14 Year Olds Hack ATM In Lunch Hour - This is How it Happened

Jun 11 2014, 9:00am CDT | by , in News

Photo Credit: Forbes

Over my morning coffee I saw rumblings on Naked Security's Twitter feed of a couple of teenagers hacking an ATM. Matthew Hewlett and Caleb Turon, two ninth-graders, discovered an old ATM operator's manual online and decided over their lunch hour to give it a go. The two boys nearly got in trouble when returning late to class, but thankfully someone wrote them a note:

Please excuse Mr. Caleb Turon and Matthew Hewlett for being late during their lunch hour due to assisting [Bank of Montreal] with security.

The old manual described a number of the ATM's features, including operator mode (which is exactly what it sounds like). The functionality in operator mode is sensitive (it exposes cash balances, customer charges, transaction counts and so on) and is therefore protected by a password. The two boys decided to give the manual a go and, during their lunch hour, strolled up to a Bank of Montreal ATM. To their surprise they were able to bring up operator mode (despite the age of the manual) and then bashed in the first rubbish six-character password they could think of, which also worked. Default and trivially guessable passwords on privileged interfaces are all too common across the wide range of devices I test; I've even seen one on a system that was a key part of a power grid.
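The operator-mode password was the only control between the public keypad and functions that print cash totals and change surcharges, and a guessable one defeated it on the first try. The following Python is an added example written for this page, not code from the article, Forbes or Bank of Montreal, and it assumes nothing about the real ATM's firmware: it shows the two basic controls whose absence the story illustrates, a policy that refuses default and pattern passwords before one is ever provisioned, and a login gate that locks the prompt after repeated failures and records every attempt. The default list, the placeholder password and the guesses replayed in `demo()` are constructed for illustration.

```python
"""Added example (not code from the article, Forbes or Bank of Montreal): the
two basic controls whose absence let a guessed six-character password open
operator mode on the first try, a password policy that refuses factory-style
defaults and trivial patterns, and a login gate with lockout and an audit
trail.  The default list, the placeholder password and the attempts in demo()
are constructed for illustration; nothing here describes the real ATM."""
import hashlib
import hmac
import os
import time

# Constructed list of generic factory-style credentials, not real ATM defaults.
KNOWN_DEFAULTS = {"123456", "000000", "111111", "654321", "password", "admin1"}
MIN_LENGTH = 10


def weak_password_reasons(pw: str) -> list:
    """Return every policy rule the candidate violates; an empty list means acceptable."""
    reasons = []
    if len(pw) < MIN_LENGTH:
        reasons.append("shorter than %d characters" % MIN_LENGTH)
    if pw.lower() in KNOWN_DEFAULTS:
        reasons.append("matches a known default")
    if len(set(pw)) == 1:
        reasons.append("single repeated character")
    codes = [ord(c) for c in pw]
    steps = {b - a for a, b in zip(codes, codes[1:])}
    if len(pw) >= 4 and steps in ({1}, {-1}):  # 1234..., 6543..., abcd...
        reasons.append("sequential characters")
    if pw.isdigit():
        reasons.append("digits only")
    return reasons


def hash_password(pw: str, salt: bytes = b"") -> tuple:
    """Salted PBKDF2-HMAC-SHA256 so a dumped config does not hand out the password."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)


class OperatorLogin:
    """Operator-mode gate: MAX_FAILURES bad attempts within WINDOW seconds lock the
    prompt for LOCKOUT seconds, and every attempt is written to an audit list."""
    MAX_FAILURES = 3
    WINDOW = 600.0
    LOCKOUT = 900.0

    def __init__(self, password: str, clock=time.monotonic):
        bad = weak_password_reasons(password)
        if bad:  # refuse to provision a password the policy would flag
            raise ValueError("operator password rejected: " + "; ".join(bad))
        self._salt, self._digest = hash_password(password)
        self._clock = clock
        self._failures = []       # timestamps of recent failed attempts
        self._locked_until = 0.0
        self.audit = []           # (time, terminal, event) tuples

    def attempt(self, pw: str, terminal: str) -> str:
        """Return 'ok', 'denied' or 'locked' for one password attempt."""
        now = self._clock()
        if now < self._locked_until:
            self.audit.append((now, terminal, "rejected: prompt locked"))
            return "locked"
        _, candidate = hash_password(pw, self._salt)
        if hmac.compare_digest(candidate, self._digest):  # constant-time compare
            self._failures = []
            self.audit.append((now, terminal, "operator mode entered"))
            return "ok"
        self._failures = [t for t in self._failures if now - t < self.WINDOW] + [now]
        if len(self._failures) >= self.MAX_FAILURES:
            self._locked_until = now + self.LOCKOUT
            self._failures = []
            self.audit.append((now, terminal, "locked after %d failures" % self.MAX_FAILURES))
            return "locked"
        self.audit.append((now, terminal, "bad password"))
        return "denied"


def demo() -> list:
    """Replay the 'try the first rubbish password' approach against the gate, using
    a fake clock so the lockout is deterministic; returns each attempt's outcome."""
    now = [0.0]
    gate = OperatorLogin("Tq7!vR9m#Lz2", clock=lambda: now[0])  # constructed placeholder
    outcomes = []
    for guess in ("123456", "000000", "111111", "Tq7!vR9m#Lz2"):
        now[0] += 5.0
        outcomes.append(gate.attempt(guess, "ATM-demo-01"))
    return outcomes  # ['denied', 'denied', 'locked', 'locked']


if __name__ == "__main__":
    print(weak_password_reasons("123456"))
    print(demo())
```

Two details carry the point. The third bad guess locks the prompt, so even the correct password is refused on the fourth try until the lockout expires, which is the behaviour a lunch-hour guesser would have run into; and the audit list is where the surcharge change and the new welcome message described later would have shown up as privileged actions, so a branch could have noticed before the boys walked in to report it. The 100,000 PBKDF2 iterations are a placeholder cost factor chosen to keep the example fast, not a recommendation for production hardware.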

At this point things could have gone really badly for the two boys, but they made the very sensible decision to go and inform the bank of the security failure. At first the bank did not believe them, so they moved into live-demonstration mode (throughout my career I have had to demonstrate security problems live to make people believe they exist). As the boys described it to the Winnipeg Sun:

We both went back to the ATM and I got into the operator mode again. Then I started printing off documentation like how much money is currently in the machine, how many withdrawals have happened that day, how much it's made off surcharges. Then I found a way to change the surcharge amount, so I changed the surcharge amount to one cent.

The boys also changed the welcome message of the ATM to state "Go away. This ATM has been hacked". A wonderfully creative and flamboyant demonstration that made me a little proud. Note also that the boys did this working with the bank and responsibly disclosed the issue, a move that also makes me happy and hopeful. The bank issued a statement to the Winnipeg Sun:

Customer information and accounts and the contents of the ATM were never at risk and are secure.

This is certainly not the first ATM hack, but the simplicity of it should act as a wake-up call. I've written previously that basic security failures such as weak passwords, simple configuration problems and use of archaic standards leave a surprising number of devices and pieces of critical infrastructure vulnerable. Bank of Montreal certainly is not alone in these issues, and there are undoubtedly other attack vectors that apply to these systems; consider that a surprising number of them still run bizarre bespoke versions of Windows XP. One of my favourite demonstrations of ATM security was by the late Barnaby Jack and is well worth a watch.

I have recently conducted an assessment of a variety of Internet of Things (IoT) devices, including printers, routers, CCTV, webcams, tablets and even plant monitors. These kinds of failures are widespread in the myriad devices that fall outside the traditional definition of a PC. This is a great reminder that we all need to be vigilant and consider security basics, not just the latest sexy headline about a nation-state attack. Congratulations to the two boys for the find and the responsible disclosure; I hope they recognise that they show great promise as future penetration testers, helping the world find and fix more of these failures.

Follow @jameslyne on Twitter.

 

Source: Forbes