Confessions of an ATM Hacker
I caught up this week with Barnaby Jack, the so-called ethical hacker who cracked the operating systems of two retail ATMs during last month's Black Hat Technical Security Conference in Vegas. Jack, who heads research for IOActive Labs, a privately held computer and network security firm in San Francisco, hacked two commonly deployed off-premises ATMs -- the Triton RL2000 and Tranax 1700.
His actions have been praised by some, criticized by others. Ethical hackers like Jack play a critical role in security, some argue. Others question his motives, as well as his right to publicly expose system vulnerabilities found in products manufactured by private entities.
"You have to walk a really fine line," Jack tells me, when it comes to ethical hacking. "But I'm sure I'm not the only one who can come up with these sorts of attacks. And then it would stay more underground and pose a more serious threat, I think."
On the Triton, Jack exposed weaknesses in physical security: the cabinet within the ATM enclosure that houses the PC could be opened with a universal key. Once he had access to the PC, Jack infected the operating system with malware carried on a thumb drive. On the Tranax, he compromised the remote-management channel and used it to deliver the malware over the network; once installed, the malware took control of the ATM's operating system.
Jack is quick to point out that he did not go public with any information about the hacks until after he had contacted both manufacturers and given each adequate time to develop software upgrades and patches. He actually hacked the Triton machine a year ago, while working as a security researcher for Juniper Networks, which designs and sells Internet protocol products and services.
But Juniper reined Jack in, keeping him from going public with the hack at the 2009 Black Hat security conference. "I guess we jumped the gun at Black Hat (last year)," he explains. "We didn't want to go up there and basically show how ATMs can be hacked without having any sort of mitigation in place."
So Jack and Juniper let the hacks go, for the time being, and Jack spent the next year researching different types of attacks and ATMs. "People had thought that there was legal pressure and that sort of thing, but that was all hearsay," Jack says.
After notifying Triton about some of the security flaws found in its RL2000, Jack says Triton signed with Juniper to help it develop some fixes.
"They could've shut down the talk and kept everything kind of hidden away," Jack says. Instead, however, Triton worked with Juniper and was later comfortable, Jack says, with going public about the hack and the vulnerabilities. "Now that these ATM manufacturers are aware of these software vulnerabilities, they're actually going to be proactive about sort of keeping the patches up to date."
Since Black Hat, Triton has issued several marketing messages that explain the hack and how deployers can protect their networks.
Still, some ATM deployers have questioned Jack's right to test the machines at all. They also question his motives: Is his company just trying to drum up business? My short answer to that is, "Yes." It's always about business. So, if Jack's motives served a greater purpose, does that trump the underlying motivation to build business? You tell me.
Here's the way I see it. Jack's job is to test ATM systems. If he identifies vulnerabilities in a system that's being sold to numerous institutions and retailers throughout the country, how could he not expose those risks? If millions of cardholders are compromised because Jack fails to tell a vendor and the community, would he have done the "right" thing by staying silent? I don't think so. And I don't think the industry really thinks so either.
Honestly, I think manufacturers and vendors should be glad when ethical hackers such as Jack bring system security holes to their attention.