Security Technology News - July 2010

Hack Exposes ATM Security Flaws

Posted by Security Technology News' International Correspondent on 29/07/2010 - 15:20:00


Vulnerabilities in the security of ATM cash machines have been shown by a computer security expert in a conference demonstration.

Barnaby Jack, director of security research at IOActive, hacked into standalone ATMs and hijacked their internal operating systems, leading them to disgorge cash.

Jack demonstrated the flaw in a presentation to the annual Black Hat conference in Las Vegas, which aims to highlight the latest computer and IT security vulnerabilities. He said his attacks prove there are major problems in ATM security and that better software protection measures are urgently required.

Jack said: "My reaction was, 'this is the game-over vulnerability right here'. Every ATM I've looked at, I've been able to find a flaw in. It's a scary thing."

ATM Security Flaws

Jack spent two years researching the flaw. He purchased standalone ATM terminals online - the type seen in convenience stores. He used the physical keys that came with the machines to unlock a compartment of the ATM that had standard USB ports. He then inserted an infected USB into one of the ports, commanding the ATM to empty its cash. Jack also hacked into ATMs by exploiting weaknesses in network connections between the manufacturer's systems and the machines.

Jack's hacking demonstration was well received by the conference. He was keen to point out that his demonstration wasn't about teaching "everybody how to hack ATMs. It's to raise the issue and have ATM manufacturers be proactive about implementing fixes." In particular, he said, the demonstration highlighted how a hacker can gain full control of an ATM, meaning criminals would also be able to harvest account details from people who've used the machines as well as access money.

Although Jack didn't identify the manufacturers of the ATMs he used for the demonstration, Triton Systems later confirmed that one of its machines had been involved. The company said it has introduced a software patch that blocks unauthorised software from running on its ATMs.

 
