Two 14-year-old Canadian boys almost got into trouble last Wednesday, but somebody wrote them a nice note explaining that they were late getting back from lunch because they had hacked the bejeezus out of an ATM.
The note began thusly:
Please excuse Mr. Caleb Turon and Matthew Hewlett for being late during their lunch hour due to assisting [Bank of Montreal] with security.
According to the Winnipeg Sun, the two ninth-graders came across an old ATM operators manual online that showed how to get into the machine’s operator mode.
So on Wednesday, over their lunch hour, they thought they’d give it a go.
They went to the Bank of Montreal’s (BMO’s) ATM at the Safeway on Grant Avenue in Winnipeg. Much to their surprise, the dusty old manual’s instructions worked.
When the ATM asked for a password, they plugged in the first lame-o, six-character groaner of a bad password that popped into their heads.
That worked, too.
Much to the boys’ white-hat credit, they then marched right over to a nearby bank branch to let them know.
Staff’s response: no way.
Boys’ response: yes, way.
And then, they proved it.
Here’s how, as Hewlett described it to the Winnipeg Sun:
We both went back to the ATM and I got into the operator mode again. Then I started printing off documentation like how much money is currently in the machine, how many withdrawals have happened that day, how much it's made off surcharges.
Then I found a way to change the surcharge amount, so I changed the surcharge amount to one cent.
Then, just for fun, and, well, for the sake of accuracy, Hewlett changed the ATM’s greeting from “Welcome to the BMO ATM” to “Go away. This ATM has been hacked.”
They printed out six documents for BMO, and this time, staff took them seriously.
BMO sent an email statement on Friday in which Ralph Marranca, director of media relations, said the bank was aware of the incident and had taken steps that block unauthorized access.
From the statement sent to the Winnipeg Sun:
Customer information and accounts and the contents of the ATM were never at risk and are secure.
What’s the takeaway? To keep manuals under lock and key, most assuredly, for one.
And o, by the way, surely there shouldn’t be any way for anyone to access anything other than the public-facing functionality through the public facing terminal?
Naked Security has written scads of “DON’T HARDWIRE PASSWORDS!” and “DON’T INCLUDE BACKDOORS!” stories.
If the 14-year-olds’ attack was based on magic sequences that shouldn’t be publicly available, that’s the same sort of failing.
This isn’t the first time that hardwired passwords and backdoors have let attackers into the juicy guts of an ATM, mind you.
As this clip (YouTube video) shows, some guy (who presumably got away with it!) in the US state of Virginia punched in a secret code that told the ATM that its stack of $20 bills were actually $5 bills.
He went on a profitable little spree, asking for multiple $250 withdrawals that each netted him $1,000, according to CNN.
What reason is there to have a magical sequence that let him do that?
Then too, the late, great firmware hacker Barnaby Jack famously concocted his “Jackpot” program, which goaded two ATMs into spitting out money on demand – as well as snitching sensitive data off of people’s bank cards – on stage at the 2010 Black Hat conference.
Jack had a couple ways to, ahem, avoid transaction fees. One was with a homemade rootkit that let him override the machines’ firmware.
He dialed up the machines – at the time, he said that he believed a large number of ATMs have remote management tools that can be accessed over a phone – and then launched the attack.
Again, what reason is there to have a backdoor like that without securing it?
Hardwired passwords, of course, unto themselves constitute a whole category of “O, no, you didn’t!”
Here are just a few places where they’ve have been found lurking like so many cyber cockroaches:
- Inside the horrifically hacked Target, where a shabbily coded service process with a hardwired password conveniently let crooks move data around once they were inside the network.
- Internet-enabled cameras with the two-character password *? used as a hardwired backdoor password to the camera’s real-time video stream.
- D-Link routers with a hardwired master key that lets anyone in through an unsupervised back door.
- A hard-wired Bluetooth pairing PIN (the default password being, duh, 0000) in an Android app used to control a toilet. As Trustwave researchers gravely warned at the time, the backdoor would allow an attacker to cause all sorts of flushing mayhem, to trigger lids to snap closed on people where the sun don’t shine, or to flip on spontaneous bidet or air-dry functions.
We’ll say it again: don’t hardwire passwords. Don’t leave open unsecured backdoors.
As researchers have made clear, you never know what’s going to come through and bite you on the bum.