A security expert showed off techniques for breaking into ATMs, causing machines to spit out cash to a cheering crowd at an annual gathering of hackers. “I hope to change the way people look at devices that from the outside are seemingly impenetrable,” Barnaby Jack, director of research at security consulting firm IOActive Labs, told a standing-room-only crowd before launching the demonstration using equipment he purchased over the Internet. He spent over a year learning to break into stand-alone automated teller machines found at gas stations, bars and retail establishments.
At the annual Black Hat conference, Jack showed how he could upload his home-brewed piece of software dubbed Dillinger — named after the infamous bank robber — to an ATM made by privately held Tranax Technologies. After he infected the ATM, he approached the machine and instructed it to start dispensing cash. Jack used a key available over the Internet to open the case of an ATM from privately held Triton Systems, then inserted a USB thumb drive that forced the machine to spit out its entire jackpot. The ATMs he tested run on Windows CE, a version of Microsoft Corp's ubiquitous operating system widely used in specialized computers, such as ATMs. He said both ATM makers have issued software that would prevent hackers from repeating the same attacks he performed onstage, but he added that ATMs from all manufacturers are still vulnerable to attack. “I'm not naive enough to think I'm the only person who can do it,” he said.
He also said he believed that the ATMs used by financial institutions were vulnerable as well, but that he had not simulated any attacks because he had not been able to get hold of any bank ATMs. Bob Douglas, vice president of engineering for Triton, said he was not aware of any successful attacks on his company's equipment. Officials with Tranax could not be reached for comment. Some 6,000 hackers and security professionals are attending this week's Black Hat conference, where they are discussing vulnerabilities in everything from the software that runs PCs and mobile phones to systems that control the electric grid. Organizers promote such research in a bid to publicize weaknesses to users so they can protect against them and to encourage software makers, manufacturers and others to find ways to plug those holes.