Skip to main content

How one small hack turned a secure ATM into a cash-spitting monster


During a panel titled "Breaking Embedded Devices," IOActive researchers demonstrated how any machine with a chip or internet connection can be compromised. Embedded systems are particularly at risk: These are mass-produced items that have one role in a machine, such as dispensing cash from an ATM or checking how much ink is in a printer, and are therefore overlooked in terms of security, Ng reported.

More about cybersecurity

The ATM—a popular Opteva model from Diebold Nixdorf—contained a security flaw located near its speakers, IOActive found. This spot offered an opening that criminals could loosen to expose a USB port.
"It's a little bit like a magic trick, but no kidding, it took seconds to getting the ATM to open," Mike Davis, the director of embedded systems security at IOActive, told Ng. Davis said he alerted Diebold Nixdorf to the issue, but the company "didn't consider it enough of a security issue to address," as it was not located near the part of the ATM where the cash is stored, and therefore was not a concern.
To prove that it was a major flaw, IOActive's team plugged a netbook into the exposed USB port and added in code to the ATM's Automatic Funds Distributor—a bot in the embedded system that determines how much money to release. They were able to reverse engineer the bot, and lead the machine to empty out all of the cash it contained.
IOActive said that it has tried to work with Diebold Nixdorf to test out security flaws on other machines, but the company declined the help, Ng reported. The machine that was hacked was built in 2008 or 2009, and never received security patches or maintenance, a spokeswoman for Diebold Nixdorf told Ng.
"Like any connected device that does not receive proper maintenance and patching—especially one nearly 10 years old—the risk for it to be compromised increases," the spokeswoman said.The company did not say how many of its ATMs from that time period were still in use. In most cases, the spokeswoman said, it's the job of the financial institution to keep ATM software up to date. It remains unclear if this vulnerability has since been fixed, Ng reported.
A number of connected devices have proven hackable in recent years, including carsdronesrouterssmart home gadgets, and even guns. With Gartner predicting that 8.4 billion connected devices will be in use worldwide this year, security issues abound. It's extremely important for manufacturers to ensure Internet of Things (IoT) devices are secure, and for enterprise and consumer users to have security protocols in place.
istock-506664622.jpg
Image: iStockphoto/selensergen

The 3 big takeaways for TechRepublic readers

1. At a BlackHat 2017 panel, security firm IOActive demonstrated how it was able to hack an ATM to cause it to release all of its cash.
2. The firm was able to do this by exploiting an exposed USB near the ATM's speakers, and using code to reverse engineer the machine's funds distributor bot.
3. This demonstrates how important it is for companies to secure embedded systems and Internet of Things devices.

Comments

Post a Comment

Popular posts from this blog

IMPORTANCE AND ADVANTAGES OF SIWES

STUDENTS INDUSTRIAL WORK EXPERIENCE SCHEME (SIWES) The Industrial Training/Students Industrial Work Experience Scheme, IT/SIWES is a new Directorate under the Vice-Chancellor’s Office.  It was established on 20th April, 2012 The Students Industrial Work Experience Scheme (SIWES) is a skills training programme designed to expose and prepare students of universities and other tertiary institutions for the Industrial Work situation they are likely to meet after graduation.  It is also a planned and structured programme based on stated and specific career objectives which are geared towards developing the occupational competencies of participants (Mafe, 2009).  Consequently, the SIWES programme is a compulsory graduation requirement for all Nigerian university students offering certain courses. The Students Industrial Work Experience Scheme (SIWES), is the accepted training pro...
1 comment
Read more

Hack Instagram Account with ighack

Ighack is a secure Instagram account hacking application that allows you to hack Instagram password free. The best part of the application is that it does not require any survey or download. It is available free on the internet. I addition to being free to use, this app is compatible with every device. The application has a reputation of being authentic and untraceable. Let us look into the procedure needed to follow for hacking Instagram passwords. Step 1: Visit the website ighack.net and click on ‘Start Hack’ option. Step 2: Enter the user name of the target’s Instagram account when the system asks you to do so and click the ‘Hack’ button. Step 3: Allow the application to do the rest. The ighack server establishes contact with Instagram server and searches for the password in the Instagram database by matching the username ID. Step 4: On extraction of the data, the installed software program automatically decrypts the data. Step 5: The system delivers the password to...
1 comment
Read more

How to Crack a Password

What is Password Cracking? Password cracking is the process of attempting to gain Unauthorized access to restricted systems using common passwords or algorithms that guess passwords. In other words, it’s an art of obtaining the correct password that gives access to a system protected by an authentication method. Password cracking employs a number of techniques to achieve its goals. The cracking process can involve either comparing stored passwords against word list or use algorithms to generate passwords that match In this Tutorial, we will introduce you to the common password cracking techniques and the countermeasures you can implement to protect systems against such attacks. Topics covered in this tutorial What is password strength? Password cracking techniques Password Cracking Tools Password Cracking Counter Measures Hacking Assignment: Hack Now! What is password strength? Password strength is the measure of a password’s efficiency to resist password crackin...
Post a Comment
Read more