Posted on August 7, 2020 at 12:49 PM
At the Black Hat conference in 2010, late Barnaby Jack, who was a renowned security researcher, was able to hack an ATM live by tricking the ATM machine into spitting a stream of dollar bills. The hacking method he used was correctly named “jackpotting.”
10 years on from the blockbuster presentation by Barnaby Jack, security researchers want to present new vulnerabilities in the ATMs at Nautilus.
However, they are not presenting theirs live as Jack did because of the gathering restrictions during this coronavirus pandemic.
Security researchers at Trey Keown and Brenda So at security firm Red Balloon, revealed that their vulnerability pairs enabled them to confuse a popular ATM usually seen in stores rather than those at the banks. The researchers said they trick the machine into dispensing cash at their command.
ATMs have vulnerabilities that stay dormant for several years
The security researchers say the hacker would need to share the same network with the targeted ATMs before they can be successful. But from their research, they found that some of the ATMs may be vulnerable for many years without any action to remedy or patch up the vulnerabilities. And in some extent, the vulnerabilities started existing when the ATMs where first built.
The researchers revealed that the new ATM vulnerabilities target the underlying software of the Nautilus ATMs, which is the 10-years old version of the Windows system that Microsoft no longer supports. The two researchers initially examined a sample ATM to see its functionalities. After a bit of documentation, they had to reverse-engineer the software within to understand how it works.
Initially, they found vulnerability in an ATM software called Extensions for Financial Services (XFS).
ATMs make use of the service to converse with different hardware components such as cash dispensing unit and card reader.
However, the bug was not in XFS itself, but in the way the manufacturer of the ATM executed the software layer into their ATMs.
The researcher discovered that when a hacker sends a specially designed malicious request to the network, it can quickly trigger the ATM machine to dump the cash inside.
Apart from this vulnerability, there was another vulnerability the two researchers exploited. The second vulnerability was discovered in the remote management software of the ATM, which was in-built to allow ATM owners effectively organize and manage the different ATM systems.
The ATM owners use the tool to update the ATM software and check how much cash is left in the machine. It helps the owners keep records of dispensing cash and the right time to add more cash to the machine. When the hacker triggers the bug, it can allow the hacker access to a weak ATM setting.
Hackers can infiltrate ATMs with malicious apps
So researcher revealed that it was possible for the hacker to use a malicious hacker-controlled server to interchange the ATM’s payment processor, especially if the ATM is vulnerable. The hackers can siphon funds from the ATM machine after switching to the malicious server.
“By pointing an ATM to a malicious server, we can extract credit card numbers,” So pointed out.
Bloomberg initially reported the ATM vulnerability last year, when they secretly revealed their observations to Nautilus. In the report, the researchers said close to 800,000 ATMs in the United States were vulnerable before the update. The researchers said Nautilus did not respond when they contacted the firm.
Jackpotting operations rare but possible
Although most jackpotting attacks are hardly successful, what the late Jack achieved showed it is very much possible to hijack vulnerable ATMs and reconfigure them to start dispensing cash. There have been very few successful jackpotting attacks in recent years.
However, hackers have been using different techniques to achieve the same jackpotting purpose in the past. Three years ago, a group was seen carrying out jackpotting operations across Europe, stealing millions of Euros in the process.