Intelligent Machines

How to Make an ATM Spit Out Money

A computer security researcher demonstrates attacks on cash machines.

Yesterday, during a flashy presentation at the Black Hat security conference in Las Vegas, a computer security expert showed several ways to break into ATMs.

Hitting jackpot: Barnaby Jack, director of research for IOActive, readies an ATM for a demonstration at the Black Hat conference in Las Vegas.

Barnaby Jack, who is director of research at IOActive Labs, made cash pour from a machine for minutes on end. After studying four different companies’ models, he said, “every ATM I’ve looked at, I’ve found a ‘game over’ vulnerability that allowed me to get cash from the machine.” He’s even identified an Internet-based attack that requires no physical access.

This story is part of our July/August 2010 Issue
See the rest of the issue
Subscribe

The same talk was supposed to take place at last year’s Black Hat conference, but it was pulled at the last moment. In his presentation, which did not reveal the exact details of how he performed the attacks, Jack named two vendors–Triton and Tranax–and said he had been in contact with both about fixing the problems.

Jack demonstrated the attacks on two ATMs that he bought online and drove to Las Vegas from his company’s headquarters in San Jose. The hardware kit that he used in the demonstration cost less than $100 to make.

In one part of his presentation, he demonstrated a way for a thief to gain physical access to the ATM made by Triton. The device’s main circuit, or motherboard, is protected only by a door with a lock that is relatively easy to open (Jack was able to buy a key online). He then used a USB port on the motherboard to upload his own software, which changed the device’s display, played a tune, and made the machine spit out money.

An attack was also performed on the Tranax device, which is designed to accept software upgrades over an Internet phone link. Jack showed that a vulnerability in the machine’s software allowed him to bypass its authentication system and break in remotely.

Jack said it is possible to find ATMs by using a computer to call one phone number after another; he was able to locate numerous machines within a couple of hours by searching through a 10,000-number exchange. An attacker could then exploit the software vulnerability to install control software known as a rootkit. To withdraw money, the attacker would visit the ATM later with a fake card or steal information from other users.

Jack urged manufacturers to improve the physical locks protecting ATM motherboards and disable the ability to upgrade firmware remotely. He also suggested that the devices’ code be reviewed thoroughly. “I want to change the way people look at devices that are seemingly impenetrable,” he said.

Bob Douglas, vice president of engineering at Triton, said the company has developed a defense against Jack’s attack. The fix was released in November of last year, but Douglas couldn’t say what percentage of customers had implemented it. He added that the company plans to review its code and does sell ATMs with the option for a higher-security lock. Jack said he’s also been in touch with Tranax about the vulnerabilities he found in its machines.

Tech Obsessive?
Become an Insider to get the story behind the story — and before anyone else.

Subscribe today

Uh oh–you've read all of your free articles for this month.

Insider Premium
$179.95/yr US PRICE

More from Intelligent Machines

Artificial intelligence and robots are transforming how we work and live.

Want more award-winning journalism? Subscribe to Insider Plus.
  • Insider Plus {! insider.prices.plus !}*

    {! insider.display.menuOptionsLabel !}

    Everything included in Insider Basic, plus ad-free web experience, select discounts to partner offerings and MIT Technology Review events

    See details+

    What's Included

    Bimonthly home delivery and unlimited 24/7 access to MIT Technology Review’s website.

    The Download. Our daily newsletter of what's important in technology and innovation.

    Access to the Magazine archive. Over 24,000 articles going back to 1899 at your fingertips.

    Special Discounts to select partner offerings

    Discount to MIT Technology Review events

    Ad-free web experience

/
You've read all of your free articles this month. This is your last free article this month. You've read of free articles this month. or  for unlimited online access.