Besides ordering it to spit out money, attackers can silently harvest account data from anyone who uses the machines. It allows an attacker to gain full control of the ATMs. The remote style of attack is more dangerous because an attacker doesn't need to open up the ATMs. It's to raise the issue and have ATM manufacturers be proactive about implementing fixes". He didn't go into much more detail because he said the goal of his talk "isn't to teach everybody how to hack ATMs. Jack said the problem was that outsiders were permitted to bypass the need for a password.
Jack also hacked into ATMs by exploiting weaknesses in the way ATM makers communicate with the machines over the internet. He then inserted a program he had written into one of them, commanding the ATM to dump its vaults. He used his key to unlock a compartment in the ATM that had standard USB slots. Then he compared the keys he got to pictures of other keys, found on the internet. He figured this out by ordering three ATMs from different manufacturers for a few thousand dollars each. Jack found that the physical keys that came with his machines were the same for all ATMs of that type made by that manufacturer. Jack, who works as director of security research for Seattle-based IOActive, showed in a theatrical demonstration two ways he can get ATMs to spit out money.
He used the extra year to craft more dangerous attacks. His talk was one of the conference's most widely anticipated, as it had been pulled a year ago over concerns that fixes for the ATMs would not be in place in time.
0 kommentar(er)
