Security talk pulled after ATM vendor complains

Elinor Mills CNET News

Published: 02 Jul 2009 13:13 BST


Juniper Networks has pulled a talk about a flaw in ATM software that one of its researchers was scheduled to give at the Black Hat and Defcon security conferences, after the ATM vendor complained.

In his presentation entitled Jackpotting Automated Teller Machines, Barnaby Jack was planning to discuss local and remote attack vectors on ATMs, and provide a live demonstration of an attack on an unmodified ATM. Juniper confirmed in a statement that it was behind Monday's cancellation of the talk.

The company said: "[Juniper] believes that Jack's research is important to be presented in a public forum in order to advance the state of security. However, the affected ATM vendor has expressed to us concern about publicly disclosing the research findings before its constituents were fully protected. Considering the scope and possible exposure of this issue on other vendors, Juniper decided to postpone Jack's presentation until all affected vendors have sufficiently addressed the issues found in his research".

Juniper Networks is approaching other ATM vendors to help them address any security risks uncovered in Jack's research, the statement said. The company did not disclose which manufacturer makes the ATMs that were to be referenced in the talk. Jack could not be reached for comment.

Security issues related to ATMs are a hot topic. Last month, a computer forensics expert revealed that he had discovered malware on ATMs that allowed criminals to steal account data and PINs. Three people were arrested last year after allegedly breaking into Citibank's ATM network inside 7-Eleven stores and stealing PIN codes.

Jack's description of the talk, which was posted on the Defcon website but appears to have been removed, said: "The most prevalent attacks on Automated Teller Machines typically involve the use of card skimmers, or the physical theft of the machines themselves. Rarely do we see any targeted attacks on the underlying software. This presentation will retrace the steps I took to interface with, analyse, and find a vulnerability in a line of popular new model ATMs."

This is the second year in a row that a scheduled presentation at one of the two security conferences was pulled. Last year, a Defcon talk on hacking smartcards used in the Boston subway system was blocked after a federal judge granted the Massachusetts transit authority's request for an injunction. The lawsuit was later dismissed and the three MIT students involved eventually agreed to help the transit system improve its fare-collection system.

Other researchers have encountered problems after giving their talks. In 2005, a security researcher was able to give his presentation at Defcon on how attackers could take over Cisco routers, but hours later Cisco filed a lawsuit against him. The suit was ultimately settled.

Credit: ATM vendor gets security talk pulled from conferences from CNET News
