Security consultant Joseph Rodriguez has found a way to wirelessly hack ATMs. It turned out that an app on a smartphone and knowledge of a ten-year-old vulnerability were enough to get an unlimited amount of money.
Several decades ago, there was a common bug that caused a memory buffer overflow and allowed attackers to manipulate the device code. The security hole was successfully repaired, but, as it turned out, the creators of ATMs are repeating an old mistake. Joseph Rodriguez found that many of these devices do not check the size of the data packet sent via NFC to the reader. This allows an attacker both to manipulate the money in an account and to receive unlimited cash.
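The missing size check described above, shown beside its fix as an added C example; it is not code from the article or from any ATM or reader firmware. The frame layout (2-byte big-endian length, then payload), the 64-byte buffer and all names are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define PAYLOAD_MAX 64   /* assumed size of the reader's fixed receive buffer */

enum parse_status { PARSE_OK = 0, PARSE_TRUNCATED = -1, PARSE_TOO_LARGE = -2 };

struct reader_msg {
    uint8_t payload[PAYLOAD_MAX];
    size_t  len;
};

/* Flawed pattern: the length field sent over NFC is trusted as-is. */
void parse_frame_unchecked(struct reader_msg *out, const uint8_t *frame)
{
    size_t declared = ((size_t)frame[0] << 8) | frame[1];
    memcpy(out->payload, frame + 2, declared);  /* writes past payload[] if declared > PAYLOAD_MAX */
    out->len = declared;
}

/* Hardened pattern: validate the declared size against both the bytes
 * actually received and the destination buffer before copying. */
int parse_frame_checked(struct reader_msg *out, const uint8_t *frame, size_t frame_len)
{
    if (frame_len < 2)
        return PARSE_TRUNCATED;                 /* no room for the length field */
    size_t declared = ((size_t)frame[0] << 8) | frame[1];
    if (declared > frame_len - 2)
        return PARSE_TRUNCATED;                 /* would read past the received data */
    if (declared > sizeof out->payload)
        return PARSE_TOO_LARGE;                 /* would overflow the destination */
    memcpy(out->payload, frame + 2, declared);
    out->len = declared;
    return PARSE_OK;
}

/* Builds a constructed frame whose length field says `declared` but which
 * carries `sent` payload bytes, and returns the checked parser's verdict. */
int check_constructed_frame(size_t declared, size_t sent)
{
    uint8_t frame[2 + 512];
    struct reader_msg msg;
    if (declared > 0xFFFF || sent > 512)
        return -99;                             /* outside this demo's range */
    frame[0] = (uint8_t)(declared >> 8);
    frame[1] = (uint8_t)(declared & 0xFF);
    memset(frame + 2, 0x41, sent);
    return parse_frame_checked(&msg, frame, 2 + sent);
}
```

The unchecked function is shown only for contrast and is never called here.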
“You can change the firmware or the amount, for example, by one dollar, even when the screen shows that you are paying $50. You can render the device useless or install some sort of ransomware. If you launch an attack and send a special load to the ATM computer, you can get the jackpot just by holding up your smartphone,” explains Joseph.
At the time of the discovery of the vulnerability, Joseph Rodriguez was working as a security consultant at IOActive.
The scale of the problem is enormous, he says, as the hole is present on numerous devices in malls, restaurants and retail stores.
A smartphone with NFC is enough for the hack, but Joseph wrote a special application himself.
He notified special services over a year ago, but found that the problem was still relevant.
By disclosing the details of the hack, he plans to draw attention to the vulnerability, which will push stakeholders to fix it.