Onstage at the Black Hat Security Conference in Las Vegas, a hacker forced two Windows CE-based ATMs to spew cash -- but the attack reportedly came via the devices' firmware, not their Microsoft operating systems. Meanwhile, Microsoft used the event to announce a collaboration with Adobe regarding security, plus a free tool known as the Enhanced Mitigation Experience Toolkit (EMET).

As reported by the Associated Press and Forbes, among others, the attack compromising two Windows CE ATMs was to have taken place at last year's Black Hat conference, but was postponed so that unnamed device manufacturers could fix the flaws in their systems. The exploit by security researcher Barnaby Jack (pictured below) is said to have involved standalone ATMs as found in convenience stores and bars, rather than the larger models employed by banks.


Researcher Barnaby Jack forced ATMs to spew cash
Source: Forbes
(Click to enlarge)

In order to develop his attacks, Jack purchased two of the ATMs via eBay, opened them up, and discovered that it was possible to "upgrade" their firmware at will via a USB drive. As it turned out, physical access was easy, since a key provided for one ATM by its manufacturer provided to open up all others of the same model, Jack is said to have discovered.

Jack, now director of security testing for Seattle-based IOActive Inc, reportedly attached a debugger to the ATMs' motherboards, then used the information gained to develop his own firmware for the devices that allowed him to take control. "You can walk up and within two seconds you can dump money onto the floor," Jack was quoted as saying by Forbes.

Jack is also said to have demonstrated a potentially more dangerous remote attack, which relies on compromising ATM management tools that can be accessed using a telephone. Fewer details were provided about this exploit, but Jack reportedly said criminals could locate vulnerable ATMs by using "war dialing" software to call hundreds of thousands of phone numbers."

"It's time to give these devices an overhaul," Jack was quoted as saying by Computerworld. "Companies who manufacture the devices aren't Microsoft. They haven't had 10 years of continual attacks against them."

In a pre-event interview with Forbes, Jack is said to have added, "Every ATM I've looked at, I've compromised. [But] there's only so many ATMs you can fit in your apartment before your girlfriend gets mad that they don't go with the furniture."

While the identities of the targeted ATMs were concealed on state, Jack disclosed their manufacturers to reporters after his talk, according to Forbes. Triton -- targeted with a firmware "upgrade" -- is said to have responded by ensuring that its devices require digital signatures to be included in any new firmware. Tranax, meanwhile, is said to have disabled remote access to its ATMs.

New Microsoft initiatives

Perhaps breathing more easily knowing that Jack's successful attacks on ATMs weren't related to Windows, Microsoft used the Black Hat Security Conference to announce two new security initiatives.

Microsoft's Enhanced Mitigation Experience Toolkit

One of these is a tool known as the Enhanced Mitigation Experience Toolkit (EMET), a Windows program (above) that provides protection for older applications that cannot be recompiled to enhance their security. According to Microsoft, EMET version 2 will be released next month, and offers the following security mitigation technologies:

• Dynamic Data Execution Prevention (DEP) -- DEP has been available since Windows XP, but doesn't allow apps to be opted in unless they were complied with a special flag. EMET allows applications compiled without that flag to also be protected.
  
  
• Structure Exception Handler Overwrite Protection (SEHOP) -- SEHOP protects against the most common technique for exploiting stack overflows in Windows. This mitigation has shipped with Windows since Vista SP1, and Windows 7 allows the ability to turn it on and off per process. EMET provides the Windows 7 capabilities on any platform back though Windows XP.
  
  
• Heap Spray Allocation -- When an exploit runs, it often cannot be sure of the address where its shellcode resides and must make a case when taking control of the instruction pointer. To increase the odds of success, most exploits now use heapspray techniques to place copies of their shellcode at as many memory locations as possible. This mitigation blocks the use of addresses most common in today’s exploits.
  
  
• Null Page Allocation -- This is similar technology to the heap spray allocation, but designed to prevent potential null dereference issues in usermode. Currently there are no known ways to exploit them and thus this is a defense in depth mitigation technology.
  
  
• Export Address Table Access Filtering -- This mitigation is designed to break nearly all shell code in use today. Before a piece of shellcode can do anything useful, it generally has to locate Windows APIs first. This mitigation blocks a common current technique shellcode uses to do this.
  
  
• Mandatory Address Space Layout Randomization (ASLR) -- ASLR randomizes the addresses where modules are loaded to help prevent an attacker from leveraging data at predictable locations. The problem with this is that all modules have to use a compile time flag to opt into this. EMET forces modules to be loaded at randomized addresses for a target process, regardless of the flags it was compiled with.

Microsoft's second security iniative is an extension of its ongoing Microsoft Active Protections Program (MAPP). In fall 2010, Adobe will join Microsoft and share its vulnerability information with the 65 global MAPP members, offering advanced protections to hundreds of millions of people.

Mike Reavey, director of the Microsoft Security Response Center at Microsoft, stated, "Microsoft acknowledges that the constantly changing threat landscape requires a new approach to security -- collaboration and shared responsibility are key as past individual efforts are no longer enough. We’re excited about extending the benefits of MAPP to Adobe users as we’ve seen clear evidence of its impact in advancing customer protections."

Further information

Reports on Barnaby Jack's successful attacks on ATMs may be found on the Forbes website, here, Computerworld site, here, and in an Associated Press story, here.

More information on Microsoft's Enhanced Mitigation Experience Toolkit may be found on the company's website, here and here.

More information on the Microsoft Active Protections Program may be found on the company's website, here. Further coverage of the new Microsoft-Adobe partnership may be found on the eWEEK website, here.

---

Related stories:

• Bootable USB stick includes encrypted Windows Embedded OS
• Microsoft provides security updates
• Windows Embedded Standard gets security update

Discuss Security conference features ATM hacks, security fixes   >>> Be the FIRST to comment on this article!

>>> More News Articles          >>> More By Jonathan Angel