Barnaby Jack showed a live demonstration of how he hacked two different Windows CE-based ATMs on stage during a talk this afternoon at the Black Hat security conference in Las Vegas. Jack was scheduled to give the talk a year ago, but it was canceled after an ATM vendor objected to his then-employer, Juniper Networks. This year, Jack switched jobs to IOActive. The ease with which he hacked the machines should be a wake-up call for banks.
Jack showed how you could walk up to an ATM, break into it using a common universal key, and then use a universal serial bus (USB) stick to load a rootkit, or hacking software, that could compromise the machine’s security. On stage, he showed how he could run a program that could talk over the machines and get them to display “jackpot!” on the ATM screen and then spit out bills.
The crowd laughed and applauded throughout the attack. He said that the vulnerable machines included those running the Windows CE operating system from Microsoft on ARM or XScale-based chips. By taking over the machines, Jack said he could pretty much do anything with them, like playing movies on the screens. (See our roundup of all Black Hat and Defcon stories).
There are some easy countermeasures, such as putting physical locks on the machines with unique keys so it would be easier to prevent walk-up attacks. The keys are easily available on the internet, Jack said. The devices also ought to use a trusted software environment.
“They were developed without secure principles in mind,” Jack said. As he closed, he got a roar of applause.
In a press conference afterward, Jack said that he hacked the Trannax and Triton ATM machines and notified them of the problems before announcing the details of the attack. Triton patched its machines in November, sending updates out to customers. Trannax also addressed the problems. But Jack said that he has been able to hack four different kinds of ATMs that are widely used today. He did not identify which ones.
Bank ATMs are harder to attack because they have video cameras. But many ATMs have no security cameras and are hidden in places where they are easy to compromise without detection.
Triton engineer Jack Douglas attended the press conference and said that the company offers a unique key for customers to use on their ATMs, but many don’t use it because they want one key to work on many different ATMS.
Jack said that his change in employers did not affect his decision to talk this year. He said he was grumpy that his attack talk was pulled last year. But he said it was good thing because it gave ATM companies a chance to deal with their bugs. Still, there are probably a lot of vulnerable machines out there.
Jack said he was inspired by the scene in a Terminator movie where a hacked ATM spews money.