Jack said he didn’t think he’d be able to break the ATMs when he first started probing them.
“My reaction was, ‘this is the game-over vulnerability right here,’” he said of the remote hack. “Every ATM I’ve looked at, I’ve been able to find a flaw in. It’s a scary thing.”
Kurt Baumgartner, a senior security researcher with antivirus software maker Kaspersky Lab, called the demonstration a “thrill” to watch and said it is important for improving the security of machines that can each hold tens of thousands of dollars in cash. However, he said he doesn’t think it will result in widespread attacks because banks don’t use the standalone systems and Jack didn’t release his attack code.
Jack wouldn’t identify the ATM makers. He put stickers over the ATM makers’ names on the two machines used in his demonstration. But the audience, which burst into applause when he made the machines spit out money, could see from the screen prompts on the ATM that one of the machines was made by Tranax Technologies Inc., based in Hayward, Calif. Tranax did not immediately respond to e-mail messages from The Associated Press.
Triton Systems, of Long Beach, Miss., confirmed that one of its ATMs was used in the demonstration. It said Jack alerted the company to the problems and that Triton now has a software update in place that prevents unauthorized software from running on its ATMs.
Bob Douglas, Triton’s vice president of engineering, said customers can buy ATMs with unique keys but generally don’t, preferring to have a master key for cost and convenience.
“Imagine if you have an estate of several thousand ATMs and you want to access 20 or so of them in one day,” he wrote in an e-mail to the AP. “It would be a logistical nightmare to have all the right keys at just the right place at just the right time.”
Other ATM manufacturers contacted by the AP also did not immediately respond to messages.
Jack said the manufacturers whose machines he studied are deploying software fixes for both vulnerabilities, but added that the prevalence of remote-management software broadly opens up ATMs to hacker attacks.