11 with 11 posters participating
For years, security researchers and cybercriminals have hacked ATMs by using all possible avenues to their innards, from opening a front panel and sticking a thumb drive into a USB port to drilling a hole that exposes internal wiring. Now, one researcher has found a collection of bugs that allow him to hack ATMs—along with a wide variety of point-of-sale terminals—in a new way: with a wave of his phone over a contactless credit card reader.
Josep Rodriguez, a researcher and consultant at security firm IOActive, has spent the last year digging up and reporting vulnerabilities in the so-called near-field communications reader chips used in millions of ATMs and point-of-sale systems worldwide. NFC systems are what let you wave a credit card over a reader—rather than swipe or insert it—to make a payment or extract money from a cash machine. You can find them on countless retail store and restaurant counters, vending machines, taxis, and parking meters around the globe.
Now Rodriguez has built an Android app that allows his smartphone to mimic those credit card radio communications and exploit flaws in the NFC systems’ firmware. With a wave of his phone, he can exploit a variety of bugs to crash point-of-sale devices, hack them to collect and transmit credit card data, invisibly change the value of transactions, and even lock the devices while displaying a ransomware message. Rodriguez says he can even force at least one brand of ATMs to dispense cash—though that “jackpotting” hack only works in combination with additional bugs he says he has found in the ATMs’ software. He declined to specify or disclose those flaws publicly due to nondisclosure agreements with the ATM vendors.
“You can modify the firmware and change the price to one dollar, for instance, even when the screen shows that you’re paying 50 dollars. You can make the device useless, or install a kind of ransomware. There are a lot of possibilities here,” says Rodriguez of the point-of-sale attacks he discovered. “If you chain the attack and also send a special payload to an ATM’s computer, you can jackpot the ATM—like cash out, just by tapping your phone.”
PIN or the data from EMV chips. And the fact that the ATM cashout trick would require an extra, distinct vulnerability in a target ATM’s code is no small caveat, Nohl says.
But security researchers like the late IOActive hacker Barnaby Jack and the team at Red Balloon Security have been able to uncover those ATM vulnerabilities for years and have even shown that hackers can trigger ATM jackpotting remotely. Red Balloon CEO and chief scientist Ang Cui says that he’s impressed by Rodriguez’s findings and has little doubt that hacking the NFC reader could lead to dispensing cash in many modern ATMs, despite IOActive withholding some details of its attack. “I think it’s very plausible that once you have code execution on any of these devices, you should be able to get right to the main controller, because that thing is full of vulnerabilities that haven’t been fixed for over a decade,” Cui says. “From there,” he adds, “you can absolutely control the cassette dispenser” that holds and releases cash to users.