Barnaby Jack – How To Make An ATM Spew Out Money
[Barnaby Michael Douglas Jack (November 22, 1977 – July 25, 2013)] Source: LYBIO.net
In a theatrical demonstration earlier this year, Barnaby Jack, Director of Research at IOActive Labs, showed how he could take control of an ATM and, among other things, make it spit out money. Here, Jack explains why and how he performed the stunt.
When you think of ATM security, you typically think about like physical security, right? Is the ATM bolted down properly? Are the cameras in place? You don’t typically think about the actual underlying software on the ATM. So I figured it was about – about right time that someone actually pulled these things apart, looked at the software and see if there’s vulnerabilities there and once I actually tore the lid off and found out how many vulnerabilities actually exists there, it was quite shocking in a way.
Jack used his discoveries to design two different attacks against standalone ATMs. Here he demonstrates them.
[Barnaby Jack:]
The first attack is a walk-up style attack. Now, all of these standalone ATMs, they ship over a master key. So this master key will open the top compartment, which allows access to the motherboard. It won’t open the safe or anything like that, but this one key will open all the ATMs from that same manufacturer. And now that you have access to the motherboard, you can now update the software locally. So as long as that software adheres to the correct format, the ATM will happily overwrite its software with this new code. Now, of course, this new code will allow you to dump from the entire dispenser and do other notorious deeds.
And the other attack is the remote attack. Now, all of these standalone ATMs, they support remote management or remote configuration. So you can log into your ATM, change your splash screen, retrieve the settings and all that type of thing. Generally, to be able to do this, you require a combination of passwords, a serial number, and what have you. I found the vulnerability, which will allow me to bypass all of these passwords and then upload my own software onto the ATM remotely and, of course, my own software will capture credit card details, dump from the dispenser and all that type of thing.
And the worst part about this is, is these ATMs ship with this functionality enabled by default. And the reason they enable this functionality is so they can – is ironically enough, so they can ship security patches to these ATMs.
[Barnaby Jack:]
It takes a specialized skill set to actually come up with these attacks, and for myself, it was about eight months of fairly constant work. But I am not naive enough to think that I am the only person who could do this. And the thing is, with this type of attacks, it only takes one person to come up with that attack and then they can distribute that software to whoever else. So it only takes one person to do it. To this – at the moment we haven’t seen any of these exploits replicated, but it’s certainly possible. At the moment the ATM manufacturers have shipped patches to their ATM, but of course, with the actual ATM owners who have applied those patches is a different story.