Hacker tricks ATM into doling out free cash

 

Gallery

By Reuters

Posted on 29 Jul 2010 at 08:22

A security expert showed off techniques for breaking into ATMs, causing machines to spit out cash to a cheering crowd at Black Hat in Las Vegas.

"I hope to change the way people look at devices that from the outside are seemingly impenetrable," Barnaby Jack, director of research at security consulting firm IOActive Labs, told a standing-room-only crowd before launching the demonstration using equipment he purchased over the internet.

I'm not naive enough to think I'm the only person who can do it

He spent over a year learning to break into stand-alone bank machines found at gas stations, bars and retail establishments.

At the annual Black Hat conference, Jack showed how he could upload his home-brewed piece of software dubbed Dillinger - named after the infamous bank robber - to an ATM made by privately held Tranax Technologies. After he infected the ATM, he approached the machine and instructed it to start dispensing cash.

Jack used a key available over the internet to open the case of an ATM from privately held Triton Systems, then inserted a USB thumb drive that forced the machine to spit out its entire jackpot.

The ATMs he tested run on Windows CE.

He said both the ATM makers have issued software that would prevent hackers from repeating the same attacks he performed onstage, but he added that ATMs from all manufacturers are still vulnerable to attack.

"I'm not naive enough to think I'm the only person who can do it," he said.

He also said he believed that the ATMs used by financial institutions were also vulnerable, but that he had not simulated any attacks because he had not been able to get hold of any bank ATMs.

Bob Douglas, vice president of engineering for Triton, said he was not aware of any successful attacks on his company's equipment.

Officials with Tranax could not be reached for comment.