Want to hack a hole-in-the-wall cash machine for free dosh? It's as easy as Windows XP

Bank ATM pen testing reveals alarming results

ATM machines are vulnerable to an array of basic attack techniques that would allow hackers to lift thousands in cash.

This according to researchers at Positive Technologies, who studied more than two dozen different models of ATMs and found (PDF) nearly all would be vulnerable to network or local access attacks that would allow raiders to pillage the cash dispensers.

The study, out today, pitted Positive researchers against 26 machines from various manufacturers and service providers. Among the more noteworthy results:

  • 15 were found to be running Windows XP.
  • 22 were vulnerable to a "network spoofing" attack where an attacker connects locally to the machine's LAN port and conducts fraudulent transactions. Such an attack takes around 15 minutes to complete.
  • 18 were vulnerable to 'black box' attacks where an attacker physically connects a device to the machine and tricks it into spitting out cash. Positive notes these attacks can be carried out in about ten minutes with aftermarket compute boards (such as a Raspberry Pi).
  • 20 could be forced to exit out of kiosk mode via a USB or PS/2 connection. From there, an attacker could access the underlying OS of the machine and execute additional commands.
  • 24 had no data encryption in place on the hard drive, allowing an attacker who had access to the drive (see above) to pull any stored data and configuration info from the machine.

In general, the research found that, for the most part, the protections used by ATMs to prevent theft and tampering were more or less security theater, and anyone who really wanted to get into a machine could often do so in under an hour.

"More often than not, security mechanisms are a mere nuisance for attackers: our testers found ways to bypass protection in almost every case," the researchers said.

"Since banks tend to use the same configuration on large numbers of ATMs, a successful attack on a single ATM can be easily replicated at greater scale."

One of the top recommendations the report makes to banks is to harden up the physical security of the machines themselves. By physically securing the cabinets to lock away access to the inputs and compute hardware of the machines, many of the techniques used in the study could be thwarted.

Additionally, the researchers recommend banks keep on top of logging and monitoring security events on their networks.

While many of these physical attacks are largely theoretical – banks take a dim view of customers hanging out at ATMs for longer than a few minutes – the report does highlight the shameful lack of security for ATMs, particularly on the software side.

At this year's DEF CON hacking conference one researcher explained how he'd approached banks about flaws in their ATMs, only to be told such things weren't possible. It was only when he told them he was going public with the research that the flaws were fixed. ®
