ATM hacked to make it spew cash (electronic voting machine hacked)
Posted on 08/01/2010 1:03:27 PM PDT by goldendays
ATM hacked to make it spew cash
New Zealand computer security expert Barnaby Jack has shown "hacking" into an automatic teller machine can be easy with the right software.
Jack, director of security testing at Seattle-based computer security consultant IOActive Inc, hauled two ATMs on to a Las Vegas conference stage and demonstrated how, with the press of a button, an ATM could spew out all its cash.
"I hope to change the way people look at devices that from the outside are seemingly impenetrable," Jack told the Black Hat computer security conference, CBS reported.
The 32-year-old Aucklander - currently living in the United States - showed one that even allowed a hacker to connect to the ATM through a telephone modem and, without knowing a password, instantly force it to disgorge its entire supply of cash.
Jack said he bought the pair of standalone ATMs over the internet and then spent years poring over their software code.
The vulnerabilities and programming errors he unearthed during that process, Jack said, let him gain complete access to those machines and learn techniques that can be used to open the built-in safes of many others made by the same manufacturers.
"Every ATM I've looked at, I've found a game-over vulnerability that allows an attacker to get cash from the machine," Jack said. "I've looked at four ATMs. I'm four for four."
"Voting machines must remain secure throughout their entire service lifetime, and this study demonstrates how a relatively new programming technique can be used to take control of a voting machine that was designed to resist takeover, but that did not anticipate this new kind of malicious programming," said Hovav Shacham, a professor of computer science at UC San Diego's Jacobs School of Engineering and an author on the new study presented on August 10, 2009 at the 2009 Electronic Voting Technology Workshop / Workshop on Trustworthy Elections (EVT/WOTE 2009), the premier academic forum for voting security research. In 2007, Shacham first described return-oriented programming, which is a powerful systems security exploit that generates malicious behavior by combining short snippets of benign code already present in the system.

Computer scientists led by Hovav Shacham, a UC San Diego professor, hacked an electronic voting machine and stole votes using a malicious programming approach that had not been invented when the voting machine was designed. The computer scientists employed "return-oriented programming" to force a Sequoia AVC Advantage electronic voting machine to turn against itself and steal votes. (Credit: UC San Diego Jacobs School of Engineering)

The new study demonstrates that return-oriented programming can be used to execute vote-stealing computations by taking control of a voting machine designed to prevent code injection. Shacham and UC San Diego computer science Ph.D. student Stephen Checkoway collaborated with researchers from Princeton University and the University of Michigan on this project.

"With this work, we hope to encourage further public dialog regarding what voting technologies can best ensure secure elections and what stop-gap measures should be adopted if less than optimal systems are still in use," said J. Alex Halderman, an electrical engineering and computer science professor at the University of Michigan.

The computer scientists had no access to the machine's source code, or any other proprietary information, when designing the demonstration attack. By using just the information that would be available to anyone who bought or stole a voting machine, the researchers addressed a common criticism made against voting security researchers: that they enjoy unrealistic access to the systems they study.

"Based on our understanding of security and computer technology, it looks like paper-based elections are the way to go. Probably the best approach would involve fast optical scanners reading paper ballots. These kinds of paper-based systems are amenable to statistical audits, which is something the election security research community is shifting to," said Shacham.
"You can actually run a modern and efficient election on paper that does not look like the Florida 2000 Presidential election," said Shacham. "If you are using electronic voting machines, you need to have a separate paper record at the very least." Last year, Shacham, Halderman and others authored a paper entitled "You Go to Elections with the Voting System You Have: Stop-Gap Mitigations for Deployed Voting Systems" that was presented at the 2008 Electronic Voting Technology Workshop.

"This research shows that voting machines must be secure even against attacks that were not yet invented when the machines were designed and sold. Preventing not-yet-discovered attacks requires an extraordinary level of security engineering, or the use of safeguards such as voter-verified paper ballots," said Edward Felten, an author on the new study; Director of the Center for Information Technology Policy; and Professor of Computer Science and Public Affairs at Princeton University.

Return-Oriented Programming Demonstrates Voting Machine Vulnerabilities

To take over the voting machine, the computer scientists found a flaw in its software that could be exploited with return-oriented programming. But before they could find a flaw in the software, they had to reverse engineer the machine's software and its hardware, without the benefit of source code. Princeton University computer scientists affiliated with the Center for Information Technology Policy began by reverse engineering the hardware of a decommissioned Sequoia AVC Advantage electronic voting machine, purchased legally through a government auction. J. Alex Halderman, an electrical engineering and computer science professor at the University of Michigan (who recently finished his Ph.D. in computer science at Princeton), and Ariel Feldman, a Princeton University computer science Ph.D. student, reverse-engineered the hardware and documented its behavior.
It soon became clear to the researchers that the voting machine had been designed to reject any injected code that might be used to take over the machine. When they learned of Shacham's return-oriented programming approach, the UC San Diego computer scientists were invited to take over the project.

Stephen Checkoway, the computer science Ph.D. student at UC San Diego, did the bulk of the reverse engineering of the voting machine's software. He deciphered the software by reading the machine's read-only memory. Simultaneously, Checkoway extended return-oriented programming to the voting machine's processor architecture, the Z80. Once Checkoway and Shacham found the flaw in the voting machine's software, a search which took some time, they were ready to use return-oriented programming to expose the machine's vulnerabilities and steal votes.

The computer scientists crafted a demonstration attack using return-oriented programming that successfully took control of the reverse-engineered software and hardware and changed vote totals. Next, Shacham and Checkoway flew to Princeton and proved that their demonstration attack worked on the actual voting machine, and not just the simulated version that the computer scientists built.

The computer scientists showed that an attacker would need just a few minutes of access to the machine the night before the election in order to take it over and steal votes the following day. The attacker introduces the demonstration attack into the machine through a cartridge with maliciously constructed contents that is inserted into an unused port in the machine. The attacker navigates the machine's menus to trigger the vulnerability the researchers found. Now the malicious software controls the machine. The attacker can, at this point, remove the cartridge, turn the machine's power switch to the off position, and leave. Everything appears normal, but the attacker's software is silently at work.
When poll workers enter in the morning, they normally turn this type of voting machine on. At this point, the exploit would make the machine appear to turn back on, even though it was never actually turned off. "We overwrote the computer's memory and state so it does what we want it to do, but if you shut off the machine and reboot from ROM, the exploit is gone and the machine returns to its original behavior," explained Checkoway.

The computer scientists tested a machine that is very similar to machines that are used today in New Jersey and Louisiana. These New Jersey and Louisiana machines may have corrected the specific vulnerabilities the computer scientists exploited, but they have the same architectural limitations. The researchers highlight the possibility that current voting machines will be vulnerable to return-oriented programming attacks similar to the attack demonstrated in this study. "This work shows how difficult it is to design voting machines that will remain secure over time. It's impossible to anticipate what new kinds of attacks will be discovered in the future," said Halderman.

http://www.physorg.com/news169133727.html
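A toy illustration of the mechanism the article describes, added here as an example; it is not the Sequoia AVC Advantage firmware, the researchers' code, or the Z80 flaw they found. It simulates a machine that only ever executes from ROM (so injected code is rejected, which is what the article says the machine was designed to do), a cartridge-loading routine that copies the cartridge into a small stack buffer without checking its length, and a malicious cartridge that contains no instructions at all: only addresses of existing ROM fragments that happen to end in RET, plus the data those fragments pop. The instruction set, the ROM addresses, the 4-word buffer, the tally location (RAM word 8) and the one-line bounds-check fix are all assumptions made for the illustration.

```c
/* Toy ROM-only stack machine to illustrate return-oriented programming.
 * Added example: NOT the Sequoia AVC Advantage firmware or the researchers'
 * code. Instruction set, addresses, buffer size and tally location are
 * assumed for the illustration. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum op { HALT, CALL, RET, SUB_SP, ADD_SP, COPY_CART, POP_A, POP_B, STORE };
struct insn { enum op op; uint16_t arg; };

#define ROM_SIZE  32
#define RAM_SIZE  256
#define BUF_WORDS 4      /* stack buffer in load_cartridge (assumed) */
#define VOTE_ADDR 8      /* RAM word holding the running tally (assumed) */
#define STACK_TOP 200    /* stack grows down from here; it lives in RAM */

/* ROM addresses (assumed). The three "gadgets" are ordinary code fragments
 * that happen to end in RET; the attacker never adds an instruction. */
enum { MAIN = 0, G_POP_A = 10, G_POP_B = 12, G_STORE = 14, LOAD_CART = 20 };

static const struct insn ROM[ROM_SIZE] = {
    [MAIN]          = {CALL, LOAD_CART},   [MAIN + 1]      = {HALT, 0},
    [G_POP_A]       = {POP_A, 0},          [G_POP_A + 1]   = {RET, 0},
    [G_POP_B]       = {POP_B, 0},          [G_POP_B + 1]   = {RET, 0},
    [G_STORE]       = {STORE, 0},          [G_STORE + 1]   = {RET, 0},
    /* load_cartridge: reserve BUF_WORDS on the stack, copy, release, return */
    [LOAD_CART]     = {SUB_SP, BUF_WORDS}, [LOAD_CART + 1] = {COPY_CART, 0},
    [LOAD_CART + 2] = {ADD_SP, BUF_WORDS}, [LOAD_CART + 3] = {RET, 0},
};

enum result { R_HALT, R_FAULT_NOT_ROM, R_FAULT_CART_TOO_LONG, R_FAULT_MEM };
struct outcome { enum result res; uint16_t tally; };

/* Execute from ROM until HALT or a fault. cart[0] is the word count, cart[1..]
 * the payload. While load_cartridge fills its buffer, its saved return address
 * sits at ram[sp + BUF_WORDS], so an overlong cartridge overwrites it and
 * everything above it: exactly the words RET and the POP gadgets will consume. */
static enum result run(uint16_t ram[RAM_SIZE], const uint16_t *cart, int patched)
{
    uint16_t pc = MAIN, sp = STACK_TOP, a = 0, b = 0;
    for (int steps = 0; steps < 1000; steps++) {
        if (pc >= ROM_SIZE) return R_FAULT_NOT_ROM;   /* RAM is data, never code */
        struct insn in = ROM[pc++];
        switch (in.op) {
        case HALT:   return R_HALT;
        case CALL:   if (sp == 0) return R_FAULT_MEM;
                     ram[--sp] = pc; pc = in.arg; break;
        case RET:    if (sp >= RAM_SIZE) return R_FAULT_MEM;
                     pc = ram[sp++]; break;
        case POP_A:  if (sp >= RAM_SIZE) return R_FAULT_MEM;
                     a = ram[sp++]; break;
        case POP_B:  if (sp >= RAM_SIZE) return R_FAULT_MEM;
                     b = ram[sp++]; break;
        case STORE:  if (b >= RAM_SIZE) return R_FAULT_MEM;
                     ram[b] = a; break;
        case SUB_SP: sp -= in.arg; break;
        case ADD_SP: sp += in.arg; break;
        case COPY_CART: {
            uint16_t n = cart[0];
            if (patched && n > BUF_WORDS) return R_FAULT_CART_TOO_LONG; /* the fix */
            for (uint16_t i = 0; i < n && sp + i < RAM_SIZE; i++)
                ram[sp + i] = cart[1 + i];       /* unpatched: no length check */
            break;
        }
        default:     return R_FAULT_MEM;
        }
    }
    return R_FAULT_MEM;
}

/* Cartridge 1: classic code injection. Overwrite the return address with a RAM
 * location; whatever "code" the cartridge put there is never decoded. */
static const uint16_t INJECT_CART[] = { 6, 0, 0, 0, 0, 100, 0 };

/* Cartridge 2: the ROP chain. Only ROM addresses and data: a = 999,
 * b = VOTE_ADDR, ram[b] = a, then return into HALT so the run looks normal. */
static const uint16_t ROP_CART[] = { 10, 0, 0, 0, 0,
                                     G_POP_A, 999, G_POP_B, VOTE_ADDR,
                                     G_STORE, MAIN + 1 };

/* Cartridge 3: a legitimate two-word cartridge that fits the buffer. */
static const uint16_t GOOD_CART[] = { 2, 7, 7 };

/* Fresh machine with 42 votes in the tally; load the cartridge; report. */
static struct outcome load(const uint16_t *cart, int patched)
{
    uint16_t ram[RAM_SIZE];
    memset(ram, 0, sizeof ram);
    ram[VOTE_ADDR] = 42;
    struct outcome o;
    o.res = run(ram, cart, patched);
    o.tally = ram[VOTE_ADDR];
    return o;
}

int main(void)
{
    static const char *names[] = { "halt", "fault: not ROM",
                                   "fault: cartridge too long", "fault: memory" };
    struct outcome o;
    o = load(GOOD_CART, 0);   printf("benign,    unpatched: %s, tally=%u\n", names[o.res], o.tally);
    o = load(INJECT_CART, 0); printf("injection, unpatched: %s, tally=%u\n", names[o.res], o.tally);
    o = load(ROP_CART, 0);    printf("rop,       unpatched: %s, tally=%u\n", names[o.res], o.tally);
    o = load(ROP_CART, 1);    printf("rop,       patched:   %s, tally=%u\n", names[o.res], o.tally);
    return 0;
}
```

The three attack runs are the point. The injection cartridge faults because the only thing the machine will ever execute is ROM. The ROP cartridge finishes with a clean HALT and a rewritten tally without a single new instruction anywhere, which is why a "no injected code" design does not stop it. The patched loader refuses the overlong cartridge: ROP still needs a memory-corruption entry point, and a length check on the copy closes this one. It does not remove the gadgets from ROM, which is the sense in which the article's "same architectural limitations" remark still applies to a machine whose specific bug has been fixed.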
Hard copy voting is the only way to allow for any meaningful audit of the vote - and as we all know that has “issues” as well.
Anybody who seriously believes that electronic voting can be made free of cheating must follow the golden rule of computer fools; Garbage In, Gospel Out.
“He who votes decides nothing. He who counts the votes decides everything.” - Joseph Stalin
Computer security is a moving target (as is security of any kind).
What a creative designer can build a creative crook can hack.
After buying ATMs and the code it was easy after 2 years of hacking. It wouldn't be so easy if he could not recreate the vulnerabilities.
Something is stinking here.
The poster joined 7-20 and is posting this article. WHY.
In a cursory link check of the memlinin deficient one, he apparently spent some time in NZ at what sounded like an anarchist commune.
His fam was involved with some sort of weirda** cult in Aust.
Went to the PDF site and they are talking about all kinds of subjects from elections to senators records on spending.
seems like we have a ring of anarchists getting geared up for a huge cyber-attack.
BTW..If ATM's could be programmed to spit out money, wouldn't we hear about that happening everyday?
All that work just to steal the votes on one single machine? Just how is this supposed to correlate to a nationwide electronic voting catastrophe? Besides that, any decent security precautions will involve tamper-evident seals that the HUMAN BEINGS will verify on election morning, before any machine is placed in service (and yes, I’m biased: I work with electronic voting equipment.)
Cyber security is a real issue. If you think that all we have to worry about is the script kiddie down the street with lots of time on his hands, you are mistaken. People like Barnaby Jack have made careers out of looking into the products that are dumped into the market, and exploring their vulnerabilities, then going back to the manufacturers and showing them how to make their products more secure. Security is a nuisance to most manufacturers ... they want to concentrate on features and benefits and time to market.
An interesting sidenote you can get by reading other articles on this ... Barnaby Jack was supposed to give this talk at this conference last year, but did not ... the manufacturers have had a full year to fix the software.
Yes, but having two ATMs and the software code to go along with them made his job easy to exploit whatever vulnerabilities that are found.
Do you think organized crime does not buy ATMs to try to figure out how to exploit them?
Do you think corrupt political hacks don't have voting machines to figure out how to exploit them?
Who gives a rip HOW ... the point is that he proved it COULD BE DONE.
Let's put it a different way ... if your account was cleaned out by a criminal who learned how to exploit it ... would you be OK if he had just done it by accident? That seems to be what you are alluding to.
Did you know that modern ballistics math was invented by Napoleon's army firing cannon with precise powder and ball weights at different angles? Yes, we have theoretical mathematicians with formulas who can figure it out without firing a single shot now ... but the formulas had to match the statistical data that was acquired. Lots of stuff is “discovered” with brute force methods, then refined into elegant theories later. Your discounting of this ... for any reason ... is incomprehensible. Be glad that someone out there like Barnaby Jack is protecting your interests.
“the voting machine's processor architecture, the Z80. I built my first PC in 1982 and it ran a Z80 chip. Talk about OLD. The machine I built ran a form of DOS (not MSDOS). Put in perspective, there were no cell phones then, there was no public internet, there were no public fiberoptic networks. Modems of that day were analog not digital devices, and as such very limited in speed; all of them used existing twisted pair copper phone lines.”
That’s actually a good thing. Slow, simple.
The code for counting votes is Apple II+ stuff.
Do you think organized crime does not buy ATMs to try to figure out how to exploit them?
The point and only point is that it was not "easy" to do unless you get hold of the source codes and the hardware (ATMs) to recreate the environment to exploit any possible vulnerabilities or uncover bugs in the system. Even that, it took 2 years of hacking according to the article. It's the same way that all software gets fixed. Debuggers have to recreate the circumstances, by understanding the problems, that created the holes by bugs and/or vulnerabilities so they can plug the holes. You read too much into my post.
A former ATM mechanic/service technician in San Antonio devised a way to do this back in the late 80s. He didn’t use a computer, didn’t know how to hack, just had a knack.
He was able to fix up a card where the magnetic code had been adjusted somehow to allow universal entry to the ATM. He’d go to stores and filling stations and empty the ATMs.
He got caught in an unusual way. Since he knew all about the cameras, he always covered the lens, often with shaving cream at an outdoor bank ATM. One time while he was preparing to do his thing a serious accident occurred in the street nearby. He went over and played good samaritan with the injured until the ambulances got there. Then he went back to the ATM but in his rush, he forgot that he hadn’t covered the lens. Soon the FBI was circulating a picture of him in the neighborhoods and he was identified for the reward posted by the banks.
During his incarceration, he was let out of jail to demonstrate to the bank and ATM manufacturers exactly how he did it. I don’t know if this got him a lighter sentence.
If he had left San Antonio to ply his larceny in other towns across the country, he’d probably still be doing it today.
Yeah, some social engineering, a magnetic strip reader, a camera, tape, etcetera could go a long way to do larceny around ATMs. Thankfully, banks have insurance coverage called ‘banker’s blanket bonds’.