ATM vendor gets security talk pulled from conferences

Last year it was smartcards and this year it's ATMs.

It's almost security conference season in Las Vegas and with one month to go, a presentation has been pulled from Black Hat and Defcon.

Juniper Networks says it pulled a talk about a flaw in ATM software that one of its researchers was scheduled to give at the security conferences, after the ATM vendor complained.

In his presentation entitled "Jackpotting Automated Teller Machines," Barnaby Jack was planning to discuss local and remote attack vectors on ATMs and provide a live demonstration of an attack on an unmodified ATM.

The description of the talk, which was posted on the Defcon Web site but appears to have been removed, said: "The most prevalent attacks on Automated Teller Machines typically involve the use of card skimmers, or the physical theft of the machines themselves. Rarely do we see any targeted attacks on the underlying software. This presentation will retrace the steps I took to interface with, analyze, and find a vulnerability in a line of popular new model ATMs."

In a statement, Juniper Networks said the company "believes that Jack's research is important to be presented in a public forum in order to advance the state of security. However, the affected ATM vendor has expressed to us concern about publicly disclosing the research findings before its constituents were fully protected. Considering the scope and possible exposure of this issue on other vendors, Juniper decided to postpone Jack's presentation until all affected vendors have sufficiently addressed the issues found his research."

Juniper Networks is reaching out to other ATM vendors to help them address any security risks uncovered in Jack's research, the statement said.

The company did not disclose which manufacturer makes the ATMs that were to be referenced in the talk. Jack could not be reached for comment.

Security issues related to ATMs are a hot topic. Last month, a computer forensics expert revealed that he had discovered malware on ATMs that allowed criminals to steal account data and PINs. Three people were arrested last year after allegedly breaking into Citibank's ATM network inside 7-Eleven stores and stealing PIN codes.

This is the second year in a row that a scheduled presentation at one of the two security conferences was pulled. Last year, a talk on hacking smartcards used in the Boston subway system was blocked after a federal judge granted the Massachusetts transit authority's request for an injunction. The lawsuit was later dismissed and the three MIT students who were muzzled eventually ended up agreeing to help the transit system improve its fare collection system.

And other researchers have encountered problems after giving their talks. In 2005, a security researcher was able to give his presentation at Defcon on how attackers could take over Cisco routers, but hours later Cisco Systems filed a lawsuit against him. The suit was ultimately settled.

Things were more dramatic in 2001, when the FBI took Russian crypto expert Dmitry Sklyarov into custody at his Las Vegas hotel the day after he gave his Defcon talk about insecurities in e-book security software.

(The ATM talk cancellation was first reported by Risky.Biz.)