Fast Company

Hackapalooza: ATM Spews Cash, Android App Swipes User Data, Digital Game Badges Battle

Black Hat

News from this year's Black Hat conference is already hitting the wires, but here are a few extra gems for you, all about hacking ATMs and how Apple's closed-door App Store now seems a really neat idea after a malicious Android app has struck.

Cash Waterfall

The efforts of a researcher dubbed Barnaby Jack to demonstrate an ATM hack deserve particular attention, since Jack actually "performed" the hack live on stage at Black Hat, on two different ATM types, no less. It was actually due to be performed last year, but it's such a contentious issue that an ATM manufacturer objected enough to raise the matter with Jack's then-employer. This year, working for a different firm, he was free to show exactly how easy the hack was.

And it's shockingly easy, it would seem: No theatrics with stolen fork-lift trucks or backhoes to snatch ATMs out of glass store frontages are needed. All you do is bust into the ATM's chassis with a low-security universal key, locate the USB port that's typically used to service the machine, shove in a USB data key loaded with the rootkit hacking code, and watch the money spew forth. Obviously the magical hacking trickery is in the details of this code, but the hack works on Windows CE-based hardware, so there must be millions of snippets of sample code strewn around the darker corners of the Internet, thanks to Windows' long history of use.

Apparently Windows CE machines on ARM or XScale chipsets are vulnerable, and once in, the hacker can do pretty much anything (the ATM's core is just a PC after all), like showing movies or, in Jack's case, scrolling the word "Jackpot!" as the device throws money out.

How can ATM makers react? By slapping damn big locks on the metal chassis for a start. The particular makers affected by Jack's hack are probably already secure, since in the best habits of a community-minded hacker he alerted them to the details before demonstrating how.

Android Attack

Mobile security firm Lookout also has bad hacking news, but this time it's too late to take protective action: A malicious Android app, that was supposedly an innocuous screen wallpaper app giving users cutesy photos, was actually a sophisticated cover. The real purpose of the app from Jackeey Wallpaper wasn't to plaster your Android phone with Star Wars backdrops, but to sniff out your private data. This is stuff like your browsing history, SMSs, and even really personal stuff like your voicemail password. All the data was then surreptitiously fired off to a site in China to be used for who-knows-what nefarious purposes.

Advice for anyone who thinks they may be affected is probably to keep an eye on your phone bills, change all your passwords, and keep your Android version fresh. But this advice needs to be broadcast pretty widely: Lookout thinks that the app was downloaded anywhere between 1.1 million and 4.6 million times (the figure is rough as Android doesn't report exact data like this).

Malicious apps like this are actually fairly easy to get onto the Android platform, due to its open submissions policy, and though Google can do a good job of policing them after they've hit, it's obvious from this example that millions of people can be affected in the interim. Such sneakery is also possible on the Apple iPhone, but due to Apple's strict app approval policy, and the overall closed-door format of the iPhone in terms of code, it's much less likely to occur. Score one for Apple against the Android army!

Battling Badges

Apart from these serious bits of news, there's other, more positive stuff coming out of the hacker world, like the sneak peek of the DefCon 18 Ninja Party Badge. If its title befuddles you, then don't worry--it's a befuddling notion right from the get-go. The idea is that attendees of the Ninja Networks parties would be given a free lapel badge that's actually a sophisticated little mini-sized Android-powered computer, complete with LCD display. The circuitry carried a game that lets players wirelessly "fight" with other badge-holders, earning experience points as they do. The gizmos also interact with other pre-installed devices at the venue, giving the game a location-based angle, and there are reward lights that mimic the colors used for items in the online multiplayer-game World of Warcraft.

Why's this curio exciting, other than for the people attending the event? Because it's actually very sophisticated, was cooked up pretty quickly, and it gives a good indication of one direction for the future of computer gaming: As a hardware/software mashup that combines multiple play elements, including clever location-based stuff. The devices you use will probably be your smartphones, rather than dedicated hardware, but the overall gaming experience will be the same. It sounds like geeky fun.

To keep up with this news, follow me, Kit Eaton, on Twitter.

2 Comments

  • BobbyWong

    Kit, your "Android Attack" is inaccurate:

    - Jacky Wu's wallpaper app never stole anything; device info collected with user approval is for personalization
    - Venture Beat has since retracted their misreporting
    - Google has cleared the app as safe and reinstated it

    This story was overblown from the get go, predicated on some rather racist "China FUD". Ask yourself this, are all servers in China inherently evil?