ATM hacking is nothing new. Like any human-designed system, they’re bound to contain a flaw or two, or simply fail with time against faster, better technologies. Unlike most hardware, though, ATMs seem to occupy a special place in the imaginations of people who derive sick pleasure from watching supposedly impregnable devices get splayed wide open like a roasted duck. In the end, who among us could really refuse the awesome power to make cold, hard cash simply appear out of nowhere?
Alas, most ATM hacks of the past have required an attacker to gain physical access to a USB port; an act far too conspicuous in daylight, as it usually involves mangling some part of the machine. This is true even if the goal is not to steal any actual money within, but rather “skim” the payment card details of future law-abiding customers. Even the more rarely performed network-based attacks, while remote, are seemingly rife with risk. Hacking into a bank directly, and then somehow finding a way into a particular ATM would, after all, require a more expansive skillset — not to mention a need to go undetected within a highly guarded environment.
According to Wired, however, at least one researcher has found a way to avoid most of this trouble, drawing cash from ATMs like magic with a simple flick of his wrist. The outlet reported Thursday that Josep Rodriguez, a researcher and consultant at security firm IOActive, has built up a collection of bugs affecting NFC systems — a.k.a. near-field communication — which many modern machines rely on to wirelessly transmit data, including debit and credit card info.
Rodriguez, who’s hired to legally test machines to improve their security, has been able to use NFC readers to trigger what programmers call a “buffer overflow,” or excess of data that corrupts a machine’s memory. This decades-old attack has allowed Rodriguez to exploit ATMs and other point-of-sale machines — think retail store checkout machines — in a variety of ways: capturing payment card info, injecting malware, and even in one case “jackpotting” an ATM, which is exactly what it sounds like:
“Rodriguez has built an Android app that allows his smartphone to mimic those credit card radio communications and exploit flaws in the NFC systems’ firmware. With a wave of his phone, he can exploit a variety of bugs to crash point-of-sale devices, hack them to collect and transmit credit card data, invisibly change the value of transactions, and even lock the devices while displaying a ransomware message.”
According to Wired, Rodriguez has kept his findings under wraps for around a year and is otherwise legally bound not to reveal the identities of certain companies he’s worked for. Nevertheless, being bothered that a decades-old technique is still affecting a host of modern machines, he intends to disclosure more technical details in the coming weeks in an effort to call attention to, as Wired puts it, “the abysmal state of embedded device security more broadly.”
[Wired]