Black Hat: Hacker Tricks ATMs Into Raining Cash


Security researcher Barnaby Jack on Wednesday showed how easy it can be to trigger a waterfall of cash from a standard bank ATM using readily available software applications.

In a presentation at the Black Hat USA 2010 conference in Las Vegas, Jack, director of research at IOActive, a Seattle-based security consulting company, used software to trick two standard ATMs into spitting out wads of cash while displaying "jackpot" on the screens.

According to a Wednesday report from VentureBeat, Jack was able to hack two ATMs built around the Windows CE operating system and either ARM or XScale processors.

He did so by using a common universal key and a USB stick to load a rootkit software application, along with another program to take over the ATMs. Jack claims to have hacked at least four different ATMs, a couple of which have since been patched, VentureBeat said.

Jack also disclosed a couple of easy countermeasures to his hack, including physical locks with unique keys on the ATMs to stop thieves from easily accessing the machines. Vendors should also use a trusted software environment to prevent software hacks, VentureBeat said.

In Jack's description of his presentation on the Black Hat 2010 website, he says he was originally scheduled to give his ATM hacking demo last year, but the talk was pulled at the last minute "due to circumstances beyond my control."

Jack also notes that most ATM attacks depend on external devices to skim data from customers' ATM cards, or on physically removing the ATMs to steal the cash, and that attacking the ATM software is rare.

However, Jack noted that this scenario was featured in one of Hollywood's most famous films.

"I've always liked the scene in Terminator 2 where John Connor walks up to an ATM, interfaces his Atari to the card reader and retrieves cash from the machine. I think I've got that kid beat," he wrote.