Now thieves can use Google to hack into ATMs

September 22, 2006

Using some information obtained from a YouTube video and a simple four-keyword Google search engine query, a thief can now find step-by-step instructions on how to hack into and take full control of thousands of bank ATMs scattered around North America.

More specifically, and following up on a CNN report, a criminal reprogrammed an ATM at a gas station to dispense $20 bills instead of $5 bills. A New York-based security researcher did some old-fashioned online sleuthing and discovered that the operator's manual for that specific model of ATM could be legally obtained in just 15 minutes.

Dave Goldsmith, CEO and founder of the New York penetration testing company Matasano Security, didn't say how he obtained the operator's manual, which contained master passwords and other extremely sensitive data about the cash-dispensing machines. However, a brief analysis shows that a simple Google query returns a 102-page PDF file that provides a full road map to the hack.

Goldsmith, a respected researcher who co-founded @Stake and previously led Symantec's Security Academy, said he traced clues from the video to identify the make and model of the ATM, a Tranax Mini-Bank 1500 Series, and then started an experiment to see how easy it would be to legally obtain an operator's manual. Goldsmith said he first dug around on Tranax Technologies' Web site and found a knowledge base article that mentioned that the ATM is programmed with passwords that can be easily found in the operator's manual.

"If you get your hand on this manual, you can basically reconfigure the ATM if the default password was not changed. My guess is that most of these mini-bank terminals are sitting around with default passwords untouched," Goldsmith said.

Officials at Tranax did not respond to requests for comment.
According to a note on the company's Web site, Tranax has shipped 70,000 ATMs, self-service terminals and transactional kiosks around the U.S. The majority of those shipments are of the flagship Mini-Bank 1500 machine that was rigged in the Virginia Beach heist.

In the operator's manual, freely available on the Web site of a Canadian reseller, a section titled "Programming" provides the specific key sequence that will pop up a screen on the ATM asking for the master password. It then lists three default master passwords, followed by service and operator passwords that could be used to hijack and possibly rig a machine. The manual also contains instructions on how to enter a diagnostic mode, how to program the ATM's number keys to pay out cash withdrawals and how to change the passwords to take future ownership of the machine.

"This isn't a vulnerability," Goldsmith explained. "It's someone exploiting a policy weakness, where ATM owners install these things and never change the default password."

"If you maintain one of these devices, make sure that you are not using the default password. If you are, change it immediately," Goldsmith wrote in a blog entry that details some of his findings.

A section of the manual titled "Transaction Setup" provides a walk-through of how to configure the ATM to dispense cash and how to set up the cassettes within the machine that store the cash. According to Tranax, the Mini-Bank model 1500 can dispense a maximum of 40 notes per transaction, which limits what a criminal can withdraw from a single machine with a single card. However, as Goldsmith noted, a thief with access to many machines still set to default passwords could launch a major crime spree. It is also likely that operator manuals for other ATM brands are readily available, Goldsmith said.

A quick Google search for several other mini ATM models also produced user manuals with default passwords, although some require that the attacker have physical access to the power settings on the machine. The episode underscores how easy it is to use the power of search engines to find sensitive security information. In the past, Google queries have been used to find security flaws in Web-facing applications, default passwords in Oracle databases and even live malware samples seeded on forums and other malicious sites.

Source: eWeek
Copyright © Search Engines Today. All rights reserved.