CheatAd !

It is certainly many teenage hacker daydream: to hack ATMs and makes them spit out cash. As impossible as it seems, security researcher Barnaby Jack demonstrates how he bypassed the security of two ATMs during the Black Hat conference.

Barnaby Jack, director of security testing at Seattle-based IOActive, wouldn’t name any specific ATM manufacturers during his talk. However, in the interview afterwards he revealed that the two machines on-stage were built by Triton and Tranax, which he bought over the Internet and then spent years poring over the code.

The vulnerabilities and programming errors he unearthed during that process, Jack said, let him gain complete access to those machines and learn techniques that can be used to open the built-in safes of many others made by the same companies. With that information, he wrote two pieces of software to exploit that programming error: a utility called Dillinger, which attacks an ATM remotely, and one called Scrooge, a rootkit that inserts a backdoor and then conceals itself from discovery.

He said both Tranax and Triton had patched the security vulnerabilities since he brought them to the companies’ attention a year ago.

Jack was originally scheduled to give his ATM hacking demo last year, but the talk was pulled at the last minute after an ATM vendor complained to Juniper Networks, his then-employer.