An attack was also performed on the Tranax device, which is designed to accept software upgrades over an Internet phone link. Jack showed that a vulnerability in the machine’s software allowed him to bypass its authentication system and break in remotely.
Jack said it is possible to find ATMs by using a computer to call one phone number after another; he was able to locate numerous machines within a couple of hours by searching through a 10,000-number exchange. An attacker could then exploit the software vulnerability to install control software known as a rootkit. To withdraw money, the attacker would visit the ATM later with a fake card or steal information from other users.
Jack urged manufacturers to improve the physical locks protecting ATM motherboards and disable the ability to upgrade firmware remotely. He also suggested that the devices’ code be reviewed thoroughly. “I want to change the way people look at devices that are seemingly impenetrable,” he said.
Bob Douglas, vice president of engineering at Triton, said the company has developed a defense against Jack’s attack. The fix was released in November of last year, but Douglas couldn’t say what percentage of customers had implemented it. He added that the company plans to review its code and does sell ATMs with the option for a higher-security lock. Jack said he’s also been in touch with Tranax about the vulnerabilities he found in its machines.