Hackers study vulnerabilities as ATMs spit cash
By Jim Finkle
LAS VEGAS (Reuters) - A security expert showed off techniques for breaking into ATMs, causing machines to spit out cash to a cheering crowd at an annual gathering of hackers.
"I hope to change the way people look at devices that from the outside are seemingly impenetrable," Barnaby Jack, director of research at security consulting firm IOActive Labs, told a standing-room-only crowd before launching the demonstration using equipment he purchased over the Internet.
He spent over a year learning to break into stand-alone automated teller machines found at gas stations, bars and retail establishments.
At the annual Black Hat conference, Jack showed how he could upload his home-brewed piece of software dubbed Dillinger -- named after the infamous bank robber -- to an ATM made by privately held Tranax Technologies. After he infected the ATM, he approached the machine and instructed it to start dispensing cash.
Jack used a key available over the Internet to open the case of an ATM from privately held Triton Systems, then inserted a USB thumb drive that forced the machine to spit out its entire jackpot.
The ATMs he tested run on Windows CE, a version of Microsoft Corp's ubiquitous operating system widely used in specialized computers, such as ATMs.
He said both the ATM makers have issued software that would prevent hackers from repeating the same attacks he performed onstage, but he added that ATMs from all manufacturers are still vulnerable to attack.
"I'm not naive enough to think I'm the only person who can do it," he said. Continued...