14 Year Olds Hack ATM In Lunch Hour - This Is How It Happened

Posted: Jun 11 2014, 9:00am CDT | in News

Photo Credit: Forbes

Over my morning coffee I saw rumblings on Naked Security’s Twitter feed of a couple of teenagers hacking an ATM. Matthew Hewlett and Caleb Turon, two ninth-graders, discovered an old ATM operators manual online and decided over their lunch hour to give it a go. The two boys nearly got in trouble when returning late to class but thankfully someone wrote them a note:

Please excuse Mr. Caleb Turon and Matthew Hewlett for being late during their lunch hour due to assisting [Bank of Montreal] with security.

The old manual the boys found described a number of features of the ATM, including the operator mode (which is exactly what it sounds like). Of course, the functionality in operator mode is sensitive (it exposes cash balances, customer charges, transactions etc.) and is therefore protected by a password. The two boys decided to give the manual a go, and so during their lunch hour strolled up to a Bank of Montreal ATM. To their surprise they were able to unlock operator mode (despite the age of the manual) and then bashed in the first rubbish 6 character password they could think of, which also worked. Such failures are all too common across the wealth of different devices I test; I’ve even seen it on a system that was a key part of a power grid.

At this point things could have gone really badly for the two boys, but they made the very sensible decision to go and inform the bank of the security failure. At first the bank did not believe the two boys, so they moved into live demonstration mode (throughout my career I have had to demonstrate security problems live to make people believe they exist). As the boys described it to the Winnipeg Sun:

We both went back to the ATM and I got into the operator mode again. Then I started printing off documentation like how much money is currently in the machine, how many withdrawals have happened that day, how much it’s made off surcharges. Then I found a way to change the surcharge amount, so I changed the surcharge amount to one cent.

The boys also changed the welcome message of the ATM to state “Go away. This ATM has been hacked”. It was a wonderfully creative and flamboyant demonstration that made me a little proud. Also note that the boys did this working with the bank and responsibly disclosed the issue, a move that also makes me happy and hopeful. The bank issued a statement to the Winnipeg Sun:

Customer information and accounts and the contents of the ATM were never at risk and are secure.

This is certainly not the first ATM hack, but the simplicity of it should act as a wake-up call. I’ve written previously that basic security failures such as weak passwords, simple configuration problems and use of archaic standards leave a surprising number of devices and critical infrastructure vulnerable. Bank of Montreal certainly is not alone in these issues, and there are undoubtedly other attack vectors that apply to these systems; consider that a surprising number of them still run bizarre bespoke versions of Windows XP. One of my favourite demonstrations of ATM security was by the late Barnaby Jack and is well worth a watch:

I have recently conducted an assessment of a variety of Internet of Things (IoT) devices including printers, routers, CCTV, webcams, tablets and even plant monitors. These kinds of failures are widespread in the myriad devices that fall outside the traditional definition of a PC. This is a great reminder that we all need to be vigilant and consider security basics, not just the latest sexy headline about a nation state attack. Congratulations to the two boys for the find and the responsible disclosure; I hope they recognise that they show great promise as future penetration testers, helping the world find and fix more of these failures.
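The two failure classes the preceding paragraphs keep returning to, weak or default operator passwords and unsupported operating systems, are exactly the things a defender can check mechanically across a device fleet. The following is an added example of such a configuration audit; it is not code from the article, from Bank of Montreal, or from any ATM or IoT vendor. The device inventory, the list of default passwords and the minimum-length policy are all constructed assumptions for the demonstration; the Windows end-of-support dates are Microsoft's published lifecycle dates.

```python
"""Fleet audit for two basic failures: weak/default operator passwords and
end-of-life operating systems on embedded devices (ATMs, printers, cameras).

Added example, not the article's or any vendor's code. The inventory,
default-password list and 8-character minimum are constructed assumptions.
"""
from __future__ import annotations

from datetime import date
from typing import Dict, List

# Assumed denylist of vendor-default / commonly chosen operator passwords.
DEFAULT_PASSWORDS = {"000000", "123456", "111111", "password", "admin", "operator"}

# Microsoft's published end-of-extended-support dates for the listed versions.
END_OF_SUPPORT = {
    "Windows XP": date(2014, 4, 8),
    "Windows 7": date(2020, 1, 14),
}

MIN_LENGTH = 8  # assumed policy minimum for an operator password

# Constructed sample inventory (ids, OS strings and passwords are made up).
INVENTORY = [
    {"id": "atm-001", "os": "Windows XP", "operator_password": "123456"},
    {"id": "printer-12", "os": "Linux 3.4", "operator_password": "admin"},
    {"id": "cam-07", "os": "Linux 4.9", "operator_password": "s7!Qv-pR92xL"},
]


def password_weaknesses(pw: str) -> List[str]:
    """Return every reason a password fails the assumed minimum policy."""
    findings: List[str] = []
    if pw.lower() in DEFAULT_PASSWORDS:
        findings.append("matches a known default/common password")
    if len(pw) < MIN_LENGTH:
        findings.append(f"shorter than {MIN_LENGTH} characters")
    if len(set(pw)) == 1:
        findings.append("single repeated character")
    if pw.isdigit():
        # Keypad-only devices invite purely numeric codes; flag the obvious runs.
        if pw in "0123456789" or pw in "9876543210":
            findings.append("sequential digits")
        findings.append("digits only (keypad-guessable)")
    return findings


def audit_device(device: dict, today: date) -> List[str]:
    """Return the findings for one device: password policy plus OS lifecycle."""
    findings = [
        f"operator password {w}" for w in password_weaknesses(device["operator_password"])
    ]
    eol = END_OF_SUPPORT.get(device["os"])
    if eol is not None and today > eol:
        findings.append(f"{device['os']} reached end of support on {eol.isoformat()}")
    return findings


def audit_inventory(devices: List[dict], today: date) -> Dict[str, List[str]]:
    """Map device id -> findings, including only devices with at least one finding."""
    report: Dict[str, List[str]] = {}
    for device in devices:
        findings = audit_device(device, today)
        if findings:
            report[device["id"]] = findings
    return report


if __name__ == "__main__":
    # Audit as of the article's publication date.
    for device_id, findings in audit_inventory(INVENTORY, date(2014, 6, 11)).items():
        print(device_id)
        for finding in findings:
            print("  -", finding)
```

Run against the constructed inventory, the ATM is flagged for a default, short, all-digit, sequential password and for running an OS past its support date; the printer is flagged for the default password only; the camera produces no findings. The point is not the specific rules but that a check like this can be rerun on every change so that the first rubbish six-digit code somebody types in never becomes the production operator password.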

Follow @jameslyne on Twitter.








