A conference presentation would have exposed flaws in some cash machines.
By Robert Lemos
July 08, 2009
http://www.technologyreview.com/computing/22966/
Barnaby Jack, a security researcher at the computer networking giant Juniper, had planned to hack into an automatic teller machine (ATM) live onstage at the Black Hat Security Conference in Las Vegas later this month. But his presentation, designed to demonstrate the insecurity of various ATMs, attracted the attention of the financial industry as well as security professionals, and under pressure from ATM manufacturers, Juniper canceled the presentation last week, citing concerns that the vulnerabilities involved had still not been fixed.
"The vulnerability Barnaby was to discuss has far reaching consequences, not only to the affected ATM vendor, but to other ATM vendors and--ultimately--the public," wrote Brendan Lewis, director of corporate social media relations for Juniper in a statement posted to the company's official blog last week. "To publicly disclose the research findings before the affected vendor could properly mitigate the exposure would have potentially placed their customers at risk. That is something we don't want to see happen."
The presentation would have focused on exploiting vulnerabilities in devices running the Windows CE operating system, including some ATMs, according to a source familiar with the details. While the presentation was canceled to allow manufacturers more time to fix the vulnerabilities, Juniper had originally notified the company almost eight months ago, says the source, who asked not to be named.
Other security experts are not surprised that the vulnerabilities are there to find. Significant flaws in cash machines and ATM networks are plentiful, says Nicholas Percoco, senior vice president of TrustWave, an information security and compliance firm that has assessed the security of point-of-sale terminals, kiosks, and ATM networks. "It is very, very rare that a device comes to our labs--in fact, I don't think that it has happened--that we don't find a vulnerability," Percoco says.
No comments:
Post a Comment