ATM hack talk pulled from security conference

It's almost security conference season in Las Vegas and with one month to go, a presentation has been pulled from Black Hat and Defcon.

Juniper Networks says it pulled a talk about a flaw in ATM software that one of its researchers was scheduled to give at the security conferences, after the ATM vendor complained.

In his presentation entitled 'Jackpotting Automated Teller Machines', Barnaby Jack was planning to discuss local and remote attack vectors on ATMs and provide a live demonstration of an attack on an unmodified ATM.

The description of the talk, which was posted on the Defcon website but appears to have been removed, said: "The most prevalent attacks on Automated Teller Machines typically involve the use of card skimmers, or the physical theft of the machines themselves. Rarely do we see any targeted attacks on the underlying software. This presentation will retrace the steps I took to interface with, analyse, and find a vulnerability in a line of popular new model ATMs."

In a statement, Juniper Networks said the company "believes that Jack's research is important to be presented in a public forum in order to advance the state of security. However, the affected ATM vendor has expressed to us concern about publicly disclosing the research findings before its constituents were fully protected.

"Considering the scope and possible exposure of this issue on other vendors, Juniper decided to postpone Jack's presentation until all affected vendors have sufficiently addressed the issues found in his research."

Juniper Networks is reaching out to other ATM vendors to help them address any security risks uncovered in Jack's research, the statement said.

The company did not disclose which manufacturer makes the ATMs that were to be referenced in the talk. Jack could not be reached for comment.

Security issues related to ATMs are a hot topic. Last month, a computer forensics expert revealed he had discovered malware on ATMs that allowed criminals to steal account data and PINs. Three people were arrested last year after allegedly breaking into Citibank's ATM network inside 7-Eleven convenience stores and stealing PIN codes.

This is the second year in a row that a scheduled presentation at one of the two security conferences was pulled. Last year, a talk on hacking smartcards used in the Boston subway system was blocked after a federal judge granted the Massachusetts transit authority's request for an injunction.

And other researchers have encountered problems after giving their talks. In 2005, a security researcher was able to give his presentation at Defcon on how attackers could take over Cisco routers but hours later Cisco Systems filed a lawsuit against him. The suit was ultimately settled.

Things were more dramatic in 2001, when the FBI took Russian crypto expert Dmitry Sklyarov into custody at his Las Vegas hotel the day after he gave his Defcon talk about insecurities in e-book security software.

The ATM talk cancellation was first reported by Risky.Biz.

Original article: ATM vendor gets security talk pulled from conferences from CNET News.com