At the Black Hat USA 2010 conference in Las Vegas, Barnaby Jack, director of research at IOActive, demonstrated attacks that would allow a criminal to compromise ATMs. The attack techniques could allow hypothetical thieves to steal cash, copy customers' ATM card data, or learn the master passwords of the machines. While one of the attacks required a few seconds to open the ATM and insert a USB drive with code to overwrite the system, the other attack used a remote management feature commonly found on standalone ATMs.
Jack's presentation targeted machines made by Tranax and Triton, but other ATMs likely have similar security issues, he said.
"I found specific vulnerabilities in the ATM machines," Jack said during a press conference following the presentation. "But the attack surface is [similar] across the ATM industry as a whole ... In every ATM system I've looked at, I've been able to find flaws."
Jack said he used fairly simple analyses of the operating system and software commonly found on ATMs to create the exploits he demonstrated on stage. "We are back to 1999 in terms of code quality," he said.
Read the complete story by Robert Lemos at darkreading.com here.