ATMs Can Be Hacked By Phone

By Jesse Emspak

August 5, 2010 5:54 PM EDT

Robbing automatic teller machines has been a rough business, since criminals have usually tried damaging the safe that holds the money. But ATMs can also be attacked remotely, by taking over their software.

Barnaby Jack, director of research at IOActive, a security consulting firm, demonstrated such a hack at the Black Hat conference in Las Vegas. Many ATMs, he said, use Windows CE as the operating system, and to make them cheap enough for local stores the hardware often lacks the capability to run a wide range of software.

Jack found he could call the ATM via its internet connection and convince it to let him bypass the password and serial number to get into the system. ATMs support remote access and control in order to make it easier to update software remotely.

Finding an ATM to call is not hard, as even a primitive "wardialer" - basically a machine that calls thousands of numbers at a time - can find ATMs, which often use dial-up connections.

From there, Jack was able to program the ATM to dispense money with a "jackpot" command. Theoretically someone with a modem connected to a laptop - or even a Wi-Fi connection - could drive past an ATM for which he knows the phone number and have it dispense cash.

The problem exists only for ATMs that appear in retail stores as stand-alone units. "Hole in the wall" versions (the ones used mostly by big banks) are much more secure from these kinds of attack as they are often on local area networks.

Jack added that the hack was not especially difficult for someone who can read some assembly code. "I had to reverse-engineer the protocol," he said. "I spent a good amount of time on it."

But that said, he noted that he isn't the only one who thought of this particular line of attack.

Another method is to open the ATM itself, using a master key. That offers access to the computer inside the machine. Jack was able to use a simple USB drive to upload software that let him take control of the ATM.

Jack said he notified the distributor of the ATMs he used in his tests, which were manufactured by Triton Technologies and Tranax Technologies. A patch was issued, and the problem seems to be fixed.

A bigger problem, he said, is that there are many other types of machine that use dial-up connections. Some point of sale systems, for example, are vulnerable to attacks like this one.

Attempts to reach Tranax were unsuccessful. Triton's vice president of engineering, Bob Douglas, said his company's ATMs were more vulnerable to having software uploaded through physical access to the machine -- Jack's second method -- but that has changed since Jack brought that vulnerability to the company's attention. The ATMs now ask for authentication to prove the software is from Triton.

Douglas said that for remote attacks, there are already measures in place so that the ATM will query the computer responding to a call to make sure that it is the right one.

He also noted one problem with the phone-based attack is locating the ATM you want to get money from, since tracing the phone number would only get you an area code. Denial of service attacks, however, would be a more common threat.

Douglas agreed that the reason ATMs tend to use relatively primitive operating systems is that they can't be too expensive. Using Windows XP, for example, would cost much more than the CE version because of license fees to Microsoft. Triton is discussing with Microsoft how to better secure the operating systems from remote attacks.

Customers are also switching over to ATMs that connect via IP to the Internet, bypassing dial-up connections. But Douglas noted ATMs can be in a given location for years, so the changes will take time.

This article is copyrighted by International Business Times, the business news leader