose a new ATM rootkit at the computer security conference. He plans to give the talk, entitled "Jackpotting Automated Teller Machines," at the Black Hat Las Vegas conference, held July 28 and 29. Jack will demonstrate several ways of attacking ATMs, including remote, network-based attacks."

12 of 181 comments (clear)

  1. Lawsuit? by _PimpDaddy7_ · · Score: 3, Interesting

    Can the banks file a lawsuit at him?

    I can't stand companies not taking security seriously.

    Remember when ATMs first came out? The data being sent from ATM to the bank's systems had NO encryption.

    1. Re:Lawsuit? by Ubergrendle · · Score: 4, Interesting

      It would depend upon the nature of hte hack. The promotional materials for his speech are light on details. Is this a top end ATM from NCR, or a white label generic ATM which are little more than PCs with a cash handler attached? What level of physical access does he need to the cabinet? Is this an internal exploit (implying you get your software/rootkit installed as part of a distribution) or he looking an something more subtle?

      I'll reserve judgement on his expose until i read of the details; i understand why he wouldn't want to advertise the juicy details before his presentaiton, but on the other hand I'm skeptical around what he's implying.

      --
      John Maynard Keynes: "When the facts change, I change my mind. What do you do?"
    2. Re:Lawsuit? by evilandi · · Score: 5, Interesting

      Remember when ATMs first came out? The data being sent from ATM to the bank's systems had NO encryption.

      Dude, it was the 1950s.How were they supposed to encrypt punch cards? Colour them in?

      The data was "sent" using the secure process of having a burly security guard open the little door at the back and carry the deposits, punch cards and microfilm (they took a photo of all deposits) over to the back office.

      --
      Andrew Oakley - www.aoakley.com
    3. Re:Lawsuit? by Lumpy · · Score: 3, Interesting

      No it doesnt, you point out the flaws without any info about you attached. I.E. Publish all the info outside the country.

      Honestly it blows my mind that any Computer nerd tries to do the white hat thing and tell a company about a problem. Simply send it in a letter that is untraced and say, "I'm publishing this in 90 days. you are getting a heads up because I'm a nice guy"

      Then in 90 put it on the net.

      They cant sue you if they have no idea who you are. Problem is most of these white hats are looking more for street "cred" and getting their name out than actually being a good guy.

      --
      Do not look at laser with remaining good eye.
    4. Re:Lawsuit? by Bakkster · · Score: 4, Interesting

      The problem is that it's a catch-22: usually the only way to find these vulnerabilities is to exploit them in the first place. And companies often don't grant access to white-hats because they think their systems are secure (or at least want to believe so), which can't be disproven until said hackers show them wrong.

      One would hope that a company wouldn't press charges unless there was malicious intent (he dispensed and pocketed several hundred dollar for himself to 'test' the system). Of course, this is America, and I have nowhere near that much faith in our corporations or justice system...

      --
      Write your representatives! Repeal the 2nd Law of Thermodynamics!
    5. Re:Lawsuit? by bws111 · · Score: 2, Interesting

      On what grounds? If you have been the victim of a fraud, and the bank didn't correct it, you can probably sue them. If you haven't been the victim of a fraud, but you just think their security is too lax, then don't use them. Kind of hard to rail at someone else for not taking security seriously when by definition you yourself aren't taking security seriously if you trust someone you consider non-trustworthy.

    6. Re:Lawsuit? by Legion303 · · Score: 4, Interesting

      "There's a difference between pointing out that a lock can be picked and demonstrating in detail how to do it. Especially when the audience isn't limited to the owner of the lock."

      Not legally, there isn't. I'll be giving a talk on exactly this subject in 6 weeks. Marc Tobias, a lawyer, has co-authored an extremely detailed book on picking, bypassing, and completely ignoring the security of Medeco Biaxial locks. Find a better analogy.

  2. hmm... by Pojut · · Score: 2, Interesting

    I know this is the sort of thing that goes on at black hat conferences, but could this guy potentially get in some sort of legal trouble for demonstrating what he has found?

    --
    Living With a Nerd
    1. Re:hmm... by Anonymous Coward · · Score: 2, Interesting

      I don't know about banks but credit unions care about security and keeping their ATMs up to date. Unfortunately, they are at the mercy of the ATM manufacturers, vendors and whoever provides the maintenance. I suppose banks could have different maintenance contract due to their size but normally software updates are part of the annual support contract.

  3. Operating System specific? by tecker · · Score: 2, Interesting

    The title says it is multi-platform but doesnt mention that anywhere in the article. So is this one that runs on CustomFW, Windows and Linux based ATMS?

    To me it would seem better to create a system that would raise the "your-not-with-OUR-bank-so-we-can-stiff-you" charge (charge em 3.50 for the transation then send 2 back to the bank per normal). Slow but would make money over time if EVERY atm had your code.

    --
    Procrastinating life a way at a rapid rate of speed.
  4. Great way to get money out of ATMS by Rogerborg · · Score: 4, Interesting

    Threaten to disclose the vulnerabilities, get paid hush money to pull your presentation (again). Rinse, repeat.

    --
    If you were blocking sigs, you wouldn't have to read this.
  5. Re:What OS? by spidrw · · Score: 2, Interesting

    I managed to crash an ATM once (not a good feeling when you just deposited 50 big checks). When it rebooted, there was the Start menu. Before the 'ATM software' fired up I was able to easily open a command prompt and even get IE going. Then the ATM stuff went full screen and everything was hunky dory - except for my deposit.