Barnaby Jack, director of security research at IOActive Labs, demonstrated last week at the annual Black Hat conference just how vulnerable ATMs are. He demonstrated on two ATMs, both using the Microsoft Windows CE operating system. This disappoints me: I don’t use Windows computers to do on-line banking because I don’t trust their security. (To be safer, you should download a bootable Linux CD and boot from it when you wish to bank on-line. Reboot Windows when you’re done banking.)
Mr. Jack demonstrated two attacks on standalone or “hole in the wall” ATMs: one remote and one local. (He’s unsure if these attacks work on bank ATMs.) The remote attack required that the attacker know the phone number of the ATM’s dial-up modem. Many ATMs use a dial-up modem to communicate with their banks. (A simple war-dialing program would get you started on this attack.) Some ATMs have IP addresses: if they reside behind NAT (Network Address Translation) routers and firewalls this would help protect them. Then he showed that he could bypass the ATM’s authentication program to gain control of the ATM.
The local attack began by entering a supervisory sequence of keystrokes through the ATM keypad, which brought up an administrator menu that allowed him to eject banknotes from the ATM. Some ATMs allow a specially coded card to gain supervisory access.
One principle of system security is that the owner restrict physical access to the system. The ATM would be more secure from local attack if it required that service personnel first open a locked panel before punching in a security code to gain supervisory control. This raises another principle: there will always be a security versus convenience compromise.
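To make the two principles above concrete, here is an added example (not code from the article, from IOActive, or from any ATM vendor) of a supervisory-access gate in which the keypad code alone is never sufficient: a sensor behind a keyed service panel must report the panel open, the code is checked in constant time against a salted hash rather than stored in the clear, repeated failures trigger a lockout, and every decision is written to an audit log. The panel sensor, the service code, the salt and the lockout parameters are all constructed for illustration.

```python
"""Supervisory-access gate for an ATM-style device (hypothetical, added example).

The service menu is reachable only when a physically locked panel has been
opened (the interlock) AND a valid service code is entered. Failed attempts
are throttled and every decision is logged so a reviewer can see attempts
that were made with the panel closed.
"""
import hashlib
import hmac
import time
from dataclasses import dataclass, field

# Constructed salt; a real device would generate and store its own per unit.
SALT = b"example-device-salt"
PBKDF2_ROUNDS = 100_000


@dataclass
class PanelSensor:
    """Stand-in for a switch that is closed while the keyed panel is shut."""
    is_open: bool = False


@dataclass
class AuditLog:
    entries: list = field(default_factory=list)

    def record(self, event: str, **detail) -> None:
        self.entries.append({"ts": time.time(), "event": event, **detail})


def hash_code(code: str) -> bytes:
    """Salted, slow hash of the service code; the plaintext is never stored."""
    return hashlib.pbkdf2_hmac("sha256", code.encode(), SALT, PBKDF2_ROUNDS)


class SupervisoryGate:
    MAX_FAILURES = 3          # constructed policy values
    LOCKOUT_SECONDS = 300

    def __init__(self, code_hash: bytes, panel: PanelSensor, log: AuditLog,
                 clock=time.monotonic):
        self._code_hash = code_hash
        self._panel = panel
        self._log = log
        self._clock = clock       # injectable so behaviour can be tested
        self._failures = 0
        self._locked_until = 0.0

    def request_supervisory(self, keypad_code: str) -> bool:
        """Return True only if both factors (open panel + valid code) hold."""
        now = self._clock()
        if now < self._locked_until:
            self._log.record("denied", reason="lockout")
            return False
        # Physical interlock: the keypad sequence is checked only after the
        # locked panel has actually been opened.
        if not self._panel.is_open:
            self._log.record("denied", reason="panel_closed")
            return False
        # Constant-time comparison so timing does not leak matching prefixes.
        if not hmac.compare_digest(hash_code(keypad_code), self._code_hash):
            self._failures += 1
            self._log.record("denied", reason="bad_code",
                             failures=self._failures)
            if self._failures >= self.MAX_FAILURES:
                self._locked_until = now + self.LOCKOUT_SECONDS
                self._log.record("lockout", until=self._locked_until)
            return False
        self._failures = 0
        self._log.record("granted")
        return True


if __name__ == "__main__":
    panel, log = PanelSensor(), AuditLog()
    gate = SupervisoryGate(hash_code("2468-1357"), panel, log)
    print("panel closed:", gate.request_supervisory("2468-1357"))
    panel.is_open = True
    print("panel open:  ", gate.request_supervisory("2468-1357"))
    for entry in log.entries:
        print(entry)
```

The point of the design is that the convenience cost lands on the technician (a key and a code instead of just a code), while an attacker at the keypad gains nothing from knowing the sequence, and the log makes closed-panel attempts visible to whoever reviews it.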
ATMs are immobile shared devices; the bad guys have moved to individual users’ mobile devices. Smartphones are a new playground for criminals: during one Black Hat presentation, a wallpaper application for the Android smartphone installed its spiffy self and promptly uploaded its user’s personal data to a site in China. Maybe the fact that Apple insists that it certify every iPhone app makes sense, after all.
Roundup: A week of hacker news from Black Hat and Defcon (courtesy VentureBeat)
Visit my website: http://russbellew.com
Russ Bellew · Fort Lauderdale, Florida, USA · phone 954 873-4695