The Fraud Blog with Tracy Kitten

Confessions of an ATM Hacker

Confessions of an ATM Hacker

I caught up this week with Barnaby Jack, the so-called ethical hacker who cracked the operating systems of two retail ATMs during last month's Black Hat Technical Security Conference in Vegas. Jack, who heads research for IOActive Labs, a privately held computer and network security firm in San Francisco, hacked two commonly deployed off-premises ATMs -- the Triton RL2000 and Tranax 1700.

His actions have been praised by some, criticized by others. Ethical hackers like Jack play a critical role in security, some argue. Others question his motives, as well as his right to publicly expose system vulnerabilities found in products manufactured by private entities.

"You have to walk a really fine line," Jack tells me, when it comes to ethical hacking. "But I'm sure I'm not the only one who can come up with these sorts of attacks. And then it would stay more underground and pose a more serious threat, I think."

On the Triton, Jack exposed weaknesses in physical security, as the cabinet within the ATM enclosure that houses the PC was easily opened with a universal key. After gaining access to the PC, Jack infected the operating system with malware he had saved to a thumb drive. On the Tranax, he compromised the remote-management channel and used it to remotely transport the malware, which subsequently infected and conquered the ATM's operating system.

Jack is quick to point out that he did not go public with any information about the hacks until after he had contacted both manufacturers, giving each adequate time to develop software upgrades and patches. In fact, he actually hacked the Triton machine a year ago, while he was working as a security researcher for Juniper Networks, which designs and sells Internet protocol products and services.

But Juniper pulled in the reins on Jack, keeping him from going public with the hack at the Black Hat security conference in 2009. "I guess we jumped the gun at Black Hat (last year)," he explains. "We didn't want to go up there and basically show how ATMs can be hacked without having any sort of mitigation in place."

So Jack and Juniper let the hacks go, for the time being. And Jack spent the next year researching different type attacks and ATMs. "People had thought that there was legal pressure and that sort of thing, but that was all hearsay," Jack says.

After notifying Triton about some of the security flaws found in its RL2000, Jack says Triton signed with Juniper to help it develop some fixes.

"They could've shut down the talk and kept everything kind of hidden away," Jack says. Instead, however, Triton worked with Juniper and was later comfortable, Jack says, with going public about the hack and the vulnerabilities. "Now that these ATM manufacturers are aware of these software vulnerabilities, they're actually going to be proactive about sort of keeping the patches up to date."

Since Black Hat, Triton has issued several marketing messages that explain the hack and how deployers can protect their networks.

Still, some ATM deployers have questioned Jack's right to test the machines at all. They also question his motives: Is his company just trying to drum up business? My short answer to that is, "Yes." It's always about business. So, if Jack's motives served a greater purpose, does that trump the underlying motivation to build business? You tell me.

Here's the way I see it. Jack's job is to test ATM systems. If he identifies vulnerabilities in a system that's being sold to numerous institutions and retailers throughout the country, how could he not expose those risks? If millions of cardholders are compromised because Jack fails to tell a vendor and the community, would he have done the "right" thing by staying silent? I don't think so. And I don't think the industry really thinks so either.

Honestly, I think manufacturers and vendors should be glad when ethical hackers such as Jack bring system security holes to their attention.



About the Author

Tracy Kitten

Tracy Kitten

Former Director of Global Events Content and Executive Editor, BankInfoSecurity & CUInfoSecurity

Kitten was director of global events content and an executive editor at ISMG. A veteran journalist with more than 20 years of experience, she covered the financial sector for over 10 years. Before joining Information Security Media Group in 2010, she covered the financial self-service industry as the senior editor of ATMmarketplace, part of Networld Media. Kitten has been a regular speaker at domestic and international conferences, and was the keynote at ATMIA's U.S. and Canadian conferences in 2009. She has been quoted by CNN.com, ABC News, Bankrate.com and MSN Money.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.eu, you agree to our use of cookies.