July 30, 2010

Blackhat News - Triton and Tranax Sing the Blues

Imagine ATMs spewing out all of their cash and letting you view admin passwords and account PINs. The news every year from Blackhat usually includes one of these demos (and it does again).

Finextra: Researcher shows off ATM 'jackpot' hacks

Barnaby Jack, a researcher at security firm IOActive, was forced to pull his demonstration at the event last year after the cash machine manufacturer called for more time to find patches.

This year he went ahead with the exhibition, hacking ATMs from Triton and Tranax - both of which run on Microsoft's Windows CE.

To 'jackpot' the Triton machine he used a key available for sale online to open it up and install a USB containing malware which forced it to spew out all its notes.

The Tranax ATM was hacked through a vulnerability in its remote monitoring system which enabled him to exploit software that uses the Internet or phone lines to take control of it. He then uploaded code forcing the machine to spit out all of its cash and letting him view administrative passwords and account PINs.

"I've always liked the scene in Terminator 2 where John Connor walks up to an ATM, interfaces his Atari to the card reader and retrieves cash from the machine. I think I've got that kid beat," says Jack.

Triton and Tranax have both issued fixes for the vulnerabilities.

Full Article: http://www.finextra.com/news/fullstory.aspx?newsitemid=21653

Posted by staff at July 30, 2010 03:49 PM