ATM Attack Talk Canned at Black Hat
Last year, three MIT students got banned from presenting their research on hacking the Boston subway system at DefCon. This year, it is Juniper Networks' turn to get the boot.
Responding to pressure from an ATM vendor, Juniper has agreed to pull a talk originally scheduled for both the Black Hat and DefCon security conferences on ATM vulnerabilities. The talk in question - titled "Jackpotting Automated Teller Machines" - belonged to Juniper Staff Security Researcher Barnaby Jack, and was supposed to be presented first July 30 at the Black Hat conference in Las Vegas.
"Juniper believes that Jack's research is important to be presented in a public forum in order to advance the state of security," Steve Manzuik, senior manager of security research at Juniper, said in a statement. "However, the affected ATM vendor has expressed to us concern about publicly disclosing the research findings before its constituents were fully protected. Considering the scope and possible exposure of this issue on other vendors, Juniper decided to postpone Jack's presentation until all affected vendors have sufficiently addressed the issues found in his research."
According to a description of the talk on the DefCon Web site, Jack found a vulnerability in the underlying software used to run a line of ATM models. His research is not the first to deal with ATM vulnerabilities. Just recently, in fact, Trustwave uncovered an attack targeting ATMs in Eastern Europe, and indicated that the attack may be making its way to other parts of the world.
For its part, Juniper says it is committed to responsible disclosure, and is reaching out to other ATM vendors to assist them in addressing security risks. As for Jack's research, however, it seems that for now it will remain on the cutting room floor.
Black Hat will run from July 25-30, with its sister conference DefCon going from the July 30 to Aug. 2.