A Moscow-based security firm demonstrated how to hack an ATM without any additional tools to a large crowd of hackers, security experts and software vendors, gathered for the annual Positive Hack Days forum in Moscow.
“You don’t need much to take control of some ATMs,” Olga Kochetova, a security expert from Positive Technologies told The Moscow Times on Friday. “Some machines can be hacked just by using your usual bank card and the buttons located around the screen,” she said.
Banks try protecting ATMs, but sometimes they fail to remove things like pop-up system messages. Just by pressing buttons in the right time, when it happens, it is possible to access the operating system, steal information or even run your own program on the ATM’s computer.
Apparently, it doesn’t happen very often, Kochetova said, but only because people are honest and don’t press buttons when they see strange messages appear on the display.
In the past, industrial systems were designed to work in isolation and therefore programmed without any security in mind, said Gleb Gritsai, another expert attending the forum.
Some ATMs can be hacked just by using a usual bank cards and several buttons.
His team presented a model train set controlled through the same hardware and software that is used by the passenger train system in Russia. They gave a step-by-step instruction on how to assume control and then disconnect electricity, change direction of the train and operate a set of semaphore gates.
“It is dangerous for transportation companies and passengers,” said Dmitry Yefanov, a security guru. “The good thing is that in real life, the system is more protected. Normally, rail road control rooms and electrical stations are not connected to the Internet, it’s very difficult to gain access,” he added.
Babak Javadi, a technology expert from Toool.us, said the purpose of hacking is to find weaknesses in a system and find ways to circumvent the rules created for the system. Whether the system is a computer or a door lock, the point is to explore and understand the unexpected situations that can be encountered.
Sergei Gordeichik, the brain behind the forum, said he hoped that the event would bring people from different backgrounds under one roof, to show young people that, in principle, they can do what they love, be on the right side of the law and earn money at the same time.
“A hacker is someone who has knowledge, ability and experience. Our goal is to create an environment to channel their abilities into the right direction, away from criminal activities,” Gordeichik said.
There is a perception that hackers are bad, negative people, continually plotting evil schemes, Yefanov said. It is completely wrong, he added.
“I’m a hacker,” Marc Heuse, an independent security researcher, told The Moscow Times, “and I worked for some of the most notable organizations in the world: The U.N., Central Bank of Europe, KPMG and others. Companies not hiring hackers are making a big mistake.”
Heuse pointed out that while there are hackers who break into the internal system, there are also accountants who cheat their companies and steal money. These criminal activities have nothing to do with their interest in their profession; it has something to do with the person’s character, he said.
Hackers turn into security specialists as soon as their work becomes paid, experts agree. Some young people explore system vulnerabilities simply because they are bored. It doesn’t mean they are criminals — they are just curious.
“I would recommend businesses to work on their network security in order to find problems,” Gordeichik said. It will be much worse to learn about them from the news.
In a large, semi-dark hall, full of red bean bags, geeks with laptops and humming trance music, when a Moscow Times reporter inquired if Wi-Fi was available, an attendee said, “Yes, there is … but I wouldn’t recommend using it. You’ll be hacked.”