Slashdot Mirror

← Back to Stories (view on slashdot.org)

Hacker Develops ATM Rootkit

Posted by CmdrTaco on from the well-that-doesn't-make-me-feel-better dept.

alphadogg writes "One year after his Black Hat talk on automated teller machine security vulnerabilities was yanked by his employer, security researcher Barnaby Jack plans to deliver the talk and disclose a new ATM rootkit at the computer security conference. He plans to give the talk, entitled "Jackpotting Automated Teller Machines," at the Black Hat Las Vegas conference, held July 28 and 29. Jack will demonstrate several ways of attacking ATMs, including remote, network-based attacks."

31 of 181 comments (clear)

  1. OK, That's It! by WrongSizeGlass · · Score: 5, Funny

    I'm stuffing all my cash under my mattress from now on. If you can't trust a Deibold ATM, what can you trust?

    1. Re:OK, That's It! by MiniMike · · Score: 5, Funny

      If you can't trust a Deibold ATM, what can you trust?

      Weren't they voted as the #1 ATM?

    2. Re:OK, That's It! by Rogerborg · · Score: 5, Funny

      If you can't trust a Deibold ATM, what can you trust?

      Weren't they voted as the #1 ATM?

      By 107% of the respondents.

      --
      If you were blocking sigs, you wouldn't have to read this.
  2. Lawsuit? by _PimpDaddy7_ · · Score: 3, Interesting

    Can the banks file a lawsuit at him?

    I can't stand companies not taking security seriously.

    Remember when ATMs first came out? The data being sent from ATM to the bank's systems had NO encryption.

    1. Re:Lawsuit? by Capt+James+McCarthy · · Score: 4, Insightful

      Can the banks file a lawsuit at him?

      I can't stand companies not taking security seriously.

      Remember when ATMs first came out? The data being sent from ATM to the bank's systems had NO encryption.

      Why? For pointing out security flaws? I know people love litigation as a means to prevent actions, however once information can be presented at a conference, any conference, don't you think that the cat is already out of the bag somewhere else.

      Everyone should know that a lock can be picked. It's just a matter of return for a thief. Making the lock so time consumable to pick that it's not worth it. So the ATM manufactures have to create security that is not worth the criminals time. Now if these hacks are easy, then I think the consumers have a right to hold the banks accountable.

      --
      There are no loopholes. It's either legal or it's not.
    2. Re:Lawsuit? by _PimpDaddy7_ · · Score: 4, Insightful

      Don't you remember Verizon and other companies SUED people when they showed their websites were UNSECURE?

    3. Re:Lawsuit? by baKanale · · Score: 3, Informative

      Financially bankrupting someone for pointing out security flaws might dissuade others from doing so in the future, for fear of the same consequences.

    4. Re:Lawsuit? by Ubergrendle · · Score: 4, Interesting

      It would depend upon the nature of hte hack. The promotional materials for his speech are light on details. Is this a top end ATM from NCR, or a white label generic ATM which are little more than PCs with a cash handler attached? What level of physical access does he need to the cabinet? Is this an internal exploit (implying you get your software/rootkit installed as part of a distribution) or he looking an something more subtle?

      I'll reserve judgement on his expose until i read of the details; i understand why he wouldn't want to advertise the juicy details before his presentaiton, but on the other hand I'm skeptical around what he's implying.

      --
      John Maynard Keynes: "When the facts change, I change my mind. What do you do?"
    5. Re:Lawsuit? by MBGMorden · · Score: 4, Informative

      Don't recall that one. Depends on the circumstances though. I remember a ton of other cases where the "showing they were insecure" part included hacking into the network in question. That's illegally accessing a computer system.

      It'd be akin to you telling your neighbor that his lock sucks and him just dismissing your idea.

      One of two possible scenarios then play out:

      a. You show at the next town meeting that your neighbor - John Q. Noob, is using a Lockatron LT-200 front door lock, and then proceed to show pictures, diagrams, and and example lock and how to pick it.

      b. He comes home the next day, and you're standing in his living room yelling "I TOLD YOU THE LOCK WASN'T ANY GOOD!!!!".

      A is fine. He'll get pissed and change his lock. B is trespassing. Too often in computer security terms people consider them the same action, and they aren't.

      --
      "People who think they know everything are very annoying to those of us who do."-Mark Twain
    6. Re:Lawsuit? by Daley_G · · Score: 3, Insightful

      As much as it's true that a thief won't bother with something that's not worth his time, there's another side of the coin to keep in mind. If it costs considerably more to make something more secure, the customer isn't going to purchase the product to begin with. I've gotta believe that the banks have accepted a certain amount of risk, and therefore they've determined what those ATM's are worth to them given the cost of the unit itself as well as the cost of dealing with any issues that arise - including penetration.

    7. Re:Lawsuit? by evilandi · · Score: 5, Interesting

      Remember when ATMs first came out? The data being sent from ATM to the bank's systems had NO encryption.

      Dude, it was the 1950s.How were they supposed to encrypt punch cards? Colour them in?

      The data was "sent" using the secure process of having a burly security guard open the little door at the back and carry the deposits, punch cards and microfilm (they took a photo of all deposits) over to the back office.

      --
      Andrew Oakley - www.aoakley.com
    8. Re:Lawsuit? by Lumpy · · Score: 3, Interesting

      No it doesnt, you point out the flaws without any info about you attached. I.E. Publish all the info outside the country.

      Honestly it blows my mind that any Computer nerd tries to do the white hat thing and tell a company about a problem. Simply send it in a letter that is untraced and say, "I'm publishing this in 90 days. you are getting a heads up because I'm a nice guy"

      Then in 90 put it on the net.

      They cant sue you if they have no idea who you are. Problem is most of these white hats are looking more for street "cred" and getting their name out than actually being a good guy.

      --
      Do not look at laser with remaining good eye.
    9. Re:Lawsuit? by Bakkster · · Score: 4, Interesting

      The problem is that it's a catch-22: usually the only way to find these vulnerabilities is to exploit them in the first place. And companies often don't grant access to white-hats because they think their systems are secure (or at least want to believe so), which can't be disproven until said hackers show them wrong.

      One would hope that a company wouldn't press charges unless there was malicious intent (he dispensed and pocketed several hundred dollar for himself to 'test' the system). Of course, this is America, and I have nowhere near that much faith in our corporations or justice system...

      --
      Write your representatives! Repeal the 2nd Law of Thermodynamics!
    10. Re:Lawsuit? by HungryHobo · · Score: 3, Insightful

      In the case of academics getting their names on the publications is more than an ego thing- it actually influences their chances of staying employed.

    11. Re:Lawsuit? by hrieke · · Score: 4, Insightful

      No, the real reason is liability.
      If you sell the machine and believe it to be secure and sell it as such with out the review & audit, and then it's proven to be insecure, fine, unknown bug.
      If you audit the machine with white hat hackers, they tell you of issues, you sell the machine anyways, it's hacked, you're on a very big hook.

      --
      III.IIVIVIXIIVIVIIIVVIIIIXVIIIXIIIIIIIIVIIIIVVIIIV IIVIIIIIIVIII...
    12. Re:Lawsuit? by ClosedSource · · Score: 3, Informative

      Perhaps you're thinking of a night deposit box which isn't an ATM. There were no ATMs in the 1950s.

    13. Re:Lawsuit? by Legion303 · · Score: 4, Interesting

      "There's a difference between pointing out that a lock can be picked and demonstrating in detail how to do it. Especially when the audience isn't limited to the owner of the lock."

      Not legally, there isn't. I'll be giving a talk on exactly this subject in 6 weeks. Marc Tobias, a lawyer, has co-authored an extremely detailed book on picking, bypassing, and completely ignoring the security of Medeco Biaxial locks. Find a better analogy.

    14. Re:Lawsuit? by Zenaku · · Score: 3, Funny

      That's like saying that keeping your money in a big pile on your front lawn will protect you from safe-crackers.

      --
      If fate makes you a motorcycle, you become a motorcycle.
  3. ATM machine by Anonymous Coward · · Score: 5, Funny

    You almost made it through the whole summary without saying it.

  4. Why can't the ATM suppliers just... by drc003 · · Score: 5, Funny

    ...just get a deal going with McAfee? Then there systems would be completely safe and always online!

  5. Come on Taco, more imagination! by Dystopian+Rebel · · Score: 4, Funny

    "from the well-that-doesn't-make-me-feel-better dept."

    Where's the zip, the punch in your writing? This is the news business! If Larry Wall can be funny AND write Perl code, so can you!

    Suggestions:

    "from the All Your ATM Are Belong To Us dept"

    "from the Who Says Cybercrime Doesn't Pay dept."

    "from the Your Money Is In Good Hands -- NOT dept"

    "from the Can We Have Human Tellers Again dept"

    "from the It'll Be The Debit Of Me dept."

    --
    Rich And Stupid is not so bad as Working For Rich And Stupid.
  6. Re:Did anyone else read it as saying..... by ProfMobius · · Score: 3, Funny

    It is just you. I know a good specialist if you want.

    --
    EULA : By reading the above message, you agree that I now own your soul.
  7. ATM Machines by ThrowAwaySociety · · Score: 4, Funny

    Can anyone determine if these are Automated ATM Machines?

    I'd better be careful entering my personal PIN number into these from now on.

    1. Re:ATM Machines by spidrw · · Score: 3, Funny

      I find it best to use part of my vehicle's VIN number when picking out my personal PIN number for use at the automated ATM machines. That way I can just read the reflection off my dash when punching the numbers into the LCD display.

  8. What OS? by AlecC · · Score: 4, Insightful

    As far as I can tell, all ATMs are based on data processing OSes - either ones with a desktop heritage then multi-processing and networking added on (Windows) or with a data processing/networking heritage with desktop added on (*nix families). It seems to me that they ought to be based on real-time control OSs, such as those used in the automotive and aerospace industry, I don't see how an ATM is any more complicated than a Digital Engine Control system, especially for state-of-the art engines. People who design such systems know about reliability, which can include security in a limited function machine. The problem with general-purpose machines is that they have generalized functionality, just hidden away. Such systems can be subverted and the extra functionality exploited. Machines built from the ground up to do only what they have to do do not have the functionality to be subverted.

    I see no reason why such fixed-function machines should be much more expensive that those based on general purpose machines. There is an up-front cost in getting started, probably compensated by reduced security testing later. Wat will be harder is all the dreams the marketing people will have, of using the ATM to do other things, such as sell insurance. It will do only what it is built to do. Inflexible, but secure.

    --
    Consciousness is an illusion caused by an excess of self consciousness.
    1. Re:What OS? by Miser · · Score: 5, Informative

      Seconded. Diebold (specifically, Opteva line) run plain old Windows XP. Some of them run Win XP Embedded. All of the "peripherals" in this case such as the cash dispenser, card reader, depositor if equipped, etc are just USB devices. The computer is NOT in the vault portion of the ATM, so if you can get into the flimsy door, you can get access to the computer.

      If you know the passwords (they are surprisingly easy ... or just use Hiren's to blank them out) you can get into the OS itself.

      I'm not sure why Diebold picked Windows, I would have preferred Linux of course, or perhaps back in the old days when the ATM wasn't a general purpose computer - it was a board with discrete circuitry and firmware. Everything to the network may be 3DES encrypted, but since it's Windows just get yourself a piece of malware on there and capture everything. Come back, retrieve the data, make yourself some cards, PROFIT. Of course, this required physical access.

      The older model ATMs (like the Cashsource Plus 200/400) still run eComstation (OS/2) and can connect via modem (really just serial) or TCP.

      NOT posting anonymously either. It's not like it's some big secret. If they secured their stuff, they wouldn't have to worry about it.

      -Miser

  9. Not Sarah, John This Time! by Scholasticus · · Score: 3, Funny

    John Connor did this way back in '91 ... which means the machines ... oh shit.

  10. Re:My friend is a Linux hacker... by Yvan256 · · Score: 4, Funny

    So the combination is... one, two, three, four, five? That's the stupidest combination I've ever heard in my life! The kind of thing an idiot would have on his luggage!

  11. Great way to get money out of ATMS by Rogerborg · · Score: 4, Interesting

    Threaten to disclose the vulnerabilities, get paid hush money to pull your presentation (again). Rinse, repeat.

    --
    If you were blocking sigs, you wouldn't have to read this.
  12. Re:hmm... by plover · · Score: 4, Insightful

    What pisses me off is that he is publishing this.

    Why does that make you mad?

    Only two groups of people should be upset by this revelation: any thieves exploiting the weakness who may soon lose their money stream, and the banks who have to plug these holes.

    The only reason the banks should have to be mad is that they may not have budgeted the costs of these fixes for this year. Well that's too bad, I'm all broke up for them.

    So again I ask, why you are mad? Are you a banker or a thief? (And yes those are usually different unless you're on Wall Street.)

    --
    John
  13. Re:hmm... by plover · · Score: 4, Insightful

    His talk is a year old already. You don't think he's disclosed it to the banks long ago? No, they've had all the warning they need. Now it's time to prove they've fixed their equipment.

    Seriously, if he never releases his info, it will never get fixed. You can talk to the I.T. staff for a year about the problems and nothing will get done. The banks can even have a guy inside I.T. shouting "we gotta fix this!!" and he'll be ignored.

    Post it on the internet, deliver it to a roomful of blackhats, THEN something will get done. Until then, however, we're all still vulnerable to the bad guys who are already exploiting this kind of crap.

    --
    John