Using tools dubbed Dillinger and Scrooge, a security researcher showed how to hack an automated teller machine in front of a crowd of hackers and security professionals today. Barnaby Jack gave a live demonstration of how he hacked two different Windows CE-based ATMs on stage during a talk this afternoon at the Black Hat security conference in Las Vegas. Jack was scheduled to give the talk a year ago, but it was pulled by his then-employer, Juniper Networks. This year, Jack switched jobs to IOActive. The ease with which he hacked the machines should be a wake-up call for banks. Jack showed how you could walk up to an ATM, open it using a common universal key, and then use a universal serial bus (USB) stick to load a rootkit, or hacking software, that could compromise the machine’s security.
On stage, he showed how he could run a program that could take over the machines and get them to display “jackpot!” on the ATM screen and then spit out bills. The crowd laughed and applauded throughout the attack. He said that the vulnerable machines included those running the Windows CE operating system from Microsoft on ARM or XScale-based chips. By taking over the machines, Jack said he could do pretty much anything with them, like playing movies on the screens. There are some easy countermeasures, such as putting physical locks on the machines with unique keys, which would make walk-up attacks easier to prevent.
The keys are easily available on the internet, Jack said. The devices also ought to use a trusted software environment. “They were developed without secure principles in mind,” Jack said. As he closed, he got a roar of applause.
In a press conference afterward, Jack said that he hacked the Tranax and Triton ATM machines and notified the companies of the problems before announcing the details of the attack. Triton patched its machines in November, sending updates out to customers. Tranax also addressed the problems. But Jack said that he has been able to hack four different kinds of ATMs that are widely used today. He did not identify which ones. Bank ATMs are harder to attack because they have video cameras. But many ATMs have no security cameras and are installed in places where they are easy to compromise without detection.
Triton engineer Jack Douglas attended the press conference and said that the company offers a unique key for customers to use on their ATMs, but many don’t use it because they want one key to work on many different ATMs. Jack said that his change in employers did not affect his decision to talk this year. He said he was grumpy that his attack talk was pulled last year. But he said it was a good thing because it gave ATM companies a chance to deal with their bugs. Still, there are probably a lot of vulnerable machines out there.
Jack said he was inspired by the scene in a Terminator movie where a hacked ATM spews money.
Barnaby Jack hit the jackpot at Black Hat on Wednesday. Exploiting bugs in two different ATMs, the researcher from IOActive was able to get them to spit out money on demand and record sensitive data from the cards of people who used them. Barnaby Jack demonstrates his ATM exploit at Black Hat on Wednesday.
He showed the attacks on two systems he had purchased himself - the type of generic ATMs typically found in bars and convenience stores. Criminals have been hitting this type of machine for years, using ATM skimmers to record card data and PINs, or in some cases simply pulling up a truck and hauling the machines away. Patches have already been developed for the systems, built by ATM-makers Triton and Tranax, Jack said. Triton patched the issue in November 2009, said Bob Douglas, Triton's vice president of engineering. Douglas showed up at Black Hat to attend the talk and a subsequent press conference.
Tranax could not immediately be reached for comment. Tranax has had security problems before. In 2006, a Virginia Beach, Virginia, criminal used a keypad code to reprogram a Tranax machine into thinking it was dispensing $5 bills. Then, using an anonymous prepaid debit card, he withdrew $20 bills, but was only debited for one-quarter of the money he took. A manual showing how to do this was available on the Web.
But according to Jack there's an easier, much more alarming way to get the money out. Criminals can connect to the machines by dialing them up - Jack believes a large number of them have remote management tools that can be accessed over a telephone - and then launching an attack. After experimenting with his own machines, Jack developed a way of bypassing the remote authentication system and installing a homemade rootkit, named Scrooge, that lets him override the machine's firmware. He also developed an online management tool, called Dillinger, that can keep track of compromised machines and store data stolen from people who use them. Criminals could find vulnerable ATMs by using open-source 'war-dialling' software to call hundreds of thousands of numbers, looking for those that respond by saying they have the vulnerable management software installed. Criminals have already used a similar technique over the Internet to break into vulnerable point-of-sale systems.
Jack's tools are just proof-of-concept software, designed to show how vulnerable the machines really are, he said. 'The goal of the talk is to spark discussion on the best ways to remediate,' he said. 'It's time to give these devices an overhaul,' Jack said. 'Companies who manufacture the devices aren't. They haven't had 10 years of continual attacks against them.' The machines Jack hacked were, however, based on Microsoft's Windows CE operating system. In a dramatic on-stage demonstration at Black Hat, he connected remotely to an ATM and ran a program called Jackpot that caused the ATM to spit out cash, while playing a tune and splashing the word 'Jackpot' across the screen of the machine.
In a second demo, he walked up to the machine, opened it with a key he had obtained on the Internet, and installed his own firmware. A single, standard key can open many different types of machines, he said, presenting another serious security problem. He demonstrated the remote attack on an unpatched Tranax system; the hands-on attack was on an older Triton machine, he said. Jack had planned to deliver the talk at last year's conference, but it was pulled after ATM vendors asked for more time to patch the issues he'd discovered.
He got the green light for the talk after leaving his former employer, Juniper Networks, and taking a job with IOActive, a company that sells - among other things - The security researcher seems to have had a good time researching ATM bugs. When a delivery man showed up, asking him why on earth he'd want a machine delivered to his home, Jack quipped, 'Oh, I just don't like the transaction fees, mate.' Robert McMillan covers computer security and general technology breaking news for The IDG News Service.