Some Windows CE-based ATMs especially generous (and vulnerable to hackers)
By Joseph L. Flatley 
posted July 29th 2010 12:02PM
posted July 29th 2010 12:02PM
Speaking at the Black Hat conference in Las Vegas, a fellow named Barnaby Jack (really!) used custom software to hack Windows CE-based ATMs on stage. After using an industry standard key to gain entry to the machines (apparently many ATM owners are too lazy to install new locks) Jack was able to load a rootkit on the device using a USB thumb drive. From that point, it was just a matter of running another program that caused all the cash therein to shoot out in a comical manner. The machines used in the presentation were manufactured by Trannax and Triton, both of which have have had a chance to send a security patch to customers prior to the demonstration. However, there are four different machines in common use that are still vulnerable. And no, he won't tell us which ones.
that sucks
@Nanosman1994 Au contraire - it blows (money)!
@Nanosman1994
He already has the key to the ATM so why doesn't he just reach in and grab the money? Am I missing something?
@Nanosman1994 It does, but pretty much no computing device is secure once you have physical access to the hardware.
If they were doing this just from the normal entry keypad, that's a whole other thing. No real story here.
@Nanosman1994 because on these machines there is an outer door which covers an internal safe. It's just a flimsy plastic door on the machine we have at work. But once you open that door you can pull the screen forward where all the computery bits sit.
@Nanosman1994
This is totally bogus. Seriously, it's like blaming Microsoft for the oil spill in the Gulf because BP's IT department can't keep a critical computer running.
This is dumb. When you buy a house you change the locks because you don't know who has keys. Who wouldn't think to do that on an ATM?
@Unimpressed The money is in a vault, not necessarily where the PC core is. Some ATMs actually have the cores in the vaults, but it makes it more of a pain for servicers as there is a whole different level of security concern when you have to open the vault door and expose the cash vs just doing some work on dispensers, printers, or the PC.
@Nanosman1994
The fact that those 2 companies have issued the patch and not Microsoft, proves that the bug has been in the ATM application and not the windows CE.
And I am seek of anti-microsoft applism propagenda on engadget.
@Nanosman1994
I'ld rather ship the whole ATM to my yard and use a sledge hammer.
Direct!
@wmac Oh you are so patient
@wmac WTF..... Why do you have to drag Apple into this? Nobody has mentioned Apple (yet). I am pissed off at the unnecessary flame baiting.
@JojoMojo
You should be pissed at yourself for the trolling.
@James How so? Why do we have to bring up Apple in a completely unrelated article? Hatred is fried your brain, my dear.
@JojoMojo
Check your recent comments youre a troll or at the very least your are in love with feeding trolls and starting arguments. I didnt even notice he said anything about apple until you pointed it out trying to get people to bash on apple or microsoft.
Windows bleeding money? is that even possible?? lol
@serge
It may be an irrational anger, but I get pissed off every time the Bank of America ATM WindowsChimes at me. DING. DING. DING. DING.
For one, I hate the idea that the ATM is running Windows (and made by Diebold, no less!) I just don't have a ton of faith in that combination.
But damn, man! Don't DING at me to take my money/card/receipt until you actually PRODUCE said items for the taking.
A friend of mine is/was at that conference. I'll have to ask him about this.
And I thought these types of things were only possible in the movies.
@Bud92
Remember the good 'ol days when you had to shove a credit card attached to a long IDE cable attached to a big black box that cycled through pin numbers, locking each one in succession as it discovered the correct digit, while your cyborg warrior body gaurd from the future watched your....oh wait.....
@WUSS smoking cigs and checking out honeys at the galleria? Those were the best
@WUSS
EASY MONEY
It's imperative that I figure out how to do this...
@Joseph9307
I once saw on the tv that they could change the money taken from the machine. They hacked the $10 an $20 case in the machine, so when you withdraw $10 it gives you $20, but if someone else takes $20 then all he/she gets is $10 ;) .
Asshole Took My $!
@squaremon It's okay, your bank is FDIC insured! (wtf does that even mean)
@WUSS
funny dude in corduroy
I feel like some dismantling would be required to plug in a usb device. Surely someone would catch the guy during that time.
@dschu012 Ignore that comment. I see he used a key.
If ever we needed a video walk-thru, this is it!! I would have been funny seeing the money shoot out.
@iPhone 4 I think you should be more worried about your antenna than this
@arash There is no problem. It is clearly marked where you are not suppose to touch.
Windows CE also let the dreamcast play burnt games which took Sega out of the console business an let the xbox evolve. Then microsft copied the dreamcast to the max. Just ranting that's all lol.
@niZmo
fake Donald Melanson says: Actually, the Utopia bootdisc exploit was due to the Katana SDK, not the Windows CE SDK.
@niZmo It's true that the Dreamcast was WinCE compatible but that had nothing to do with playing burnt games. Hell, most games didn't even use it; it was only used in low-performance games like Chu Chu Rocket. The reason that Dreamcast piracy was so easy and widespread was because the system had no copy protection other than the GD-ROM disk format.
Windows CE. It only prints money!
If only he didn't tell anyone that you can hack an ATM and just go to ATMs taking out cash.
In China, fake ATM are everywhere in the street.
@techlord
thats a scary thought ... how do people tell the difference?
@darthgault
http://timesofindia.indiatimes.com/articleshow/6084112.cms
@pple is poo Yes, but they tell you it is Authentic, Real China...
@pple is poo Real China has long been replaced by the new fake China. In all seriousness though on the one hand it's kind of sad that I'll never be able to visit the China of old with it's ancient houses, structure, and history oozing from every crevice.
On the other hand the new megacities are pretty mindblowing, if horribly choked with pollution. Just bring a mask!
Windows CE on ATM's who's the idiot who made this decision?
This PR from 2007 sheds some light on it...
"Triton describes the RL2000 as a compact, affordable, off-premise ATM with more functionality than most low-cost machines. Additionally, the device is said to be the company's most flexible ATM to date.
The RL2000's configuration, which includes an embedded PC-based platform, Microsoft Windows CE 5.0 operating system, and Triton's proprietary "X2 technology," makes the device both reliable and convenient, the company said.
Available with a "level 1 vault option" (700 lbs. "24-hour safes"), and coming with optional backlit, mid- or high-topper graphic signs for improved visibility and increased transaction volume, the RL2000 is expandable to meet future compliance and application needs, according to the company. In addition, the RL2000 has a large storage capacity for transaction journaling and comes with an optional 8-inch VGA color display for advertising and screen-customizing capabilities.
Triton, one of the largest ATM manufacturers in the world, claims to have been the first to bring Windows CE to the ATM market.
The RL2000 is expected to reach market in 2007. Pricing was not disclosed."
@Boyo
Window CE obviously have a critical security flaw but you also need to ask who are the idiots that keep a generic key on their ATMs.
@Boyo I'm going to go on a limb (a short one) and say you've never worked with embedded operating systems before. It'll just be easier to say that it was the software running on top of CE that got hacked, not the operating system.
@AndrewNeo You are incorrect in your assumption.
@Boyo More full featured ATMs use mostly XP these days. Previously they ran OS2. Think large bank ATMs vs what you find in convenient stores.
It's only the lower end hardware that runs embedded stuff.
@Boyo
considering Windows CE 5.0 hit EOL 5 years ago, I hardly think Microsoft has any responsibility in this.
@Boyo
Sir, you have not idea.
The problem is that Windows CE have active the function of autorun by default.
Disabling the autorun feature is enough to keep the system safe. So, it is responsibility of the manufacturer to do a proper configuration.
if you have a key to open up the machine, why can't you just take the money by hand?
Isn't it akin to breaking in through a window in a house to unlock the front door?
@bartnd Just a guess, maybe the cash isn't stored where any technician doing maintenance can simply take it.