ATM Security: Where are the Gaps?
Staged Hack Raises Questions About Vulnerabilities, Practices
This was the question top-of-mind for industry thought leaders in response to reports of ATM hacking at the Black Hat Technical Security Conference in Las Vegas last week.
During what's been described as a dramatic display at Black Hat, Barnaby Jack, a former employee of Juniper Networks, demonstrated how effortlessly a hacker could infect an ATM, sometimes without physical contact. Two common ATM models - the Triton RL2000 and the Tranax 1700 - were injected with malware, giving the hacker control to spit out all the money he wanted. On the Tranax machine, Jack bypassed the remote authentication system. On the Triton machine, he infected the ATM with malware saved to a thumb drive. In both cases, Jack used a homemade rootkit that attacked the CE Windows operating system, giving him undetected system-administrative privileges.
For Rich Madley, the electronic-funds-transfer manager for Los Angeles-based USC Credit Union ($350 million in assets), reading a news story about compromised ATMs was alarming. "I have two Tritons out there," Madley says. "How vulnerable am I for this to happen to me?"
Vulnerabilities
Bob Douglas, vice president of engineering for Mississippi-based Triton Systems, which manufactures the RL2000, says Triton was made aware of the vulnerability last fall; in November, Triton released two patches - the XScale Security 2.2 Update and the X2 Security 2.1 Update.
"[Jack] defeated our authentication methodology," Douglas says. "But the patch we released will take care of it."
California-based Tranax Technologies, which in June filed for bankruptcy, could not be reached for comment. Nicole Sturgill, an analyst for Boston-based TowerGroup who covers the ATM industry, says she is not aware of any updates for the Tranax hack. "They seem to be oddly silent about it," she says. "[But] since financial institutions and credit unions are more likely to use Triton than Tranax, I think the patch should be the answer."
The real problem, however, may be the risk posed for retailers, Sturgill says. "What are the chances that they know they are at risk, unless they've seen this story?"
Jack, who actually hacked the ATMs last year, used the demonstration as a way to get the word out about vulnerabilities to Windows-based machines. Similar hacking techniques are used to break into point-of-sale terminals and systems via the Internet. Vulnerabilities to the Windows OS have been discussed within the ATM industry for the past 10 years, since manufacturers began migrating their platforms from IBM's OS/2 to Microsoft's Windows. IBM stopped supporting OS/2 in 2006, which necessitated the move.
Mike Lee, chief executive of the international ATM Industry Association, says demonstrations that highlight security risks help the industry stay ahead. "We are always looking to raise awareness to continuously improve the security of the ATM," Lee says. "To ensure the most effective protection against a variety of threats - including internal, external, physical and logical threats - the industry advises financial institutions to implement and maintain a comprehensive, multilayered security approach."
New Holes to Fill
Beyond vulnerabilities to Windows, however, two other disturbing security holes were brought to light:
- Hole No. 1 - The Tranax ATM was hacked remotely, after Jack was able to bypass the machine's remote-monitoring system (RMS). Once in, he took control and was able to collect card numbers.
- Hole No. 2 - Triton's RMS package, Triton Connect, was not bypassed. But the machine's physical security was. With a universal key, Jack was able to open the ATM's enclosure and easily access the PC inside. "Ninety percent of the machines out there have generic top-hat keys or locks," Madley says.
Triton's Douglas says all manufacturers offer unique keys for the physical locks that secure the top of the ATM's enclosure, which is where the PC is located. But few institutions or retailers order unique keys. "Almost always, universal keys are used," he says.
Security gaps posed by the use of universal keys have cropped up in other sectors, namely at pay-at-the-pump gas terminals, where criminals have been able to easily open enclosures and hide skimming devices.
It's more about convenience, Douglas adds, since an institution or retailer has several ATMs. Mixed estates of ATMs, coupled with the number of technicians, service providers and employees who have to access the machines, are the problem. "To have a specific key for each ATM is a pain for them," Douglas says. "But unique keys would offer a clearer security measure that they could take."