Jack showed how you could walk up to an ATM, break into it using a common universal key, and then use a universal serial bus (USB) stick to load a rootkit, or hacking software, that could compromise the machine’s security. On stage, he showed how he could run a program that could talk over the machines and get them to display “jackpot!” on the ATM screen and then spit out bills.
The crowd laughed and applauded throughout the attack. He said that the vulnerable machines included those running the Windows CE operating system from Microsoft on ARM or XScale-based chips. By taking over the machines, Jack said he could pretty much do anything with them, like playing movies on the screens. (See our roundup of all Black Hat and Defcon stories).
AI Weekly
The must-read newsletter for AI and Big Data industry written by Khari Johnson, Kyle Wiggers, and Seth Colaner.
Included with VentureBeat Insider and VentureBeat VIP memberships.
“They were developed without secure principles in mind,” Jack said. As he closed, he got a roar of applause.
In a press conference afterward, Jack said that he hacked the Trannax and Triton ATM machines and notified them of the problems before announcing the details of the attack. Triton patched its machines in November, sending updates out to customers. Trannax also addressed the problems. But Jack said that he has been able to hack four different kinds of ATMs that are widely used today. He did not identify which ones.
Bank ATMs are harder to attack because they have video cameras. But many ATMs have no security cameras and are hidden in places where they are easy to compromise without detection.
Triton engineer Jack Douglas attended the press conference and said that the company offers a unique key for customers to use on their ATMs, but many don’t use it because they want one key to work on many different ATMS.
Jack said that his change in employers did not affect his decision to talk this year. He said he was grumpy that his attack talk was pulled last year. But he said it was good thing because it gave ATM companies a chance to deal with their bugs. Still, there are probably a lot of vulnerable machines out there.
[aditude-amp id="medium1" targeting='{"env":"staging","page_type":"article","post_id":201806,"post_type":"story","post_chan":"none","tags":null,"ai":false,"category":"none","all_categories":"business,security,","session":"C"}']
Jack said he was inspired by the scene in a Terminator movie where a hacked ATM spews money.
VentureBeat's mission is to be a digital town square for technical decision-makers to gain knowledge about transformative enterprise technology and transact. Learn More