ATM Hack Gives Cash On Demand
angry tapir writes "Windows CE-based ATMs can easily be made to dole out cash, according to security researcher Barnaby Jack. Exploiting bugs in two different ATMs at Black Hat, the researcher from IOActive was able to get them to spit out money on demand and record sensitive data from the cards of people who used them. Jack believes a large number of ATMs have remote management tools that can be accessed over a telephone. After experimenting with two machines he purchased, Jack developed a way of bypassing the remote authentication system and installing a homemade rootkit, named Scrooge."
ATMs are sold 'over the counter'.
They aren't even that expensive; it's possible to get a new ATM for about $2000 (though realistically a good ATM costs about $5000).
Here's one of the machines in question
They can be configured for either phone or IP network, and they're not that expensive, especially if you buy it used at a bar or restaurant bankruptcy.
Disclaimer: I own about 30 of these machines, and work as a repair tech for a statewide area. It's a nice side income.
Let's start at the beginning. This hack requires that a machine be connected to the outside via phone. This is increasingly going away. I would guess that 40% of the machines I work on are connected via internet now, as opposed to 15% a year ago.
My first comment is that the remote management software that is being exploited isn't turned on in the vast majority of the machines that are out there. Whether it's Triton Connect, or Tranax's remote access, all of the processors that I've encountered require that it be disabled for the machine to work. This software was important 4 or 5 years ago from a machine management standpoint, but with realtime internet tracking of machine status, there's just no reason for it to be enabled.
Now, as to the comment about keys not being unique per device: A key on an ATM opens two areas: the "computer" module on top of the safe, and the bit of plastic that obscures the safe dial. A service technician (like me) is most of the time a freelancer who's in this for some side cash. When I go to a customer's location, my goal is to fix the problem and get out. As I almost never need to get to the vault of the machine, I have a keyring that has the standard sized keys for all of the machines I work on. An access password or vault combination can be obtained by a call to the owner of the machine. A unique key, however, cannot.
Moreover, as many older machines require access to the processing unit in order to fill the machine (you have to hit a physical button to get into that menu), you have to make it easy for your armored service to access the top as well as the vault. It's unreasonable to expect a vaulting company to haul around 60 or 70 keys to fill the machines that they have on their list for that day.
The store owner buys or leases the machine. However, they don't change the default service password that's listed in the owner's manual. A manual you can buy online.
Well, I guess if I'm going to criticize, I'll start here. No PCI-compliant machines allow you to go through the configuration process without inputting 3 different levels of new password. The attack you describe above might have worked 2 years ago. No longer. Sorry. And you don't have to buy the manual, they're (mostly) available for free.
There have been several incidences of someone coming into a small store, typing in the series of key presses to get to the service menu, entering the default password, and wham, the machine gives them all the cash! It's quick and easy with no messy hacking necessary.
No there haven't. The only exploit that could be executed in person was the following:
1. Thief buys prepaid $200 Visa card with PIN.
2. Thief accesses the service menu of the machine (using default or socially engineered password).
3. Thief changes the machine's internal systems to think it's holding $5 bills instead of $20 bills.
4. Thief exits service menus.
5. Thief puts in card and withdraws $200. Since the machine thinks it's holding $5's, it dispenses 40 total $20 bills ($800). The thief makes off with a net of $600.
However, this exploit is no longer possible, as the master keys that allow an ATM to communicate with the processor are now erased when you change the denomination of bills the ATM dispenses.
The process you describe has never worked. There is an option in a service menu called "test dispense," but it kicks the bill into the reject bin, not into the cash pickup.
Please try again.