上周,在美國(guó)拉斯韋加斯舉行的電腦安全專業(yè)大會(huì)“黑帽大會(huì)”上,一位計(jì)算機(jī)黑客向觀眾展示了不用銀行卡就能讓ATM機(jī)瘋狂吐鈔的“絕技”�,讓現(xiàn)場(chǎng)觀眾看得目瞪口呆。這位黑客名叫杰克���,其實(shí)是一位資深的計(jì)算機(jī)安全研究人員,他花了兩年的時(shí)間研究各種獨(dú)立ATM機(jī)���,并找到了這些設(shè)備的漏洞��。他發(fā)現(xiàn)同一廠商制造的同一型號(hào)ATM機(jī)使用的鑰匙都是一樣的����,他在展示時(shí)用鑰匙打開一臺(tái)ATM里含有標(biāo)準(zhǔn)USB裝置的部件,插入他自己寫的破解程序���,然后順利操控ATM電腦��,讓機(jī)器自己吐出鈔票��。杰克展示的另一種攻擊方式則更具威脅性����,他是通過網(wǎng)絡(luò)對(duì)ATM系統(tǒng)進(jìn)行遠(yuǎn)程操控���,利用ATM廠商與ATM機(jī)網(wǎng)絡(luò)連接中的漏洞入侵ATM機(jī)的電腦系統(tǒng)��,不用任何密碼便能自如操控ATM機(jī)����。杰克在會(huì)上沒有深入說明入侵ATM方法的具體操作細(xì)節(jié)�,以及涉及的ATM廠商。他強(qiáng)調(diào),他“不是在教大家破解ATM機(jī) ”�����,而是要讓ATM廠商提高警覺����。
 |
|
A hacker has discovered a way to force ATMs to disgorge their cash by hijacking the computers inside them.
|
A hacker has discovered a way to force ATMs to disgorge their cash by hijacking the computers inside them.
The attacks demonstrated Wednesday targeted standalone ATMs. But they could potentially be used against the ATMs operated by mainstream banks.
Computer hacker Barnaby Jack spent two years tinkering in his Silicon Valley apartment with ATMs he bought online. These were standalone machines, the type seen in front of convenience stores, rather than the ones in bank branches.
His goal was to find ways to take control of ATMs by exploiting weaknesses in the computers that run the machines.
He showed off his results here at the Black Hat conference, an annual gathering devoted to exposing the latest computer-security vulnerabilities.
His attacks have wide implications because they affect multiple types of ATMs and exploit weaknesses in software and security measures that are used throughout the industry.
Jack, who works as director of security research for Seattle-based IOActive Inc, showed in a theatrical demonstration two ways he can get ATMs to spit out money:
- He found that the physical keys that came with his machines were the same for all ATMs of that type made by that manufacturer. He figured this out by ordering three ATMs from different manufacturers for a few thousand dollars each. Then he compared the keys he got to pictures of other keys, found on the internet.
He used his key to unlock a compartment in the ATM that had standard USB slots. He inserted a program he had written into one of them, commanding the ATM to dump its vaults.
- He hacked into the machines by exploiting weaknesses in the way ATM makers communicate with the machines over the internet. Jack said the problem is that outsiders are permitted to bypass the need for a password. He didn't go into much more detail because he said the goal of his talk "isn't to teach everybody how to hack ATMs. It's to raise the issue and have ATM manufacturers be proactive about implementing fixes."
The remote style of attack is more dangerous because an attacker doesn't need to open up the ATMs.
It allows an attacker to gain full control of the ATMs and not only order it to spit out money, but also to silently harvest card data from anyone who uses the machines. It also affects more than just the standalone ATMs vulnerable to the physical attack, and could potentially be used against the kinds of ATMs used by mainstream banks.
Jack said he didn't think he'd be able to break the ATMs when he first started probing them.
Jack said the manufacturers whose machines he studied are deploying software fixes for both vulnerabilities, but added that the prevalence of remote-management software broadly opens up ATMs to hacker attacks.
相關(guān)閱讀
法男子入侵奧巴馬微博賬號(hào)被捕
英一提款機(jī)雙倍吐錢 百人排隊(duì)取款
(Agencies)
(中國(guó)日?qǐng)?bào)網(wǎng)英語點(diǎn)津 Helen 編輯)
