A security researcher named Barnaby Jack amazed attendees at the Black Hat security conference by hacking ATM machines in a session titled “Jackpotting Automated Teller Machines Redux”. There are some important lessons to be learned from the hacks Jack demonstrated, and they apply to more than just ATM machines.

Jack’s exploits–one involving physical access to the ATM machine using a master key available online, and the other dialing in remotely to gain access–focused on ATM machines from Triton and Tranax. However, the issue is not necessarily limited to these two. Jack explained to his audience that he has yet to find an ATM machine that he couldn’t crack and retrieve cash from.

It’s an impressive hack. Who wouldn’t like to just walk up to an ATM machine and cause it to spew money as if you’d hit the jackpot on a Vegas slot machine? But, most businesses don’t own ATM machines, so why should IT admins care about the ATM hack?

The answer is that it’s not just about ATM machines. The ATM machine is just one sensational example of poor physical security combined with poor digital security on a legacy or niche platform. Computers are everywhere, but many of them are not monitored for security issues or updated on a regular basis to protect them.

Toralv Dirro, a security researcher with McAfee, explained in a blog post, “Most people tend to ignore the fact that a lot of today’s devices and machines are running fairly standard computers and operating systems internally. ATM machines, cars, medical devices, even your TV may have such a computer inside, allowing updates over a network.
Software unfortunately has flaws.” Dirro goes on to explain that the more complex the system is, the more likely it is to have flaws that can be discovered and exploited given enough time. Many of these systems–particularly systems such as the software running the ATM machine at the corner gas station–are fairly complex and need to be periodically updated to ensure they are secure and protected.

There are also national security implications. Many of the utilities like water and electricity, chemical processing plants, manufacturing facilities, trains and subways, and other elements of the critical infrastructure that form the backbone of productivity, commerce and security for the country rely on archaic, legacy systems that are not frequently updated, yet likely have exploitable holes for an attacker that looks hard enough.

To make matters worse, many of these systems were originally standalone, but have been connected to the Internet over time, making it possible to access and exploit them remotely. The ATM machine hack demonstrates the need to provide better security for these systems.

It is unrealistic to expect these legacy and niche systems to be constantly updated. Running firewalls or common antimalware protection is also highly impractical. However, as Dirro points out, “the future is in using Application Control, Configuration Control and Change Control to lock down those systems, so you can still make authorized updates and changes but not run unauthorized code from an attacker.”