ATM Jackpots

I’d guess that most of you have seen one or more of the small ATMs that have been installed in convenience stores, bars, and restaurants.  Unlike the machines at your bank, which are probably built into a wall, these are free-standing devices; they typically do not have the name of a bank or other financial institution prominently displayed.  I’ve occasionally wondered how secure these machines really were — I’ve assumed that the “strongbox” that contains the actual cash is reasonably secure, as safes go, but I had no idea about the technology bits.

Now a security researcher has demonstrated, at the recent “Black Hat” security conference, that these ATMs aren’t very secure at all.  His presentation is described in an Ars Technica article:

In a city filled with slot machines spilling jackpots, it was a “jackpotted” ATM machine that got the most attention Wednesday at the Black Hat security conference, when researcher Barnaby Jack demonstrated two suave hacks against automated teller machines that allowed him to program them to spew out dozens of crisp bills.

One of the machines was hacked remotely, using a maintenance port that is accessible over the Internet or via Dial-up, depending on how the machine was configured.    This remote monitoring feature is turned on by default, although the vendor has apparently begun advising customers to turn it off for better security.  The other machine was hacked by replacing its software with malicious code loaded from a USB drive inserted into the front of the machine.  The USB connection is behind a locked panel, but the lock can be opened with a key readily available on the Web for about $10; furthermore, every machine from that manufacturer can be opened with the same key.  The excuse for this is really incredibly lame:

Two Triton representatives said at a press conference after the presentation that its customers preferred a single lock on systems so they could easily manage fleets of machines without requiring numerous keys.

By the same logic, it would seem that having no lock at all would be even more convenient.

The two machines Mr. Jack demonstrated at the conference were not unique:

After studying four different companies’ models, he said, “every ATM I’ve looked at, I’ve found a ‘game over’ vulnerability that allowed me to get cash from the machine.”

One expects a certain degree of security sloppiness on PCs and things like social networking sites.  But it is really surprising, and a bit depressing, to see this kind of thing on a machine which anyone with sense must know is an attack target.