At the Black Hat conference, a carder showed a new way to hack ATMs

Tomcat

Actually, the word “hacker” is used here in a positive context, not implying a computer hacker. It's quite the opposite - network security specialist Jack Barnaby learned how to hack ATMs in order to point out to developers the main vulnerabilities of the system. In general, Jack found an easy way to learn how to hack ATMs (which is probably the dream of every second teenager) - he simply bought two ATMs at an auction from two different manufacturers, Tranax Technologies and Triton.

According to Jack, he then spent a whole year studying the software and hardware of these devices. Now he can withdraw bills from any ATM of the models he has studied until they run out in the ATM itself. In general, outwardly it all looks even simpler than in the movie “Terminator 2” (yes, yes, I know that this is just a trick by the director; you can’t hack an ATM in this way). So, the hacker presented two ways to hack ATMs - the first allows you to log into the system using a telephone modem, and the second method allows you to remove bills without having to enter a password for a credit card.

Jack says that the vulnerabilities he found are very critical, but information about them has already been passed on to the manufacturers.

In the case of the Tranax ATM, the hacker found a critical remote access vulnerability that allows full access to the system without the need for a password. To exploit the vulnerability, a corresponding exploit was written, which was called Dillinger. Accordingly, another exploit was written for the second type of ATM - Scrooge.

The first exploit allows exploiting a vulnerability in remote ATM access technology. The second is a rootkit that introduces a backdoor into the system that is not shown in the list of running applications. You can call it by entering a combination of button presses or a specially made card.

By the way, Triton's ATMs do not have a remote access vulnerability (at least the hacker didn't find one). But the hardware of this device is standard, and the motherboard, which provides access to the money, is protected by a standard key that Jack bought for $10 on the Internet. Basically, all this allowed the hacker to install a backdoor on the system as a system update.

More detailed information, unfortunately, is not available; the hacker did not make his work publicly available. By the way, after his appeal to the manufacturers, Triton management reacted quickly, promptly installing updates that closed the vulnerability. But Tranax remains silent for now.

By the way, Jack was supposed to speak at the last conference, but his speech was canceled at the last minute as a result of some technical difficulties.

Interestingly, most ATMs from these manufacturers that are installed in public areas do not have protection against the vulnerabilities that Jack found. But new ATMs are delivered with closed “holes”.
 