Ever watched a Whirlpool washing machine explode after bouncing around the back yard for 3:42 minutes, a chunk of heavy metal ripping it to shreds from the inside out?
There’s a hacker responsible for this appliance torture, which he’s now expanded to include rigging an ATM so you can play Doom on it (this involves less trauma than the washing machine, in that the ATM survives).
He says this about what he calls his engineering/scrap metal recycling work:
I have a Tenancy to Destroy that which is not useful or repairable, or simply disobeys me. so be sure to watch my motor/appliance destruction videos if you are into stress testing things to the MAX! [sic]
Over the weekend, Aussie50 posted a YouTube video showing off an ATM with its guts exposed, its original PIN pad turned into an arcade controller, the side panel used to select weapons.
Its screen now eschews balances and transfers in favor of the familiar sight of a hand wrapped around a gun, going around dark corners and blasting stuff.
Were you aware that ATMs – at least the NCR Personas ATM model Aussie50 and his software/wiring/logic partner Julian picked up – have a stereo soundboard in the back?
Aussie50 now knows that.
Sound system aside, questions abound.
For one, can we play with it?
That might be on the cards: Aussie50 said in the YouTube comments that he’s mulling getting a coin mechanism to install below the card reader.
But more security-focused is the question of where the hardware reconfiguration artist got this ATM.
Did he pick it up on eBay?
Also, should we worry about malicious hackers getting their hands on ATMs and rigging them so as to swindle funds?
The answer, of course, is that they’ve already figured that stuff out.
Recent examples of attackers getting into the juicy guts of publicly accessible ATMs abound.
One memorable incident, from June, involved two Canadian 14-year-olds who came across an old ATM operators manual online, used its instructions to get into the machine’s operator mode, broke into a local market’s bank ATM on their school lunch break, printed off documentation regarding how much money was inside and how many withdrawals had been made that day, and changed the surcharge amount to one cent.
In the case of that daring duo, I was initially blindsided by the fact that they were precocious tots who reported it to the bank without attempting to profit off their new-found knowledge.
They could have wound up in a world of trouble, and/or they could have broken the system they were playing with.
For example, as Naked Security’s Paul Ducklin pointed out, the kids could have unwittingly triggered a mechanical test sequence that resulted in it spitting out banknotes, which would have left them in the tricky position of having turned into bank robbers.
Given that Aussie50’s hobby involves scrap metal recycling, we’ll assume that he legally procured his ATM of Doom – therefore, he didn’t need prior authorization to access somebody else’s ATM’s computer system (and innards!).
Otherwise, if he were playing with somebody else’s hardware, one would hope he’d get the go-ahead from the owner(s) of the system he targeted.
That’s how so-called “white-hat” hackers do it, Paul pointed out:
True "white hat" penetration testers don't take the first step without making sure that the scope of their work is known and condoned in writing by their customer. (They don't call it the "get out of jail free" letter for nothing.)
Images from Aussie50’s video on YouTube.