
Hacker Develops ATM Rootkit

Posted by CmdrTaco
from the well-that-doesn't-make-me-feel-better dept.
alphadogg writes "One year after his Black Hat talk on automated teller machine security vulnerabilities was yanked by his employer, security researcher Barnaby Jack plans to deliver the talk and disclose a new ATM rootkit at the computer security conference. He plans to give the talk, entitled "Jackpotting Automated Teller Machines," at the Black Hat Las Vegas conference, held July 28 and 29. Jack will demonstrate several ways of attacking ATMs, including remote, network-based attacks."
  • by WrongSizeGlass (838941) on Thursday May 06, 2010 @07:52AM (#32110138)
    I'm stuffing all my cash under my mattress from now on. If you can't trust a Diebold ATM, what can you trust?
  • Lawsuit? (Score:4, Interesting)

    by _PimpDaddy7_ (415866) on Thursday May 06, 2010 @07:54AM (#32110152)

    Can the banks file a lawsuit at him?

    I can't stand companies not taking security seriously.

    Remember when ATMs first came out? The data being sent from ATM to the bank's systems had NO encryption.

    • Re:Lawsuit? (Score:5, Insightful)

      by Capt James McCarthy (860294) on Thursday May 06, 2010 @08:01AM (#32110232) Journal

      Can the banks file a lawsuit at him?

      I can't stand companies not taking security seriously.

      Remember when ATMs first came out? The data being sent from ATM to the bank's systems had NO encryption.

      Why? For pointing out security flaws? I know people love litigation as a means to prevent actions, however once information can be presented at a conference, any conference, don't you think that the cat is already out of the bag somewhere else?

      Everyone should know that a lock can be picked. It's just a matter of return for a thief. Making the lock so time-consuming to pick that it's not worth it. So the ATM manufacturers have to create security that is not worth the criminals' time. Now if these hacks are easy, then I think the consumers have a right to hold the banks accountable.

      • Re:Lawsuit? (Score:5, Insightful)

        by _PimpDaddy7_ (415866) on Thursday May 06, 2010 @08:03AM (#32110252)

        Don't you remember Verizon and other companies SUED people when they showed their websites were UNSECURE?

        • Re:Lawsuit? (Score:5, Informative)

          by MBGMorden (803437) on Thursday May 06, 2010 @08:28AM (#32110522)

          Don't recall that one. Depends on the circumstances though. I remember a ton of other cases where the "showing they were insecure" part included hacking into the network in question. That's illegally accessing a computer system.

          It'd be akin to you telling your neighbor that his lock sucks and him just dismissing your idea.

          One of two possible scenarios then play out:

          a. You show at the next town meeting that your neighbor - John Q. Noob, is using a Lockatron LT-200 front door lock, and then proceed to show pictures, diagrams, and an example lock and how to pick it.

          b. He comes home the next day, and you're standing in his living room yelling "I TOLD YOU THE LOCK WASN'T ANY GOOD!!!!".

          A is fine. He'll get pissed and change his lock. B is trespassing. Too often in computer security terms people consider them the same action, and they aren't.

          • Re:Lawsuit? (Score:5, Interesting)

            by Bakkster (1529253) <Bakkster...man@@@gmail...com> on Thursday May 06, 2010 @09:05AM (#32110930)

            The problem is that it's a catch-22: usually the only way to find these vulnerabilities is to exploit them in the first place. And companies often don't grant access to white-hats because they think their systems are secure (or at least want to believe so), which can't be disproven until said hackers show them wrong.

            One would hope that a company wouldn't press charges unless there was malicious intent (he dispensed and pocketed several hundred dollars for himself to 'test' the system). Of course, this is America, and I have nowhere near that much faith in our corporations or justice system...

            • Re:Lawsuit? (Score:5, Insightful)

              by hrieke (126185) on Thursday May 06, 2010 @10:16AM (#32111620) Homepage

              No, the real reason is liability.
              If you sell the machine and believe it to be secure and sell it as such without the review & audit, and then it's proven to be insecure, fine, unknown bug.
              If you audit the machine with white hat hackers, they tell you of issues, you sell the machine anyways, it's hacked, you're on a very big hook.

              • by Bakkster (1529253)

                Exactly, and so the only way for people like us to have dependably secure systems to use (ATMs, banks, CCs, anything with a logon or PII) is for white-hat hackers to break the law. That needs to be fixed, one way or the other.

      • Re:Lawsuit? (Score:4, Informative)

        by baKanale (830108) on Thursday May 06, 2010 @08:23AM (#32110474)

        Financially bankrupting someone for pointing out security flaws might dissuade others from doing so in the future, for fear of the same consequences.

        • Re: (Score:3, Funny)

          by halcyon1234 (834388)

          Financially bankrupting someone for pointing out security flaws might dissuade others from doing so in the future, for fear of the same consequences.

          Not a chance. To get the cash to pay the fines, he'll just break into a bunch of ATMS.

          "Here's your $100,00, in $20 and $50s."

          • And pray tell me which ATM has $50 bills? Most ATMs I withdraw from, especially the Wells machines, have a max $20 bill. Dumb ass machines.
        • Re:Lawsuit? (Score:4, Interesting)

          by Lumpy (12016) on Thursday May 06, 2010 @09:00AM (#32110872) Homepage

          No it doesn't, you point out the flaws without any info about you attached. I.E. Publish all the info outside the country.

          Honestly it blows my mind that any Computer nerd tries to do the white hat thing and tell a company about a problem. Simply send it in a letter that is untraced and say, "I'm publishing this in 90 days. You are getting a heads up because I'm a nice guy."

          Then in 90 put it on the net.

          They can't sue you if they have no idea who you are. Problem is most of these white hats are looking more for street "cred" and getting their name out than actually being a good guy.

          • Re:Lawsuit? (Score:4, Insightful)

            by HungryHobo (1314109) on Thursday May 06, 2010 @10:01AM (#32111454)

            In the case of academics getting their names on the publications is more than an ego thing- it actually influences their chances of staying employed.

          • I tend to agree with your approach, if we had less people trying to get cred, and more that did exactly as you mentioned, you have 90 days to fix your bug or I go REALLY public with a how-to video that way even your grandmother can do this hack, then they have no choice.

      • Re: (Score:3, Insightful)

        by Daley_G (1592515)
        As much as it's true that a thief won't bother with something that's not worth his time, there's another side of the coin to keep in mind. If it costs considerably more to make something more secure, the customer isn't going to purchase the product to begin with. I've gotta believe that the banks have accepted a certain amount of risk, and therefore they've determined what those ATM's are worth to them given the cost of the unit itself as well as the cost of dealing with any issues that arise - including p
        • Re: (Score:3, Insightful)

          As much as it's true that a thief won't bother with something that's not worth his time, there's another side of the coin to keep in mind. If it costs considerably more to make something more secure, the customer isn't going to purchase the product to begin with.

          I've gotta believe that the banks have accepted a certain amount of risk, and therefore they've determined what those ATM's are worth to them given the cost of the unit itself as well as the cost of dealing with any issues that arise - including penetration.

          Very good point. So how do you deal with that concerning your customers? Do you warn them with a signed statement that says there is a risk of theft on ATM systems? Or are banks willing to eat the cost of a break-in (reimbursement) when it happens and not warn customers?

          • by vegiVamp (518171)
            Regardless of anything else, if you break into an ATM you're not gonna take the time to extract the money from victim accounts, you just tell it to start spitting bills.
      • by mapkinase (958129)

        Let's make an off-line analogy:

        An omnipresent part of an off-line security system nowadays is a security camera. Suppose you know that a particular building has blind spots that could be used by perpetrators to avoid identification during their physical approach to the building before or after an attack.

        Would it be ethical to publicize those blind spots?

    • Re: (Score:3, Insightful)

      by Yvanhoe (564877)
      Can the clients of the banks file lawsuits at them? I can't stand companies not taking security seriously.
      • Re: (Score:3, Interesting)

        by bws111 (1216812)
        On what grounds? If you have been the victim of a fraud, and the bank didn't correct it, you can probably sue them. If you haven't been the victim of a fraud, but you just think their security is too lax, then don't use them. Kind of hard to rail at someone else for not taking security seriously when by definition you yourself aren't taking security seriously if you trust someone you consider non-trustworthy.
    • Re:Lawsuit? (Score:5, Interesting)

      by Ubergrendle (531719) on Thursday May 06, 2010 @08:26AM (#32110502) Journal
      It would depend upon the nature of the hack. The promotional materials for his speech are light on details. Is this a top end ATM from NCR, or a white label generic ATM which are little more than PCs with a cash handler attached? What level of physical access does he need to the cabinet? Is this an internal exploit (implying you get your software/rootkit installed as part of a distribution) or is he looking at something more subtle?

      I'll reserve judgement on his expose until I read of the details; I understand why he wouldn't want to advertise the juicy details before his presentation, but on the other hand I'm skeptical around what he's implying.
      • by zmollusc (763634)

        Lol. The 'top end' NCR ATM is little more than a PC with a cash handler glued on. Also the cash handler is somewhat flaky and fragile and seems like a prototype rather than something that had been developed for and made on a production line.
        Mind you, Wincor Nixdorf aren't much better, although they look like they have been designed with CAD.

    • Re:Lawsuit? (Score:5, Interesting)

      by evilandi (2800) <andrew@aoakley.com> on Thursday May 06, 2010 @08:59AM (#32110868) Homepage

      Remember when ATMs first came out? The data being sent from ATM to the bank's systems had NO encryption.

      Dude, it was the 1950s. How were they supposed to encrypt punch cards? Colour them in?

      The data was "sent" using the secure process of having a burly security guard open the little door at the back and carry the deposits, punch cards and microfilm (they took a photo of all deposits) over to the back office.

  • hmm... (Score:3, Interesting)

    by Pojut (1027544) on Thursday May 06, 2010 @07:55AM (#32110162) Homepage

    I know this is the sort of thing that goes on at black hat conferences, but could this guy potentially get in some sort of legal trouble for demonstrating what he has found?

    • Re: (Score:3, Insightful)

      by Ephemeriis (315124)

      I know this is the sort of thing that goes on at black hat conferences, but could this guy potentially get in some sort of legal trouble for demonstrating what he has found?

      I'm sure he can.

      Which is stupid.

      Because if he knows this stuff he probably isn't the only one. And just the news that these machines can be hacked is going to have other people trying to figure out what he knows, even if he doesn't say anything. So whether he opens his mouth or not really isn't going to change how secure these machines are.

      All it will do, hopefully, is scare the manufacturers into improving their security.

    • by Abcd1234 (188840)

      I know this is the sort of thing that goes on at black hat conferences, but could this guy potentially get in some sort of legal trouble for demonstrating what he has found?

      I would think only if he shows himself, either in pre-recorded video or live, actually performing the hack on a real ATM. At that point, he could be charged under the computer fraud and abuse act. But simply doing a presentation on the topic, with details of the hacks? No, I don't think there's any law, yet, that makes *that* illegal,

    • Probably yes ...

      Any case would be trying to prove he used protected information illegally or actually hacked an ATM for gain ... he can't be prosecuted for publishing known information (freedom of the press)

    • by Opyros (1153335)
      Ask Dimitri Sklyarov [wikipedia.org].
  • ATM machine (Score:5, Funny)

    by Anonymous Coward on Thursday May 06, 2010 @07:55AM (#32110164)

    You almost made it through the whole summary without saying it.

  • by drc003 (738548) on Thursday May 06, 2010 @07:58AM (#32110200)
    ...just get a deal going with McAfee? Then their systems would be completely safe and always online!
  • by Dystopian Rebel (714995) * on Thursday May 06, 2010 @07:59AM (#32110212) Journal

    "from the well-that-doesn't-make-me-feel-better dept."

    Where's the zip, the punch in your writing? This is the news business! If Larry Wall can be funny AND write Perl code, so can you!

    Suggestions:

    "from the All Your ATM Are Belong To Us dept"

    "from the Who Says Cybercrime Doesn't Pay dept."

    "from the Your Money Is In Good Hands -- NOT dept"

    "from the Can We Have Human Tellers Again dept"

    "from the It'll Be The Debit Of Me dept."

  • Same hack that was used on diebold voting systems?

  • by tecker (793737) on Thursday May 06, 2010 @08:18AM (#32110414) Homepage
    The title says it is multi-platform but doesn't mention that anywhere in the article. So is this one that runs on CustomFW, Windows and Linux based ATMS?

    To me it would seem better to create a system that would raise the "your-not-with-OUR-bank-so-we-can-stiff-you" charge (charge em 3.50 for the transaction then send 2 back to the bank per normal). Slow but would make money over time if EVERY atm had your code.
    • Re: (Score:3, Insightful)

      by IBBoard (1128019)

      You get charged for using ATMs that aren't from your own bank? What weird kind of economy is that? The only way you generally get charged in the UK is a) if you're using a credit instead of a debit card (and then it is your card company charging you "cash advance" fees), b) if you're using one of those "convenience" ATMs that are in a pub etc or c) if you're not in the UK, at which point it is to "cover" international fees and talking with other banks in other countries (apparently).

      • by cayenne8 (626475)
        "You get charged for using ATMs that aren't from your own bank? "

        Absolutely!! Actually, I'm surprised that isn't a universal thing... guess you learn something new every day, eh?

        Yep, usually if you use an ATM that is not from your bank, that ATM will charge you about $2.50 fee at time of transaction, and later, your bank will charge you another $3 or so for using an out of bank machine.

        That's why when choosing a bank, I first look to see how many ATM's they have around town (and the country if it happens t

        • by tecker (793737)
          Wow, your bank charges you AGAIN for using a non-bank ATM? My bank actually refunds them because they found it was cheaper for people to use others' ATMs and then refund than upkeep their small network.
  • by ThrowAwaySociety (1351793) on Thursday May 06, 2010 @08:28AM (#32110512)

    Can anyone determine if these are Automated ATM Machines?

    I'd better be careful entering my personal PIN number into these from now on.

    • Re: (Score:2, Funny)

      by mutube (981006)

      Yes, they're Automated Automated Teller Machines. It's the extra level of automation that is really insecure.

      I remember when things were only automated once. Simpler times.

      (Your question was so daft I'm half waiting for a 'Whoosh!')

    • by TJamieson (218336)

      Ugh, no kidding. That's one of my biggest language pet peeves. (sig related)

    • Re: (Score:3, Funny)

      by spidrw (868429)
      I find it best to use part of my vehicle's VIN number when picking out my personal PIN number for use at the automated ATM machines. That way I can just read the reflection off my dash when punching the numbers into the LCD display.
  • What OS? (Score:4, Insightful)

    by AlecC (512609) <aleccawley@gmail.com> on Thursday May 06, 2010 @08:40AM (#32110660)

    As far as I can tell, all ATMs are based on data processing OSes - either ones with a desktop heritage then multi-processing and networking added on (Windows) or with a data processing/networking heritage with desktop added on (*nix families). It seems to me that they ought to be based on real-time control OSs, such as those used in the automotive and aerospace industry. I don't see how an ATM is any more complicated than a Digital Engine Control system, especially for state-of-the-art engines. People who design such systems know about reliability, which can include security in a limited function machine. The problem with general-purpose machines is that they have generalized functionality, just hidden away. Such systems can be subverted and the extra functionality exploited. Machines built from the ground up to do only what they have to do do not have the functionality to be subverted.

    I see no reason why such fixed-function machines should be much more expensive than those based on general purpose machines. There is an up-front cost in getting started, probably compensated by reduced security testing later. What will be harder is all the dreams the marketing people will have, of using the ATM to do other things, such as sell insurance. It will do only what it is built to do. Inflexible, but secure.

    • Re: (Score:2, Interesting)

      by spidrw (868429)
      I managed to crash an ATM once (not a good feeling when you just deposited 50 big checks). When it rebooted, there was the Start menu. Before the 'ATM software' fired up I was able to easily open a command prompt and even get IE going. Then the ATM stuff went full screen and everything was hunky dory - except for my deposit.
  • by Scholasticus (567646) on Thursday May 06, 2010 @08:41AM (#32110670) Journal
    John Connor did this way back in '91 ... which means the machines ... oh shit.
  • MITM? (Score:3, Insightful)

    by ArcCoyote (634356) on Thursday May 06, 2010 @08:44AM (#32110714)

    I'm wondering if this is more of a Man-in-the-Middle attack on the ATM's communication with the EFT network.

    The ATMs I've seen that aren't stuck right in a bank building's wall use some form of dial-up, be it a land line or a GSM modem.

  • by Rogerborg (306625) on Thursday May 06, 2010 @08:46AM (#32110734) Homepage
    Threaten to disclose the vulnerabilities, get paid hush money to pull your presentation (again). Rinse, repeat.
  • I hope (Score:3, Funny)

    by pjbgravely (751384) <pjbgravely2@nOSPAm.gmail.com> on Thursday May 06, 2010 @08:58AM (#32110864) Homepage Journal
    I hope they didn't use my hack where I type in 790 and get all the money I want.
  • ATM Security (Score:3, Insightful)

    by MC68040 (462186) <henric@digi[ ]-bless.com ['tal' in gap]> on Thursday May 06, 2010 @09:08AM (#32110960) Homepage

    I live in Europe, during my time having all sorts of cards that work in ATMs I've come to the conclusion that.. Most of them seem to run Windows (I've seen more BSODs than it's decent to mention).
    I'm not wanting to get into a debate about Windows security here; rather the point that there are plenty of rootkits for any given platform on the go today.

    The interesting point would be the actual attack vector; getting into a bank's internal network to access the ATM nodes would mean (from my point of view) that the ATMs are pretty uninteresting, however what else might lurk on the bank's network would be worth a lot more? On the other hand, if you could perform the "hack" quickly with just regular customer access to the machine, that'd be interesting... (thinking of terminator movie here...) ;)

    According to my bank balance that is my... well, I've no cents left, damn recession!

    • Imagine if you tell your partner "at 2am it's gonna dispense all the money, make sure you're standing there with a big bag to catch it all".

      That'd be very interesting to most thieves.

      • by MC68040 (462186)

        > Imagine if you tell your partner "at 2am it's gonna dispense all the money, make sure you're standing there with a big bag to catch it all".

        Sure, that is not my main point, however valid :) A big bag of cash is of course nice, but what you can perhaps access without being detected for some time, is another point. Hence the importance of the attack vector [in my point].

        An empty ATM machine with no logs; where the money went to should sound off immediate alarm bells...

        Fair game if you empty half a countr

  • All this attempted security through obfuscation by these companies is ridiculous, this talk will fill the room at the conference this year and with good reason. Hopefully, but unlikely, the ATM manufacturers have been talking with Barnaby over the past year so that the exploits he will unveil are remedied.

    By the way people, though the banks are the front, the ultimate responsibility for ATM device security lies in the manufacturer.
