Security BSides Las Vegas 2025

Take all my money – penetrating ATMs
2025-08-05 , Firenze

In this presentation we will discuss real-world examples of cybersecurity issues with ATMs. Ever wondered what it takes to make an ATM spewing out cash? You’ll hear some war stories from Fredriks career when penetration testing ATMs which includes the technical aspects of ATM hacking like tools but also troubles that can arise when trying to set up an ATM test.


In this presentation we will discuss real-world examples of cybersecurity issues with ATMs. Ever wondered what it takes to make an ATM spewing out cash? You’ll hear some war stories from Fredriks career when penetration testing ATMs which includes the technical aspects of ATM hacking like tools but also troubles that can arise when trying to set up an ATM test.

Jonathan Fischer is a hardware and IoT security enthusiast that started off designing, programming, and implementing electronic controls for industrial control systems and off-highway machinery. After a decade in that industry, Jonathan obtained his BS in Computer Science and transitioned over to the cyber security industry where he has been working as a Red Team consultant and researcher for more than eight years at Fortune 500 companies. Since joining the cyber security industry, Jonathan has since earned various industry certifications (OSCP, GXPEN, etc.) and continues to leverage his unique experience in his research into hardware hacking. Jonathan has presented his research at conferences such as ShmooCon, Black Hat Arsenal, DEF CON Demo Labs, BSides LV, and Hardware Hacking Village. He is also the co-creator of Injectyll-HIDe, an open-source hardware implant designed for use by red teams.

Fredrik Sandström, M.Sc. is Head of Cyber Security at Basalt, based in Stockholm, Sweden. He has nearly a decade of experience in penetration testing, alongside a background in software development and embedded systems engineering. His early work includes software development for organizations such as the Swedish Defence Research Agency (FOI).

Since 2015, Fredrik has focused on delivering advanced security assessments—including penetration testing, red teaming, and threat emulation—for clients in diverse sectors such as banking, insurance, automotive, energy, communications, and IT services. He holds multiple industry-recognized certifications, including GXPN (GIAC Exploit Researcher and Advanced Penetration Tester), GCPN (GIAC Cloud Penetration Tester), GRTP (GIAC Red Team Professional), and HTB Certified Bug Bounty Hunter (CBBH).

Fredrik is also an active contributor to the security community. He has presented at major conferences such as SEC-T—Sweden’s leading offensive security conference—and DevCon in Bucharest, Romania, a key event for developers and IT professionals in Eastern Europe.