Hacker Develops Multi-platform Rootkit for ATMs
One year after his Black Hat talk on Automated Teller Machine security vulnerabilities was yanked by his employer, security researcher Barnaby Jack plans to deliver the talk and disclose a new ATM rootkit at the computer security conference.
He plans to give the talk, entitled "Jackpotting Automated Teller Machines," at the Black Hat Las Vegas conference, held July 28 and 29.
Jack will demonstrate several ways of attacking ATM machines, including remote, network-based attacks. He will also reveal a "multi-platform ATM rootkit," and will discuss things that the ATM industry can do to protect itself from such attacks, he writes in his description of the talk, posted this week to the Black Hat Web site.
Jack was set to discuss ATM security problems at last year's conference, but his employer, Juniper Networks, made him pull the presentation after getting complaints from an ATM maker that was worried that the information he had discovered could be misused.
The security researcher found a straightforward way of getting around Juniper's objections, however. Last month, he took a new job as director of security research with IOActive.
ATM machines do get compromised, but in a roundabout way. Thieves often hit them by installing card skimmers on them to extract magnetic stripe data from the cards. Then, using a hidden video camera, they steal login numbers. Using all of this information, the crooks can build their own duplicate cards and empty bank accounts.
But Jack's talk looks at a new area: bugs in the software used to run the machines.
He's taken advantage of the extra year provided by Juniper's ban to do more research. "Last year, there was one ATM; this year, I'm doubling down and bringing two new model ATMs from two major vendors," Jack says in his talk description. The security researcher couldn't immediately be reached for comment.
Jack doesn't say which ATMs he plans to discuss, but it could be any major vendor, according to Black Hat Director Jeff Moss. "He's got a living room full of a lot of different brands of ATMs, and they all seem to suffer from one or the other problem," he said.
ATMs haven't received a lot of serious scrutiny by security researchers, so Jack's talk will break new ground, Moss said. "Apparently you can make all the money come out," he said.