OWASP – Hacking Commercial Safes & ATMs

I went to my first OWASP (Open Web Application Security Project) meeting ever tonight. To be honest, I stayed away from it all these months simply because I never felt I had the right amount of technical knowledge under my belt. However, a friend of a friend invited me and I decided to take the leap – VERY thankful that I did! The people are very chill, and though the topic had some amount of technicality it was still pretty easy to understand even for a newbie like me. There were about 40 people in the audience and only 5 of them were females. I won’t go into every detail they covered but below are just some of the things that stuck out to me.

The topic was how to hack commercial safes & ATMs – or at least what to look at and think about when considering doing this (hypothetically speaking). The presenters went through the basics, starting with the standards and regulations. Underwriters Laboratories is the main source of authority, and its standards such as 687 and 768 include things like tool resistance and torch resistance. More can be found on their website – http://ulstandards.ul.com/.

The presenters also went through the various types of attacks that happen on such devices, such as low voltage, short circuit tests and mechanical attacks. On much older locks, a vibration attack would be used. Essentially this is where you attach a vibrating device to the lock and the keys within the lock automatically shift into the open position. Attacks using video cameras & microphones to see what PIN you enter are still prevalent today. Bluetooth attacks are also very common. Silly question, but why is Bluetooth needed for safes?!

Another interesting vulnerability in locks is that there are multiple users. Usually it’s one manager and the others are users; however, there are no usernames! The users are just assigned a PIN and there can be up to 100 users with the new Samsung locks. Are you thinking what I am thinking? Bruteforce for the win! Actually, it would not take too much effort to keep on trying 6-digit PINs till you get it – one of them must be 123456. If you’re the one with that PIN, PLEASE GO CHANGE IT!
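
To put numbers on the shared-PIN point above, here is an added example (not from the talk or the original post) that works out how much a username-less lock's margin shrinks as more 6-digit PINs are enrolled, and how much a wrong-try lockout buys back. It assumes enrolled PINs are distinct and uniformly random; the function names, the 5-second entry time and the lockout policy are hypothetical.

```python
import math
from fractions import Fraction

KEYSPACE = 10 ** 6  # six-digit PINs, as described in the post


def p_hit_within(guesses, valid_pins, keyspace=KEYSPACE):
    """Chance that `guesses` distinct PINs include at least one enrolled PIN.

    Assumes enrolled PINs are distinct and uniformly random, which is the
    best case for the defender; popular PINs such as 123456 make it worse.
    """
    if guesses + valid_pins > keyspace:
        return Fraction(1)  # pigeonhole: some guess must be enrolled
    miss = Fraction(1)
    for j in range(valid_pins):
        miss *= Fraction(keyspace - guesses - j, keyspace - j)
    return 1 - miss


def expected_guesses(valid_pins, keyspace=KEYSPACE):
    """Mean number of distinct guesses until the first enrolled PIN is hit."""
    return Fraction(keyspace + 1, valid_pins + 1)


def seconds_to_expected_hit(valid_pins, seconds_per_try,
                            wrong_tries_per_lockout=None, lockout_seconds=0):
    """Keypad time for the expected number of guesses under a lockout policy.

    The per-try time and the lockout policy are hypothetical parameters.
    """
    guesses = math.ceil(expected_guesses(valid_pins))
    total = guesses * seconds_per_try
    if wrong_tries_per_lockout:
        # Every full batch of wrong tries before the hit costs one lockout.
        total += ((guesses - 1) // wrong_tries_per_lockout) * lockout_seconds
    return total


if __name__ == "__main__":
    for users in (1, 10, 100):
        no_lock = seconds_to_expected_hit(users, 5) / 3600
        locked = seconds_to_expected_hit(users, 5, 5, 600) / 86400
        print(f"{users:3d} PINs: ~{float(expected_guesses(users)):.0f} guesses, "
              f"{no_lock:.1f} h without lockout, {locked:.1f} days with it")
```

With 100 enrolled PINs the expected search drops from about 500,000 guesses to 9,901, which is why limiting enrolled users and enforcing a wrong-try penalty both matter on a lock that has no usernames.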

Through simple use of technology, an attacker can know where the safe is and when it’s open. Gone are the days where the robbers used to ask, “Where is your safe?”


In short, the best user practices with an ATM are:

  1. Use indoor ATMs – at least the door adds another layer of physical security & hopefully the bank or store has their own surveillance cameras for added measure
  2. Keep track of the ATMs you go to – mainly so that in case you’re ever hacked you can narrow down the suspected places
  3. Replace debit/credit cards & change PINs regularly – especially if your information is compromised

More information about OWASP can be found at: https://www.owasp.org/index.php/Main_Page
