Networking giant Juniper canceled a presentation on ATM vulnerabilities scheduled to be given by one of its researchers at the Black Hat Security Conference later this month.
The talk, which would have revealed flaws in the automated teller machines (ATM) of an undisclosed vendors, will be postponed until the vulnerabilities are fixed, Juniper said in a statement. The original description of the presentation stated that the researcher, Barnaby Jack, would "retrace the steps I took to interface with, analyze, and find a vulnerability in a line of popular new model ATMs," and would "explore both local and remote attack vectors, and finish with a live demonstration of an attack on an unmodified, stock ATM."
On Monday, Juniper announced that it would not allow the presentation to go forward, at the request of the affected vendor.
"The vulnerability Barnaby was to discuss has far reaching consequences, not only to the affected ATM vendor, but to other ATM vendors and — ultimately — the public," Brendan P. Lewis, director of corporate social media relations, said in a statement posted to the Juniper blog. "To publicly disclose the research findings before the affected vendor could properly mitigate the exposure would have potentially placed their customers at risk. That is something we don't want to see happen."
Cash machines have increasingly been targeted by hackers and cybercriminals. In March, security firm Sophos uncovered malware specifically written for Diebold ATM devices, which was found on a number of machines in Russia. The security firm stated at the time that the malicious software had been created as early as November 2008.
Diebold warned customers as early as January, according to reporting by IDG News, and provided a software patch for customers.
"Diebold continually emphasizes the customers role in reducing the risk of attacks by following industry-standard security procedures related to managing physical access to ATMs, password management and software updates," the company stated in a cover letter that accompanied the advisory about the issue.
If you have tips or insights on this topic, please contact SecurityFocus.
Posted by: Robert Lemos