ABU DHABI // With a one-fits-all master key he bought online for a few dollars, Barnaby Jack unlocked the panel of an ATM, plugged in a USB stick and uploaded his own firmware.
The screen displayed four lucky 7s and the word "jackpot", then spat out the cash.
The "walk-up", as he called it, was done onstage at the annual hackers conference, Black Hat, being held this year in Abu Dhabi.
Mr Jack, the director of security research for IOActive, was one of the code-savvy technicians exposing vulnerabilities in everything from mobile phones to software for sewer system infrastructure.
Not only was he able to pull cash from an ATM on the spot in less than a minute, Mr Jack was also able to control a similar machine remotely and extract details from its settings.
He could read the banknote count, for example, and the address of specific ATMs that would be printed on receipts, so that someone could be standing at the ATM location at the moment he told it to dispense money.
He could even command its camera to shut off or change the image. "Elvis could be robbing the ATM for all they know," he said.
Of course, he uses the software he developed only to identify gaps in security and help ATM manufacturers to develop countermeasures.
The two companies he works with have already implemented changes, although there are still a few hundred thousand machines in retail stores with remote access enabled by default. Store owners either did not know how to disable the function or did not bother to, he said.
While bank ATMs were more sophisticated, he said, they were still hackable.
"For years, nobody had really looked at ATM software security, so when I first did this it was a bit of a wake-up call to these guys," said Mr Jack, who is from New Zealand but lives in San Francisco. "Now they've taken a proactive stance."
Another presenter at the conference showed how a mobile phone running Google's Android operating system could be fully accessed through applications downloaded from malware-laden websites.
Once the software gains the privilege to download applications on a device remotely, it is able to gain further permission for scrolling through contacts and messages, said Nils, who works for MWR InfoSecurity and goes only by his first name. It can even enable the microphone to record a conversation while the phone is in someone's pocket.
Although Google fixed the problem in its newest releases, the HTC Legend phone is still susceptible.
"Maybe this demonstration will force them to make the change," said Nils, who is from Germany. He said he had gone by his first name since he began hacking at the age of 14 to avoid being contacted by "shady people" who were interested in his capabilities.
Jonathan Pollet, the founder of Red Tiger Security, does consulting on Scada systems - vast power grids for industries or infrastructure such as electricity, oil and gas pipelines, and wastewater management systems. He said security maintenance for such systems was often done only once or twice a year, leaving ample opportunity for attacks.
There have been cases of groups stealing control of systems for ransom, or disgruntled employees releasing valves that spilled raw sewage into public spaces.
"You'll often have either people with inside knowledge, or outside groups looking to make money, who can easily take advantage of the lack of security framework," he said, adding that Scada firewalls lagged behind other information technology by about five years.
The conference at the Emirates Palace hotel ends today, giving Mr Jack ample time for a fresh challenge in the realm of ATM hacking.
"I haven't figured out the gold ATM at Emirates Palace yet, but I'm going to see what I can do," he said.
