
Communications of the ACM

ACM TechNews

Hackers Say 'Jackpotting' Flaws Tricked Popular ATMs Into Spitting Out Cash


An ATM spewing cash.

Security researchers found two "jackpotting" flaws that force Nautilus ATMs to dispense cash on command.

Credit: Broadcom

Security researchers Brenda So and Trey Keown of the Red Balloon security firm unveiled two new "jackpotting" flaws that force Nautilus ATMs to dispense cash on command.

The bugs have lain dormant within the ATMs' underlying software—a 10-year-old version of Windows no longer supported by Microsoft—which the researchers reverse-engineered.

The first vulnerability was in the manufacturer's implementation of the Extensions for Financial Services software layer; Keown said transmitting a malicious request over the network could trigger the cash dispenser and dump the cash inside.

The second flaw resided in the ATM's remote management software; So said it was possible to swap the ATM's payment processor for a hacker-controlled server and extract data such as credit card numbers.

The researchers privately disclosed their findings to Nautilus last year, and Bloomberg reported roughly 80,000 Nautilus ATMs in the U.S. were vulnerable at the time.

From TechCrunch

 

Abstracts Copyright © 2020 SmithBucklin, Washington, DC, USA


 
