Step aside phishing websites, scams, fake ATM machines, and all various techniques to steal money from one person, someone in the U.S. has successfully hacked into an ATM and taken full control of it so it can command for it to feed out cash on demand. Don’t worry though, this hack wasn’t done by just any professional out there to steal money, it was demonstrated by the Director of Research at IOActive Labs who used a laptop installed with a custom-built software called “Dillinger” to overwrite the ATM’s OS so they can send commands for it to dispense cash as and when they want it.
The demonstration was done at a Black Hat security conference that demonstrated two different attacks on Windows CE Based ATM machines – a physical attack that requires a USB stick and a master key, and a remote attack that exploited a flaw in the way ATMs authenticate firmware upgrades. While the physical attack may seem a little risky – albeit simple – because you’re going to have to walk up to an ATM machine and perhaps risk getting caught in action in the security camera, all the remote attack need is just a laptop.
Of course, there wasn’t any details on how the attack was done, all Barnaby Jack, Director of Research at IOActive Labs did was displayed the UI of the Dillinger tool that included a “Jackpot!” feature that when clicked, can start spewing cash on demand.
The program even allowed the hacker to save and track the data of any users who inserted their card on the hacked machines as the rootkit can run quietly in the background. The menu functions included instructions to “dispense cash from each cassette”, “Exit!” and the most useful tool so you won’t alert the bank because someone’s trying to withdraw more than whatever money they have left inside: a “print stats on remaining bill counts” feature.
(Source: ZDNet)