14 Year Olds Hack ATM In Lunch Hour - This is How it Happened

Jun 11 2014, 9:00am CDT


Over my morning coffee I saw rumblings on Naked Security’s Twitter feed of a couple of teenagers hacking an ATM. Matthew Hewlett and Caleb Turon, two ninth-graders, discovered an old ATM operator’s manual online and decided over their lunch hour to give it a go. The two boys nearly got in trouble when returning late to class, but thankfully someone wrote them a note:

Please excuse Mr. Caleb Turon and Matthew Hewlett for being late during their lunch hour due to assisting [Bank of Montreal] with security.

The old manual the boys found described a number of features of the ATM, including the operator mode (which is exactly what it sounds like). Of course, the functionality in operator mode is sensitive (it exposes cash balances, customer charges, transactions, etc.) and is therefore protected by a password. The two boys decided to give the manual a go and so during their lunch hour strolled up to a Bank of Montreal ATM. To their surprise they were able to unlock operator mode (despite the age of the manual) and then bashed in the first rubbish 6 character password they could think of, which also worked. Such failures are all too common occurrences with a wealth of different devices I test – I’ve even seen it on a system that was a key part of a power grid.

At this point things could have gone really badly for the two boys, but they made the very sensible decision to go and inform the bank of the security failure. At first the bank did not believe the two boys, so they moved into live demonstration mode (throughout my career I have had to demonstrate security problems with live demonstrations to make people believe they exist). As the boys described it to the Winnipeg Sun:

We both went back to the ATM and I got into the operator mode again. Then I started printing off documentation like how much money is currently in the machine, how many withdrawals have happened that day, how much it’s made off surcharges. Then I found a way to change the surcharge amount, so I changed the surcharge amount to one cent.

The boys also changed the welcome message of the ATM to state “Go away. This ATM has been hacked”. A wonderfully creative and flamboyant demonstration that made me a little proud. Also note that these boys did this working with the bank and responsibly disclosed the issue – a move that also makes me happy and hopeful. The bank issued a statement to the Winnipeg Sun:

Customer information and accounts and the contents of the ATM were never at risk and are secure.

This is certainly not the first ATM hack, but the simplicity of it should act as a wake-up call. I’ve written previously that basic security failures such as weak passwords, simple configuration problems and use of archaic standards leave a surprising number of devices and critical infrastructure vulnerable. Bank of Montreal certainly is not alone in these issues and there are undoubtedly other attack vectors that apply to these systems – consider that a surprising number of them still run bizarre bespoke versions of Windows XP. One of my favourite demonstrations of ATM security was by the late Barnaby Jack and is well worth a watch:

I have recently conducted an assessment of a variety of Internet of Things (IoT) devices including printers, routers, CCTV, webcams, tablets and even plant monitors. These kinds of failures are widespread in the myriad of devices that fall outside the traditional definition of a PC. This is a great reminder that we all need to be vigilant and consider security basics, not just the latest sexy headline about a nation state attack. Congratulations to the two boys for the find and the responsible disclosure, and I hope they recognise that they show great promise to be future penetration testers helping the world find and fix more of these failures.

Follow @jameslyne on Twitter.

Forbes