LAS VEGAS — Using home-brewed software tools and exploiting a gaping security hole in the authentication mechanism used to update the firmware on automated teller machines (ATMs), a security researcher hacked into ATMs made by Triton and Tranax and planted a rootkit that dispensed cash on demand.
Barnaby Jack, Director of Research at IOActive Labs, used a laptop with a custom-built software tool called “Dillinger” (named after the famous bank robber) to overwrite the machine’s internal operating system, take complete control of the ATM and send commands for it to spew cash on demand.
At the Black Hat security conference here, Jack demonstrated two different attacks against Windows CE-based ATMs — a physical attack using a master key purchased on the Web and a USB stick to overwrite the machine’s firmware; and a remote attack that exploited a flaw in the way ATMs authenticate firmware upgrades.
He did not provide any technical details that would allow anyone to reproduce the attack techniques but suggested that a skilled hacker could exploit these weaknesses if ATM manufacturers continue to create software with gaping security holes.
Although the attacks were demonstrated against ATMs made by Tranax and Triton, Jack warned that his attacks could have been performed against a wide variety of ATM brands and called on the financial services sector to invest in code reviews, blackbox audits and penetration tests.
“There are attack vectors in all these standalone or hole-in-the-wall ATMs,” Jack warned, noting that many ATMs are protected by a master key that can be bought for $10.78 on hundreds of web sites. “With this master key, I can walk up to a secluded ATM and have access to USB [and] SD/CF slots. In some cases, opening and inserting my USB key was faster than installing a skimmer,” he said.
The most impressive attack, which used the “Dillinger remote ATM attack/admin tool, was done via a laptop connected to the ATM. It launched an exploit against an authentication bypass vulnerability in the ATM’s remote monitoring feature (this is enabled by default on all ATMs) and allowed the hacker to retrieve ATM settings, master passwords, receipt data and the location and name of the business hosting the ATM.
The Dillinger tool came with a graphical UI that included features to “Retrieve Track Data,” or simply “Jackpot!”. A click of the Jackpot button and the commandeered ATM started spewing cash on demand.
“If someone inserts a card on that machine, I can capture and save the track data remotely,” Jack said, explaining that his rootkit runs on a device hidden in the background. The rootkit even sets up a hidden pop-up menu that can be activated by special key sequence. The menu functions included instructions to “dispense cash from each cassette,” “print stats on remaining bill counts,” and “Exit!”
After his talk, Jack suggested that TM makers offer upgrade options on physical locks or a unique key for each ATM. He also recommended the use of executable signing at kernel level to block his attack vector.
To mitigate remote attacks, Jack said ATM manufacturers should disable the on-by-default remote monitoring feature on the machines.