Topics: Security, The Almighty Buck

Kids With Operators Manual Alert Bank Officials: "We Hacked Your ATM"

Posted by samzenpus
from the protect-ya-neck dept.
An anonymous reader writes "Two 14-year-olds hacked a Bank of Montreal ATM after finding an operators manual online that showed how to gain administrative control. Matthew Hewlett and Caleb Turon alerted bank employees after testing the instructions on an ATM at a nearby supermarket. At first the employees thought the boys had the PIN numbers of customers. 'I said: "No, no, no. We hacked your ATM. We got into the operator mode,"' Hewlett was quoted as saying. Then, the bank employees asked for proof. 'So we both went back to the ATM and I got into the operator mode again,' Hewlett said. 'Then I started printing off documentations like how much money is currently in the machine, how many withdrawals have happened that day, how much it's made off surcharges. Then I found a way to change the surcharge amount, so I changed the surcharge amount to one cent.'"
  • Not surprising. (Score:5, Insightful)

    by Z00L00K (682162) on Monday June 09, 2014 @03:48PM (#47197351) Homepage

    I'm not even mildly surprised that this was possible.

  • Hacked? (Score:3, Insightful)

    by Anonymous Coward on Monday June 09, 2014 @03:48PM (#47197355)

    So....
    they had the manual with passwords....

    this is hacked.... how?

    • by Shatrat (855151) on Monday June 09, 2014 @03:52PM (#47197391)

      The default passwords shouldn't be used, and without a key someone shouldn't be able to gain management access to the device.

      • by ganjadude (952775) on Monday June 09, 2014 @03:59PM (#47197485) Homepage
        It is insane how many devices out there are still using default passwords. It seems to me that the only items I'm seeing ship with unique PWs by default these days are cheap WiFi routers, surprisingly. I can't tell you how many coke machines out there can be taken over by simple keypresses. My best friend was a Coke distributor, and none of their machines were on a different default PW, which always made getting a coke trivial for him, however.
        • Re:Hacked? (Score:5, Insightful)

          by PopeRatzo (965947) on Monday June 09, 2014 @04:29PM (#47197845) Homepage Journal

          I can't tell you how many coke machines out there can be taken over by simple keypresses.

          I notice you're not sharing the password with us thirsty readers.

          C'mon, bro.

        • by mythosaz (572040) on Monday June 09, 2014 @04:34PM (#47197907)

          I've seen one discussion after another discussing passwords and button press combinations on soda machines, but have never, ever, seen one work.

          I call shenanigans.

          Soda machines are mostly electro-mechanical rather than computer controlled. Either the switch is active to allow button presses to dispense soda, or they're not. You don't program them from the outside. You set the DIPs to the vend prices per column (if it's multi-price) and lock it back up.

          • by Jarik C-Bol (894741) on Monday June 09, 2014 @06:11PM (#47198497)
            Which is interesting, because even the old "electromechanical" machines would suffer from hiccups. There was an old machine at my school that, quite reliably, after you paid for one, would give you two Dr. Peppers when you pushed the button for it. It also would give you as many diet cokes as you cared to own, assuming you kept pressing the button as quickly as possible after you fed it your change; if you stopped, it would reset and lock out. If you pushed the Dr Pepper button and the Diet Coke button at the same time, about 1 time in 5 you would get 2 Dr Pepper and a Diet Coke.
            The point is, this was an old machine; while you mashed the buttons, it made this horrendously loud clicking and clattering, so you could only get so many from it before you attracted the attention of the people in the office nearby. I gave up at 6 Diet Cokes, partially because who wants to drink 7 Diet Cokes, and partially because the secretary was glaring at me.
        • by JaredOfEuropa (526365) on Monday June 09, 2014 @04:44PM (#47197977) Journal
          I'm surprised such changes can be made from the front panel of the machine. I'd say that any administrative mode should only be accessible by a switch or keypad inside the machine's strongbox.
      • by Jarik C-Bol (894741) on Monday June 09, 2014 @06:02PM (#47198455)
        Exactly.
        This is another device, but the principles involved are the same. Where I work we have a coin sorting machine, sort of like a Coinstar. This particular model dispenses cash instead of a receipt that you take to the counter to cash in, the way a lot of the bigger chains are. With our machine, there is a keyed lock that opens a little flipper door that houses a separate physical keypad that controls all the admin functions. Public user access to the machine is restricted to a touch screen with an extremely limited interface (basically language choice, start, and finish, once the machine is done counting).

        I'm surprised that ATMs don't use a similar setup. In my mind, it should be another step obfuscated by being a port behind a little locked door that allowed the operator to plug in a customized interface (say, a non-standard USB port that matched to a non-standard keyboard/pointing device that the operator would plug in, preventing a successful lock pick from having quick general access to the machine, as a specialized hardware attachment would be needed).

        Remember, this device reads bank cards and conducts financial transactions, protecting your customers saves a lot of money in the long run.
    • Hacked? (Score:3, Informative)

      by Anonymous Coward on Monday June 09, 2014 @03:52PM (#47197393)

      It's "hacked", because they did something that (in theory) only administrators are supposed to be able to do. That's really all the definition anyone needs.

      Similarly, if an admin leaves the root passwords as "admin:admin", and someone logs in, that someone has hacked the system.

      • Re:Hacked? (Score:5, Funny)

        by Richy_T (111409) on Monday June 09, 2014 @04:04PM (#47197539) Homepage

        That's the password on my luggage.

      • by laird (2705) <lairdp@gma i l . com> on Monday June 09, 2014 @04:09PM (#47197589) Journal

        True, it's a "hack" but it's a pretty trivial hack.

        • Re:Hacked? (Score:5, Insightful)

          by Yakasha (42321) on Monday June 09, 2014 @04:17PM (#47197695) Homepage

          True, it's a "hack" but it's a pretty trivial hack.

          They are the ultimate script kiddies. Kids, using a script published by the manufacturer.
          Even putting "trivial" in front diminishes the glory of hacking.

          • by unrtst (777550) on Monday June 09, 2014 @10:04PM (#47199771)

            True, it's a "hack" but it's a pretty trivial hack.

            They are the ultimate script kiddies. Kids, using a script published by the manufacturer.

            Even putting "trivial" in front diminishes the glory of hacking.

            Isn't this all very similar to the phreaking of the 70's/80's, or hacks resulting from simply reading IBM manuals or the rainbow series? Or is everyone too old to remember that?
            FWIW, I do think this is trivial, and it's simply a poorly setup ATM, but taking advantage of obscure weaknesses is a time honored tradition AFAIK, and I bet the kids even learned a fair bit from doing this (unlike a script kiddie that just downloads and blindly executes other peoples work).

      • by meerling (1487879) on Monday June 09, 2014 @04:20PM (#47197737)
        They neither hacked nor cracked it; they used the built-in and approved method as outlined in the Operators Manual. The only questionable part was that they were not authorized to do so, except maybe when they demonstrated it to the bank personnel because they were requested to by an authorized person.
        • Re:Hacked? (Score:5, Informative)

          by Pieroxy (222434) on Monday June 09, 2014 @04:41PM (#47197953) Homepage

          The definition of hacking, the legal one, in many places, at least in Europe, is defined pretty much as the following: being somewhere you're not supposed to be, while knowing you're not supposed to, and then snooping around instead of just leaving. I guess it's the digital alternative of 'breaking and entering'. Just because you found a post-it with the lock of the front door on the ground, it doesn't make it right to go in. Common sense should kick in at some point, so if you do it anyway, justice assumes common sense did kick in and you entered willfully. THAT makes it illegal.

          That's pretty much common sense.

    • Re:Hacked? (Score:4, Insightful)

      by TheCarp (96830) <`ten.tenaprac' `ta' `cjs'> on Monday June 09, 2014 @03:59PM (#47197491) Homepage

      A better question is: This is secured.....how?

      Having access to a manual shouldn't provide access to the machine if it has been configured properly. Any passwords in the manual should sure as shit not work after the machine is installed and open to the public.

      It may be fair to say these kids are not really much of hackers....but if that is the case then there are a few things the ATM designers or bank administrators (or both) are not either.

      • by geekoid (135745) <dadinportland.yahoo@com> on Monday June 09, 2014 @04:04PM (#47197529) Homepage Journal

        You have 100s of machines, dozens of employees, who need legitimate access. How do you share the passwords on all those machines?
        Is your solution cost effective? Does it account for areas with bad reception?
        Plus, if you made 10K a week keeping your front door open, but you spent 30K a year replacing any stolen item, would you lock your door?

        • by raymorris (2726007) on Monday June 09, 2014 @04:20PM (#47197747)

          First, dozens of people shouldn't have administrative access to a particular ATM at once. Where I work, most systems have one or two people with passwords. If both people get hit by a bus, you can boot from a USB stick and proceed from there, but only two people have admin accounts.

          Regarding the logistics of controlling who has access to what, every organization with more than a very few employees needs to manage who has access to what, and that's been true for thousands of years. It's very much a solved problem. Most companies use Active Directory for this purpose. Since ATMs already have card readers, an obvious answer for routine maintenance is to have the employee swipe their employee ID card. The ATM then uses its existing network connection to authorize access via AD. Back in the days of Benjamin Franklin, the solution was a key rack held by a designated employee. Other employees would check out the keys they needed to use that day. It's kind of an interesting problem, but one that has been solved since roughly the Roman empire or so.

          • by matria (157464) on Tuesday June 10, 2014 @12:16AM (#47200329)
            When I was in the Navy, there was a key rack in the watchstander's office (barracks watch). Oncoming watchstanders called in to base security to report status, including the presence of all keys, at regular intervals. One petty officer who was a good friend of the barracks chief kept the keys to the barracks back door in her room so she could let her boyfriends in. I was always getting in trouble when I stood watch because I refused to falsify my reports. I would report the key missing, and base security would come blasting into the barracks to find the key, and I had no trouble telling them where it was. I still have the scars, after more than 40 years, from the several times I was assaulted in the barracks because of it.
        • by AK Marc (707885) on Monday June 09, 2014 @05:23PM (#47198243)

          How do you share the passwords on all those machines?

          The same way they do for WiFi routers (and have done for 10+ years). You put it on the machine. There are doors locked with keys, and you expect them to have the keys to the ATM, so have the password on the inside of the door. Only if someone is already inside can they see it.

          Is your solution cost effective?

          Yes.

          Does it account for areas with bad reception?

          Yes.

          Plus, if you made 10K a week keeping your front door open, but you spent 30K a year replacing any stolen item, would you lock your door?

          And if it cost $0 to prevent all theft, how stupid would you have to be to not secure it?

          The typical Slashdot response. "I can't think of an easy way to fix the problem so it must be impossible." No, you are just stupid. Putting the password on the machine, but locked where it would already be "compromised" to view is free, easy, and has been used in other areas for decades. My routers come with non-default passwords from the factory, with the randomly generated initial (and after reset) password on the device, where physical security is already compromised if someone sees it.

          If it's as impossible as you imply, go ahead and tell me what's wrong with my idea. I can only presume you'll make up some fake physical security problem. But I've never seen an ATM that didn't require keys of some kind.

          Better, You could have a card and PIN that identified the maintenance person. The ATMs are wired back and authenticate transactions, so why not authenticate the maintenance person, and only open for authorized maintenance people at times in the maintenance schedule?

          I can think of lots of ways to do this that scale well to 10,000,000 ATMs. That you can't think of any just proves stupidity, not difficulty.
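As an added illustration of the design raymorris and AK Marc describe above, not code from the original discussion or from any ATM vendor, the following constructed Python contrasts a single shared operator password (the weak setting the thread is complaining about, here a labelled placeholder) with operator-mode access that is tied to an individual employee card and PIN, an assigned machine, and a scheduled maintenance window, checked against a back-end directory. The directory class, card IDs, PINs, ATM IDs and times are all assumptions for the example.

```python
import hashlib
import hmac
import os
from datetime import datetime, timezone

# Weak design: every unit ships with one shared operator password, and that
# password is printed in the manual. This constant is a constructed
# placeholder, not any vendor's real default.
SHARED_DEFAULT_PASSWORD = "000000"


def weak_operator_login(entered: str) -> bool:
    """Anyone who has read the manual passes this check."""
    return entered == SHARED_DEFAULT_PASSWORD


def _hash_pin(pin: str, salt: bytes) -> bytes:
    # Slow salted hash so the directory never stores a PIN in the clear.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


def utc_time(year: int, month: int, day: int, hour: int, minute: int = 0):
    """Helper for building timezone-aware timestamps in the walkthrough."""
    return datetime(year, month, day, hour, minute, tzinfo=timezone.utc)


class OperatorDirectory:
    """Stand-in for the bank's back-end directory that the ATM queries over
    its existing network link (the comments suggest Active Directory)."""

    MAX_FAILURES = 3

    def __init__(self) -> None:
        self._records: dict = {}

    def enroll(self, card_id: str, pin: str, atms, window) -> None:
        # window is (start, end): this person's scheduled maintenance slot.
        salt = os.urandom(16)
        self._records[card_id] = {
            "salt": salt,
            "pin_hash": _hash_pin(pin, salt),
            "atms": set(atms),
            "window": window,
            "failures": 0,
        }

    def authorize(self, card_id: str, pin: str, atm_id: str, now: datetime):
        """Return (granted, reason); every denial carries a loggable reason."""
        rec = self._records.get(card_id)
        if rec is None:
            return False, "unknown card"
        if rec["failures"] >= self.MAX_FAILURES:
            return False, "card locked after repeated failures"
        if not hmac.compare_digest(_hash_pin(pin, rec["salt"]), rec["pin_hash"]):
            rec["failures"] += 1
            return False, "bad PIN"
        if atm_id not in rec["atms"]:
            return False, "operator not assigned to this ATM"
        start, end = rec["window"]
        if not start <= now < end:
            return False, "outside scheduled maintenance window"
        rec["failures"] = 0
        return True, "operator mode granted"
```

The reason string returned on each denial is what the ATM would send to the bank's monitoring side, so repeated "bad PIN" or "outside scheduled maintenance window" results on one machine become a detectable signal rather than a silent event.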

    • Re:Hacked? (Score:5, Funny)

      by Yakasha (42321) on Monday June 09, 2014 @04:16PM (#47197673) Homepage

      So.... they had the manual with passwords....

      this is hacked.... how?

      Same way I hacked my VCR so it doesn't flash 12:00 anymore!

    • Re:Hacked? (Score:4, Insightful)

      by rogoshen1 (2922505) on Monday June 09, 2014 @04:17PM (#47197699)

      because if they use the verb 'hacked' the authorities will be able to get the absolute maximum penalty, and throw the book at these kids.
      Oh, Canada -- right, never mind. (Stuff like this would be punishable by 20+ years in the US more than likely.)

    • by Jeremy Erwin (2054) on Monday June 09, 2014 @04:23PM (#47197769) Journal

      I recently read Clifford Stoll's The Cuckoo's Egg, and a good many of "Hunter's" exploits were based on nothing more than known service passwords. You'd think that things would have changed since 1989, but apparently the same mistakes are being made.

    • 8B T/yr [hitachiconsulting.com], times $2.22/T [howstuffworks.com].

      I think a problem with a potential downside of $17,760,000,000 is, well, a problem.
  • by JohnnyComeLately (725958) on Monday June 09, 2014 @03:50PM (#47197367) Homepage Journal
    Here lately, seems their day at school would have been moot as they are led to a waiting black SUV. Then, SWAT would move into their house and take everything that plugs into a wall and has Ethernet capabilities. Think I'm joking?
  • by Tokolosh (1256448) on Monday June 09, 2014 @03:50PM (#47197377)

    In the USA anyway, the kids are looking at adult jail time.

  • Does anyone else think that it's getting too dangerous to keep some information in a digital form? Is some information destined to forever be kept in a printed form?

  • by Anonymous Coward on Monday June 09, 2014 @03:53PM (#47197397)

    In other news, domestic terrorist ringleaders Matthew Hewlett and Caleb Turon were arrested today in what Department of Homeland Security spokesman Peter Atriot called "a blow for freedom against Jihadists". The two men are believed to have diverted funds vital to global banking, thereby aiding and assisting worldwide terror organisations.

  • by Anonymous Coward on Monday June 09, 2014 @03:53PM (#47197401)

    Reading a manual and following step by step instructions which tell you how to get into operator mode is NOT HACKING.. UGH.

  • Relax, folks. (Score:5, Insightful)

    by Anonymous Coward on Monday June 09, 2014 @03:54PM (#47197413)

    This is Canada. As long as they don't try to link good science to administrative policy, the government probably won't care.

  • by Ghostworks (991012) on Monday June 09, 2014 @03:55PM (#47197435)

    Back before the internet, it was common practice to put hard-coded admin passwords in documentation, in case anyone should forget the real password. In some industries (say, construction road signs) it just never occurred to them that anyone would ever care to look it up for a prank. In other industries, like ATMs, the assumption was that documentation was obscure and difficult to lay hands on without writing to a real person who then had to mail a manual to a real address of an existing customer.

    The fact that they still do this is depressing, but doesn't surprise me in the least.

  • by Rodness (168429) on Monday June 09, 2014 @03:57PM (#47197453)

    By "hacked" you mean "followed printed instructions from a user's manual". If that's the new "hacking" then I weep for mankind.

    • by Ionized (170001) on Monday June 09, 2014 @04:09PM (#47197587) Journal

      They were inquisitive, did some research, experimented on a system, and succeeded in gaining unauthorized access. They then responsibly reported their findings to the device owner.

      What these kids did, while perhaps not quite on par with hacking the Gibson, still very much represents the (white hat) hacker ethos at work.

      You, on the other hand, represent the asshat ethos, for downplaying what they did and trying to fiddle fart around with semantics.

  • by g01d4 (888748) on Monday June 09, 2014 @03:59PM (#47197481)

    Their first random guess at the six-digit password worked. They used a common default password.

    When does incompetence become criminal neglect?

  • Demo Disks (Score:5, Interesting)

    by Ronin Developer (67677) on Monday June 09, 2014 @04:03PM (#47197521)

    Years ago, when ATMs were first becoming available, someone I know worked as a security exec for a large bank. Seems back then, each ATM came with a demo disk that, when inserted into a floppy disk port inside the ATM's housing (but easily accessed), placed the machine into demo mode and allowed the operator full control of the device. The sales operator could then fully demonstrate ALL the features of the ATM, including the automatic dispensing of cash.

    With furled eyebrows, he asked whatever became of all the demo disks after the ATM was installed... nobody knew... just assumed they were thrown out. He asked if they considered this a problem. And he was told 'No'. At the time, stealing the ATM was all the rage and his concerns were discounted... until one day when money just started disappearing from ATMs. Seems somebody else found or had one of those disks and realized what they had.

    Pretty scary these kids could find a manual online and that the command sequence to place it into admin mode could be done from the user console vs. a separate terminal. One has to wonder if they could have dispensed cash like a Pez dispenser like was possible with the old demo disks.

  • by infogulch (1838658) on Monday June 09, 2014 @04:10PM (#47197603)
    From this to Highway Sign Hacking [slashdot.org] to that researcher that made a botnet of home routers with default config to ping the whole of IPv4, I really hope admins are getting the point that you can't just drop appliances in public places without adjusting the default configuration. What critical infrastructure is left out there just begging for someone with an operator's manual to wreck it, or even worse, exploit it? Can we get a wake-up call to the administrators of these appliances?
    • by Anonymous Coward on Monday June 09, 2014 @04:25PM (#47197807)

      Honestly, I don't think even a wake-up call would do anything. Prime example from my life:

      I went to a community college for a few years to get gen-eds out of the way cheap before going to a real college. In one of the buildings, there was a break room that was really popular with students despite not really being anything special - some tables and chairs, and that was about it. I had no idea why it was so popular when there were other break rooms on campus that had TVs and better Wi-Fi access and the like.

      A few days in, I found out why. There was an older soda machine in the back of the room, and every so often I'd buy one. Almost every time, I'd wind up getting two (or sometimes three) sodas when I paid for one. At first I thought I was just really lucky, but then I found out that the machine was badly secured. There was a default button combination you could press that would take the machine into admin mode, where you could do things like get it to dispense free drinks. Doing this would cause a bottle to be loaded into position as if someone had paid for it, so the next person to buy a drink would get two.

      Apparently, this was a well-known 'secret' on campus. Even the professors did it. I can't tell you how much money the vending machine owner probably lost, and I'm sure they knew that something was up based on how quickly the stuff was disappearing and how the money didn't add up. This was about seven years ago.

      I went back to the same school to sign up for some classes just a month ago. On my way back, I stopped at that break room, and sure enough, that machine still hasn't had the password changed.

  • by meta-monkey (321000) on Monday June 09, 2014 @04:23PM (#47197767) Journal

    Kids?! More like cybercriminal financial terrorists! Time for a no-knock SWAT raid! Flashbangs, go go go and shoot the dog, too!

  • by Deadstick (535032) on Monday June 09, 2014 @04:25PM (#47197797)

    Seems like an echo of Richard Feynman's famous "I can open your safe" hobby at Los Alamos. Same method: guessing at obvious combinations like birthdates, in the 50% of cases where the lock wasn't still on the factory combination.

  • by Hamsterdan (815291) on Monday June 09, 2014 @04:31PM (#47197871)

    When there's an ATM fraud in a customer's account, the customer is held responsible for his own account.
