Security

Researcher Discovers ATM Hack, Gets Silenced

Al writes "A researcher working for networking company Juniper has been forced to cancel a Black Hat presentation that would have revealed a way to hack into ATMs. The presentation focused on exploiting vulnerabilities in devices running the Windows CE operating system, including some ATMs. The decision to cancel was made to give the vendor concerned time to patch the problem, although the company was notified 8 months ago. The article mentions a growing trend in ATM hacking: In November 2008 thieves stole nearly $9 million from more than 130 cash machines in 49 cities worldwide. And earlier this year, the second biggest maker of ATMs, Diebold, warned customers in an advisory that certain cash machines in Eastern Europe had been loaded with malicious software capable of stealing financial information and the secret PINs from customers performing ATM transactions."
  • Re:Ridiculous (Score:5, Interesting)

    by Anonymous Coward on Friday July 10, 2009 @11:15AM (#28650249)

    No, they don't... but it depends on the hack.

    If it gives out free money, only harming the company which didn't seem to care, then no, don't give them any more time.

    If the hack gives them access to innocent people's account details, and they'd be out money, and/or time fighting the bogus withdrawals, then yes, give them time to fix it.

  • No surprise here... (Score:3, Interesting)

    by Svartalf ( 2997 ) on Friday July 10, 2009 @11:24AM (#28650403) Homepage

    It is quite unsurprising, really. We see the same thing going on in the SCADA security space. The book, Hacking Scada: Industrial Network Security From the Mind of the Attacker [hackingscada.com], has been held up for at least a year past its original planned publication date for similar thinking.

  • by Peter Simpson ( 112887 ) on Friday July 10, 2009 @11:33AM (#28650529)

    It's an ATM.

    It reads a card, checks your balance and pokes money out a slot.

    What increased functionality is there?

    (well, yes, it takes in deposits, too, but...)

    Really, why aren't these things running the most limited OS possible?
    Running WinXP on them is just silly. I would have thought WinCE would
    be more locked down, but apparently not.

    The comment about OS/2 machines being more secure is interesting.
    I'd rather have IBM running my cash machines than Microsoft.

  • by 2gravey ( 959785 ) on Friday July 10, 2009 @11:40AM (#28650623)

    For those of you who aren't aware, the Black Hat tradition for vulnerability presentations which have been similarly blocked due to court orders, etc. is to offer BH a replacement safe/bland presentation and then deliver the banned exploit demonstration regardless. This action typically results in a large lawsuit against the researcher's employer, subsequent termination of the researcher, and a short-lived rock star notoriety for the researcher making the aforementioned termination totally worth it.
  • Re:Ridiculous (Score:5, Interesting)

    by compro01 ( 777531 ) on Friday July 10, 2009 @11:44AM (#28650705)

    Being as the exploit is already in the fucking wild and being actively exploited, preventing the information from being presented is completely and totally pointless.

  • Re:Ridiculous (Score:5, Interesting)

    by Talderas ( 1212466 ) on Friday July 10, 2009 @11:50AM (#28650797)

    Not really. Despite the exploit being out there, there are likely only a few malicious people that know about it. If the hack requires physical access to the machine, this means the number of machines that are exploited is less. As other people have mentioned... once the exploit is significantly more public, that will increase the number of malicious people that know about it and increase the number of exploited machines.

    There's a lot of people who can apply exploits. There aren't as many that can discover them.

  • by jonwil ( 467024 ) on Friday July 10, 2009 @12:04PM (#28651025)

    One big reason to update from OS/2 to Windows is that it's a lot easier to add new functionality to the Windows version of the ATM software than it is to add new functionality to the older OS/2 ATM software.

    Examples of new functionality ATM operators may want or need to add:
    1. Advertising (for loans, credit cards etc) whilst the ATM talks to all the computers and you wait for your money to come out
    2. Prepaid credit vouchers of various kinds (e.g. for prepaid mobile phones)
    3. Changes in the law (this last one happened recently here in Australia where there is now a new rule where if you use an ATM that doesn't belong to your bank, the owner of the ATM charges you the fee and not the bank where your account is. Also, the ATM is required to display the cost of this new "direct charge")
    4. Better accessibility for disabled people (e.g. deaf or blind)

  • by idontgno ( 624372 ) on Friday July 10, 2009 @12:04PM (#28651037) Journal

    Done. [azonano.com]
  • Re:Ridiculous (Score:2, Interesting)

    by Brian Edwards ( 1429281 ) on Friday July 10, 2009 @12:28PM (#28651305)

    The vendor in question is likely Microsoft:

    "The presentation focused on exploiting vulnerabilities in devices running the Windows CE operating system, including some ATMs. The decision to cancel was made to give the vendor concerned time to patch the problem, although the company was notified 8 months ago."

    My guess is that Microsoft is not excited about fixing bugs in CE, and would rather just extend their "security through obscurity" strategy to include censoring researchers.
  • by DeusExMach ( 1319255 ) on Friday July 10, 2009 @12:32PM (#28651353)

    I like how the article you reference states that they're designing a "Proto-prototype".

    So! By that logic, they have developed a proto-prototype of a generalized machine maker machine that can be used to construct proto-nano-pin-number-generating-atm-machines using proto-nano-assemblers running on AC current.

    This is worse than spaceballs: the video tape.

    Now became then, just now. ...everybody got that?

  • How it works. (Score:4, Interesting)

    by mbarkhau ( 1137557 ) on Friday July 10, 2009 @12:44PM (#28651483)

    I only read this on another forum so take with a grain of salt.

    The hack is based on the assumption that if you make a withdrawal from an ATM and don't take the money, you forgot to take it, so the machine takes the money back and refunds the amount to your account.

    The thing is that the machine doesn't have a way to count how many bills it takes back, so you can just take the bills from the middle and you will get a full refund.

    Supposedly this also works if you take the money right before the ATM pulls back in the money.
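    A toy model of the cash-retract refund logic described in the comment above, added here as an illustration and not taken from the thread or from any ATM vendor's software: the flawed path refunds the full amount on any retract event, while the hardened path refunds only what a note counter actually saw return and flags a shortfall for operator review. All class and function names, denominations and counts are constructed assumptions.

```python
"""Constructed example of ATM retract/refund reconciliation (not vendor code)."""
from dataclasses import dataclass


@dataclass
class Withdrawal:
    account: str
    denomination: int          # value of each note, e.g. 20 (assumed)
    notes_dispensed: int       # notes presented in the tray
    notes_retracted: int = 0   # notes the retract mechanism pulled back
    refund: int = 0            # amount credited back to the account
    flagged: bool = False      # transaction held for operator/audit review


def naive_retract(tx: Withdrawal, notes_retracted: int) -> Withdrawal:
    """Flawed logic as described in the thread: a retract event refunds the
    full dispensed amount, regardless of how many notes actually came back."""
    tx.notes_retracted = notes_retracted
    tx.refund = tx.denomination * tx.notes_dispensed
    return tx


def hardened_retract(tx: Withdrawal, notes_retracted: int) -> Withdrawal:
    """Refund only the notes the counter saw return; anything short of the
    dispensed count is a dispute (or a partial removal) and is flagged."""
    if notes_retracted > tx.notes_dispensed:
        raise ValueError("sensor fault: more notes retracted than dispensed")
    tx.notes_retracted = notes_retracted
    tx.refund = tx.denomination * notes_retracted
    if notes_retracted < tx.notes_dispensed:
        tx.flagged = True
    return tx


def account_delta(tx: Withdrawal) -> int:
    """Net change to the customer's balance once the retract is processed."""
    return -(tx.denomination * tx.notes_dispensed) + tx.refund


def demo() -> tuple:
    # Constructed scenario: 10 x 20 presented, 4 notes removed from the
    # middle of the stack, 6 notes retracted by the machine.
    naive = naive_retract(Withdrawal("acct-A", 20, 10), notes_retracted=6)
    hard = hardened_retract(Withdrawal("acct-B", 20, 10), notes_retracted=6)
    return account_delta(naive), account_delta(hard), hard.flagged


if __name__ == "__main__":
    print(demo())  # (0, -80, True)
```

    The second case the comment mentions, grabbing the cash just before the retract, shows up in the hardened path as zero notes counted back: no refund and a flagged transaction, rather than a silent full credit.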
  • Re:Ridiculous (Score:3, Interesting)

    by Nikker ( 749551 ) on Friday July 10, 2009 @06:40PM (#28655725)

    I would like to apologize for being an asshole, I did go over the top. The reason I feel concerned is the element of scale. The only difficult part is figuring out the vulnerability; once that is done they can outsource, because the money is there. There may not be a planet of computer elites with the ability to take advantage of this or any exploit for that matter, but if the money is there to be made, especially in the millions of dollars, there is incentive to perfect the process. With that kind of money you could engineer something as simple as a 'mod chip' and with a handful of people distribute your process, likely not even having to explain really what they are doing. As long as there is ROI people will do it without asking questions, so they might not even know who is behind all of this.

    I do agree that publicizing this is not the ideal solution; the sad thing is that Diebold / Sequoia has been aware of the issue for almost a year now, and coming from a company with security-minded products, why is it that I, as the person the situation affects, cannot do anything to avoid this situation? Is there a visual appearance of these particular machines I can use to determine if I want to take the risk or not? Maybe a visual screen layout? If so then I'm happy to let them do what they please, but now that I am informed I want to make a decision based on that. The chance to do so is all I'm asking.
