Published On: Mon, Aug 10th, 2020

Hackers say ‘jackpotting’ flaws tricked popular ATMs into spitting out cash

In 2010, the late Barnaby Jack, a world-renowned security researcher, hacked an ATM live onstage at a Black Hat conference by tricking a cash dispenser into spitting out a stream of dollar bills. The technique was fittingly named “jackpotting.”

A decade on from Jack’s blockbuster demo, security researchers are presenting two new vulnerabilities in Nautilus ATMs, albeit virtually, thanks to the coronavirus pandemic.

Security researchers Brenda So and Trey Keown at New York-based security firm Red Balloon say their pair of vulnerabilities allowed them to trick a popular standalone retail ATM, commonly found in stores rather than at banks, into dispensing cash on their command.

A hacker would need to be on the same network as the ATM, making it more difficult to launch a successful jackpotting attack. But their findings highlight that ATMs often have vulnerabilities that lie dormant for years, in some cases since they were first built.

Barnaby Jack, the late security researcher credited with the first ATM “jackpotting” attacks. Now, 10 years later, two security researchers have found two new ATM cash-spitting attacks. Credit: YouTube

So and Keown said their new vulnerabilities target the Nautilus ATM’s underlying software, a decade-old version of Windows that is no longer supported by Microsoft. To start with, the pair bought an ATM to examine. But with little documentation, the duo had to reverse-engineer the software inside to understand how it worked.

The first vulnerability was found in the software layer known as XFS, or Extensions for Financial Services, which the ATM uses to talk to its various hardware components, such as the card reader and the cash dispensing unit. The bug wasn’t in XFS itself, but rather in how the ATM manufacturer implemented the software layer in its ATMs. The researchers found that sending a specially crafted malicious request over the network could effectively trigger the ATM’s cash dispenser and dump the cash inside, Keown told TechCrunch.

The second vulnerability was found in the ATM’s remote management software, a built-in tool that lets owners manage their fleet of ATMs by updating the software and checking how much cash is left. Triggering the bug would grant a hacker access to the vulnerable ATM’s settings.

So told TechCrunch it was possible to swap the ATM’s payment processor for a malicious, hacker-controlled server to siphon off banking data. “By pointing an ATM to a malicious server, we can extract credit card numbers,” she said.

Bloomberg first reported the vulnerabilities last year, when the researchers privately reported their findings to Nautilus. About 80,000 Nautilus ATMs in the U.S. were vulnerable prior to the fix, Bloomberg reported. A Nautilus spokesperson would not confirm the figure.

Successful jackpotting attacks are rare but not unheard of. In recent years, hackers have used a number of techniques. In 2017, an active jackpotting group was discovered operating across Europe, netting millions of euros in cash.

More recently, hackers have stolen proprietary software from ATM manufacturers to build their own jackpotting tools.
