Tuesday, June 30, 2009

ATM Jackpot Talk Blocked from Blackhat

One of the few talks I was actually looking forward to seeing at Blackhat this year has just been canned due to corporate pressures.

Barnaby Jack was meant to be delivering his new talk "Jackpotting Automated Teller Machines" in Las Vegas but has had to cancel it due to the affected vendor(s) not getting things fixed in time and subsequent pressure being applied to his employer to drop the talk.

The abstract for Barns talk was the following (now removed from the Blackhat site):
I've always liked the scene in Terminator 2 where John Connor walks up to an ATM, interfaces his Atari to the card reader and retrieves cash from the machine.

I think I've got that kid beat.

The most prevalent attacks on Automated Teller Machines typically involve the use of card skimmers, or the physical theft of the machines themselves. Rarely do we see any targeted attacks on the underlying software. This presentation will retrace the steps I took to interface with, analyze, and find a vulnerability in a line of popular new model ATM's.

The presentation will explore both local and remote attack vectors, and finish with a live demonstration of an attack on an unmodified, stock ATM.
This isn't the first time a scheduled high-profile talk has had its rug pulled out from under it at Blackhat. Unfortunately this kind of thing is becoming a more regular occurrence at large technical security conferences - which is a shame.

Interestingly enough I had proposed a talk for Blackhat Las Vegas this year along with Stefan Frei which would have discussed how to stop this kind of thing from happening in the future. Pity it wasn't accepted this time round (would have been prime fodder for the ATM media circus) - but it gives us a bit more time to build and test things out. For those that are interested, the talk was going to be about "Guaranteed Disclosure" - abstract as follows...
Vulnerability disclosure – it’s close to all our hearts. For the last decade the disclosure debate has swung from Full Disclosure through to Responsible Disclosure, and every faction in-between. Let’s step up the pace and throw in a new disclosure paradigm – Guaranteed Disclosure.

What would the vulnerability disclosure landscape look like if you could disclose a vulnerability to a security vendor and etch in stone when it’ll become public? No sidestepping by the vendor – they’ve got 90 days to fix the vulnerability because that’s when the vulnerability will be public – and you can honestly say “it’s out of my hands, the timer has already begun!”

In this session we cover a new option for vulnerability researchers to independently and securely disclose their findings to vendors – and guarantee that they’ll be publicly disclosed on a date in advance, despite any future pressure from the Vendor or Government. Guaranteed Disclosure will ensure that hard limits are placed upon the time for vendors to fix a vulnerability and make it public – without the researcher being pressured to halt.
Barns -- looking forward to your talk whenever you get the corporate nod to finally give it.

No comments:

Post a Comment