A security researcher at the Black Hat conference has demonstrated a hacking technique that caused bank ATMs to vend all their cash.
Giving a presentation at the Black Hat 2010 conference in Las Vegas, security researcher Barnaby Jack demonstrated how it is possible to hack ATMs so that they not only dispense all their cash but also store the card details of would-be customers.
The hack involved gaining access to the internals with a universal key bought off the Internet and then using a USB key loaded with rootkit software. Jack said that he had been scheduled to give the presentation the previous year but, due to "circumstances beyond my control", had been forced to cancel the talk.
Jack said the benefit was that he had another year to research ATM attacks. The Black Hat talk demonstrated both local and remote attacks on two different models of ATM. The remote attacks were based on the idea that standalone ATMs are on telephone lines.
"I’ve always liked the scene in Terminator 2 where John Connor walks up to an ATM, interfaces his Atari to the card reader and retrieves cash from the machine. I think I’ve got that kid beat," wrote Jack in the briefing description.
The goal of the talk, as with others of a similar nature at the Black Hat conference, was to draw attention to security issues and discuss defence strategies. For his part, Jack advocated unique ATM hardware keys and protected software environments that would not be vulnerable to the type of attack he had demonstrated.