Two ATM manufacturers have released software updates to address the remotely exploitable vulnerabilities in their machines’ firmware that IOActive researcher Barnaby Jack demonstrated live on stage at the Black Hat conference last month.
In response to the demonstration, in which Jack was able to bypass the authentication mechanism on the ATMs and then load a small rootkit that he wrote, ATM manufacturers Hantle and Triton have released new versions of their firmware that fix the vulnerability. Both manufacturers are recommending that ATM owners install the updates immediately.
During his talk at Black Hat, Jack showed two separate, but related, techniques he developed for getting vulnerable ATMs to dispense all of the cash in their safes. The first involved using the remote-management interface to upload his Dillinger tool, which not only enabled him to cause the machine to dispense cash but also allowed him to download all of the track data associated with cards that have been used in the ATM.
The second attack was a local one in which Jack used a master key to open an ATM’s front panel, insert a USB key with his software on it and then use a special key sequence to bring up the management interface for Dillinger. That took roughly 10 seconds in his demonstration.
“There are attack vectors in all these standalone or hole-in-the-wall ATMs,” Jack warned during his talk, noting that many ATMs are protected by a master key that can be bought for $10.78 on hundreds of web sites. “With this master key, I can walk up to a secluded ATM and have access to USB [and] SD/CF slots. In some cases, opening and inserting my USB key was faster than installing a skimmer.”
Triton and Hantle also are recommending that customers who aren’t using the ATM’s remote management interface disable that feature to protect against any other remote attacks.