Security BSides Las Vegas 2025

Take all my money – penetrating ATMs
2025-08-05, Firenze

Who needs money to grow on trees when you can make it rain out of an ATM! If this sounds like something that you would be interested in, this talk is for you!
In this talk you will hear career war stories from an ATM pentester. Other topics that will be covered include technical aspects of ATM hacking, common tools used, as well as troubles that can arise when trying to set up an ATM test.
Attendees will leave with a better understanding of the composition of an ATM, a basic methodology for approaching ATM penetration testing, and some crazy stories that will be shared with anyone who will listen.


In this presentation we will discuss real-world examples of cybersecurity issues with ATMs. Ever wondered what it takes to make an ATM spew out cash? You’ll hear some war stories from Fredrik’s career penetration testing ATMs, covering the technical aspects of ATM hacking, such as tools, as well as the troubles that can arise when trying to set up an ATM test.

Jonathan Fischer is a hardware and IoT security enthusiast who started off designing, programming, and implementing electronic controls for industrial control systems and off-highway machinery. After a decade in that industry, Jonathan obtained his BS in Computer Science and transitioned over to the cyber security industry, where he has been working as a Red Team consultant and researcher for more than eight years at Fortune 500 companies. Since joining the cyber security industry, Jonathan has earned various industry certifications (OSCP, GXPEN, etc.) and continues to leverage his unique experience in his research into hardware hacking. Jonathan has presented his research at conferences such as ShmooCon, Black Hat Arsenal, DEF CON Demo Labs, BSides LV, and Hardware Hacking Village. He is also the co-creator of Injectyll-HIDe, an open-source hardware implant designed for use by red teams.

Fredrik Sandström, M.Sc. is Head of Cyber Security at Basalt, based in Stockholm, Sweden. He has nearly a decade of experience in penetration testing, alongside a background in software development and embedded systems engineering. His early work includes software development for organizations such as the Swedish Defence Research Agency (FOI).

Since 2015, Fredrik has focused on delivering advanced security assessments—including penetration testing, red teaming, and threat emulation—for clients in diverse sectors such as banking, insurance, automotive, energy, communications, and IT services. He holds multiple industry-recognized certifications, including GXPN (GIAC Exploit Researcher and Advanced Penetration Tester), GCPN (GIAC Cloud Penetration Tester), GRTP (GIAC Red Team Professional), and HTB Certified Bug Bounty Hunter (CBBH).

Fredrik is also an active contributor to the security community. He has presented at major conferences such as SEC-T—Sweden’s leading offensive security conference—and DevCon in Bucharest, Romania, a key event for developers and IT professionals in Eastern Europe.