14

DEF CON Safe Mode - Trey Keown and Brenda So - Applied Cash Eviction through ATM Exploitation(www.youtube.com)

posted
by
Avatar
JoeByeThen [he/him, they/them]@hexbear.net
in
Avatar
technology@hexbear.net
4 comments
hidereport

ATMs are networked computers that dispense cash, so naturally they’re uniquely interesting devices to examine. We all remember ATM jackpotting from a decade ago. Unfortunately, it doesn’t look like ATM security has improved for some common models since then.

We present our reverse engineering process for working with an ATM and modifying its firmware. For this, we became our own “bank” by creating software that’s able to speak the obscure protocols used by ATMs. For working with the device software at a low level, we restored JTAG access, defeated code signing, and developed custom debugging tools. We then leveraged this research to discover two 0-day network-based attacks, which we will demonstrate live. The first vulnerability takes advantage of the ATM’s remote administration interface, which can lead to arbitrary code execution and total device compromise. The second vulnerability is in the OEM’s implementation of a common middleware for ATM peripherals. This allows for command injection and jackpotting of ATMs over the network.

The high barrier to entry for even legally opening up one of these devices has left a lot of attack surface area unchecked. Through this talk, we want to shed light on the state of ATM security and encourage the security community to continue to challenge ATM vendors to do better.

Sort:
HotTopControversialNewOld
Avatar
Shinji_Ikari [he/him]@hexbear.net
3 points

I wish the cyber security world was as cool as defcon makes it seem. Whats the point of the “spot the fed” game when everyone is a fed or contractor.

permalink
report
reply
Avatar
JoeByeThen [he/him, they/them]@hexbear.netOP
2 points

Agreed, DARPA and STEM pretty much co-opted the entire hacker culture into being dogs of the system.

permalink
report
parent
reply
Avatar
Shinji_Ikari [he/him]@hexbear.net
2 points

Cyber crime laws basically made it worse than murder to dare to beat security. Now that so much capital is electronic, and large companies are incompetent, they need to throw the book at anyone who dares to poke the hornets nest. Its a real shame black hat hacking has come down to mostly identity theft.

permalink
report
parent
reply
Avatar
JoeByeThen [he/him, they/them]@hexbear.netOP
3 points

That’s one of the reasons I try to recommend leftist who are at least somewhat technically inclined learn more about hacking and whatnot. Cops and feds may be the face of oppression during protests but it’s things like billing systems and credit reporting agencies that make up the day to day form of the boot on our neck.

permalink
report
parent
reply

technology

!technology@hexbear.net

Create post

On the road to fully automated luxury gay space communism.

Spreading Linux propaganda since 2020

Rules:

  • 1. Obviously abide by the sitewide code of conduct. Bigotry will be met with an immediate ban
  • 2. This community is about technology. Offtopic is permitted as long as it is kept in the comment sections
  • 3. Although this is not /c/libre, FOSS related posting is tolerated, and even welcome in the case of effort posts
  • 4. We believe technology should be liberating. As such, avoid promoting proprietary and/or bourgeois technology
  • 5. Explanatory posts to correct the potential mistakes a comrade made in a post of their own are allowed, as long as they remain respectful
  • 6. No crypto (Bitcoin, NFT, etc.) speculation, unless it is purely informative and not too cringe
  • 7. Absolutely no tech bro shit. If you have a good opinion of Silicon Valley billionaires please manifest yourself so we can ban you.

Community stats

  • 1.7K

    Monthly active users

  • 5K

    Posts

  • 61K

    Comments

Community moderators