
Russian ATM hacked with 5 keystrokes – Video

Slapping a full-size QWERTY keyboard on an automated teller machine is not the best way to keep the ATM safe from prying hands, as one Sberbank customer found out this holiday season.

In early December, an employee of the Russian website Habrahabr went to get some cash from a Sberbank ATM that happened to have a full-size keyboard. Out of boredom, as the man recalls, he started hitting the Shift key repeatedly when, all of a sudden, the Sticky Keys feature switched on, giving him full access to the machine’s underlying Windows XP operating system.

Sticky Keys, an accessibility feature originating in Apple’s System 6, is shared by many GUI-based operating systems, including Microsoft’s ancient Windows XP.

Pressing the Shift key five times in a row turns Sticky Keys on. Windows then treats modifier keys such as Shift, Ctrl and Alt as latched, so the user can press and release a modifier and then press the next key in sequence. This eliminates the need to hold one key with a finger while reaching for other keys.

While it’s certainly helpful to users who have physical disabilities or to those with Emacs Pinky syndrome, Sticky Keys leaves Windows-based ATMs vulnerable to attacks – especially when customers are offered a full-size keyboard. The hack was captured on video and posted to YouTube (embedded below) for everyone’s viewing pleasure.
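The shortcut that bit Sberbank is controlled per user by the `Flags` value under the Windows accessibility registry keys, where bit 4 (`SKF_HOTKEYACTIVE` and its Filter Keys and Toggle Keys counterparts) is what makes the keyboard shortcut live. The following PowerShell script is an added example written for this page, not code from the article or from Sberbank; it audits the three keyboard accessibility shortcuts for the current (kiosk) account and, with `-Fix`, clears only the hotkey bit so the feature remains available to an administrator but can no longer be triggered from the keypad. The registry paths and bit layout are the documented Windows settings; the script name `Audit-AccessibilityHotkeys.ps1` is an assumption.

```powershell
# Added example: audit and optionally disable the Sticky Keys, Filter Keys
# and Toggle Keys keyboard shortcuts for the user running the script.
# Run it in the kiosk account's own session, since these are HKCU settings.
param([switch]$Fix)

# Bit 0x4 of the Flags value (SKF_HOTKEYACTIVE / FKF_HOTKEYACTIVE /
# TKF_HOTKEYACTIVE) enables the keyboard shortcut, e.g. five Shift presses.
$HotkeyBit = 4

$Targets = @(
    @{ Feature = 'StickyKeys'; Path = 'HKCU:\Control Panel\Accessibility\StickyKeys' },
    @{ Feature = 'FilterKeys'; Path = 'HKCU:\Control Panel\Accessibility\Keyboard Response' },
    @{ Feature = 'ToggleKeys'; Path = 'HKCU:\Control Panel\Accessibility\ToggleKeys' }
)

foreach ($t in $Targets) {
    # Flags is stored as REG_SZ, so read it as text and convert to an integer.
    $raw   = (Get-ItemProperty -Path $t.Path -Name Flags -ErrorAction SilentlyContinue).Flags
    $flags = if ($null -ne $raw) { [int]$raw } else { 0 }
    $hotkeyEnabled = ($flags -band $HotkeyBit) -ne 0

    if ($Fix -and $hotkeyEnabled) {
        # Clear only the hotkey bit; leave the feature itself available so an
        # administrator can still enable it deliberately from Control Panel.
        $newFlags = $flags -band (-bnot $HotkeyBit)
        Set-ItemProperty -Path $t.Path -Name Flags -Value ([string]$newFlags)
        $flags         = $newFlags
        $hotkeyEnabled = $false
    }

    # One row per feature; HotkeyEnabled = $true is the finding to act on.
    [pscustomobject]@{
        Feature       = $t.Feature
        Flags         = $flags
        HotkeyEnabled = $hotkeyEnabled
    }
}
```

Run `.\Audit-AccessibilityHotkeys.ps1` to report, or `.\Audit-AccessibilityHotkeys.ps1 -Fix` to clear the hotkey bits; the change takes effect at the account's next logon. With Windows defaults the script reports Flags 510, 126 and 62 (all with the hotkey on) and rewrites them to 506, 122 and 58. This closes only the keyboard shortcut: a kiosk should additionally run a locked-down shell and not expose a full keyboard to customers, so that reaching the desktop is not a single toggle away even if a setting drifts.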

https://youtu.be/vMP6zu38YE4

As the footage shows, Sticky Keys let the user quickly access the Windows XP UI, including the Start menu and taskbar. Access to these areas of the OS means a malicious user could try to modify the way the ATM works, shut down the machine, use the ATM as a regular PC and, under the right conditions, maybe even deploy malware.

Sberbank took weeks to fix the problem, according to the Habrahabr post, but eventually patched all its ATMs. A bank statement appeared to downplay the flaw as a “peculiarity” of its systems that otherwise “did not carry any risks for device security.”

About the author

Filip TRUTA

Filip is an experienced writer with over a decade of practice in the technology realm. He has covered a wide range of topics in such industries as gaming, software, hardware, and security, and has worked in various B2B and B2C marketing roles. He likes fishing (not phishing), basketball, and playing around in FL Studio.
