Last week the guys over at Matasano did some seriously great work on ATM hacking. So many blogs were running with it at the time, and I was on the road dealing with a family emergency, that I didn’t cover it here, but I think this is such an excellent example of disclosure working that it deserves a mention. It’s also just a cool story.
It all started with a small article in a local newspaper about a strange gas station ATM with a propensity for doling out a bit more cash than perhaps the account holders were expecting. No mere case of spontaneous mechanical altruism, a little investigation of the video surveillance footage showed some strange behavior on the part of a particular customer who entered a tad more digits than necessary on the keypad to make a withdrawal. From then on every $20 withdrawn was marked on the account as $5. The best part of the story, one that affirms my somewhat cynical views on human behavior, was it took nine days before someone finally reported the charitable ATM! I realize it’s possible that an ATM in a small town gas station might go nine days without use, but I kind of doubt it.
When the article first made the rounds most of us were pretty skeptical- small town papers aren’t always known for the most accurate of reporting, especially where technology is concerned. Personally I wrote it off.
But Dave Goldsmith at Matasano decided it deserved a little more digging, and struck the mother lode.
A little more investigation at the ATM manufacturers website showed these things have master passwords. A mere 15 minutes later Dave acquired a manual for the ATM model in question, including default security codes and instructions for configuring the denominations for the cash trays!!! Yep- all the attacker had to do was tell the ATM the $20 tray held $5 (like any ATM carries fivers anymore) and everyone”s withdrawals, as far as the bank is concerned, they got 3x free money.
Dave posted a summary on the Matasano blog and this rapidly made the rounds, including coverage over at Wired. It’s an example of some great security research.
Here’s why it’s also an example of good full disclosure. (Almost, Dave held the location of the manuals secret, but they aren’t hard to find). This problem wasn’t unknown; some ATM manufacturers published advisories to their clients, but I suspect most of them assumed the risk was so low it wasn’t worth the effort to change the password. Thus a small group of criminals could keep up their nefarious activities, whose costs are eventually passed onto us consumers.
By disclosing enough details of the hack that any bad guy with a modicum of technical skills and the ability to run a Google search could take advantage of it, Dave’s actions should eventually force both ATM manufacturers and their clients to increase security. No ostriches allowed here; I suspect within a few months those default master passwords will be on quite a few less ATMs.
In the short term the risk and cost to the financial institutions supporting those ATMs increases, but after the initial shock the overall security of the system will increase.
This isn’t a 0day- the vulnerability was known and patching no harder than having the tech change the password on his next trip to fill the trays. By exposing this flaw to the public, combined with accurate reports of real exploits, Dave helped make us all a little more secure, but cost a few lucky individuals their free money.
(Wait- doesn’t Diebold make ATMs? What a surprise!)