Slashdot Mirror


Hacker Develops ATM Rootkit

alphadogg writes "One year after his Black Hat talk on automated teller machine security vulnerabilities was yanked by his employer, security researcher Barnaby Jack plans to deliver the talk and disclose a new ATM rootkit at the computer security conference. He plans to give the talk, entitled "Jackpotting Automated Teller Machines," at the Black Hat Las Vegas conference, held July 28 and 29. Jack will demonstrate several ways of attacking ATMs, including remote, network-based attacks."

7 of 181 comments

  1. OK, That's It! by WrongSizeGlass · · Score: 5, Funny

    I'm stuffing all my cash under my mattress from now on. If you can't trust a Diebold ATM, what can you trust?

    1. Re:OK, That's It! by MiniMike · · Score: 5, Funny

      If you can't trust a Diebold ATM, what can you trust?

      Weren't they voted as the #1 ATM?

    2. Re:OK, That's It! by Rogerborg · · Score: 5, Funny

      If you can't trust a Diebold ATM, what can you trust?

      Weren't they voted as the #1 ATM?

      By 107% of the respondents.

      --
      If you were blocking sigs, you wouldn't have to read this.
  2. ATM machine by Anonymous Coward · · Score: 5, Funny

    You almost made it through the whole summary without saying it.

  3. Why can't the ATM suppliers just... by drc003 · · Score: 5, Funny

    ...just get a deal going with McAfee? Then their systems would be completely safe and always online!

  4. Re:What OS? by Miser · · Score: 5, Informative

    Seconded. Diebold (specifically, the Opteva line) run plain old Windows XP. Some of them run Win XP Embedded. All of the "peripherals" in this case, such as the cash dispenser, card reader, depositor if equipped, etc., are just USB devices. The computer is NOT in the vault portion of the ATM, so if you can get into the flimsy door, you can get access to the computer.

    If you know the passwords (they are surprisingly easy ... or just use Hiren's to blank them out) you can get into the OS itself.

    I'm not sure why Diebold picked Windows, I would have preferred Linux of course, or perhaps back in the old days when the ATM wasn't a general purpose computer - it was a board with discrete circuitry and firmware. Everything to the network may be 3DES encrypted, but since it's Windows just get yourself a piece of malware on there and capture everything. Come back, retrieve the data, make yourself some cards, PROFIT. Of course, this required physical access.

    The older model ATMs (like the Cashsource Plus 200/400) still run eComStation (OS/2) and can connect via modem (really just serial) or TCP.

    NOT posting anonymously either. It's not like it's some big secret. If they secured their stuff, they wouldn't have to worry about it.

    -Miser

  5. Re:Lawsuit? by evilandi · · Score: 5, Interesting

    Remember when ATMs first came out? The data being sent from ATM to the bank's systems had NO encryption.

    Dude, it was the 1950s. How were they supposed to encrypt punch cards? Colour them in?

    The data was "sent" using the secure process of having a burly security guard open the little door at the back and carry the deposits, punch cards and microfilm (they took a photo of all deposits) over to the back office.

    --
    Andrew Oakley - www.aoakley.com