Flaws in Ubiquitous ATM Software Could Have Let Attackers Take Over Cash Machines


There is a grand tradition at the annual Defcon security conference in Las Vegas of hacking ATMs. Unlocking them with safecracking techniques, rigging them to steal users' personal data and PIN numbers, crafting and refining ATM malware and, of course, hacking them to spit out all their cash. Many of these projects targeted what are known as retail ATMs, freestanding devices like those you'd find at a gas station or a bar. But on Friday, independent researcher Matt Burch is presenting findings related to the “financial” or “enterprise” ATMs used in banks and other large institutions.

Burch is demonstrating six vulnerabilities in ATM-maker Diebold Nixdorf’s widely deployed security solution, known as Vynamic Security Suite (VSS). The vulnerabilities, which the company says have all been patched, could be exploited by attackers to bypass an unpatched ATM's hard drive encryption and take full control of the machine. And while there are fixes available for the bugs, Burch warns that, in practice, the patches may not be widely deployed, possibly leaving some ATMs and cash-out systems exposed.

“Vynamic Security Suite does a number of things—it has endpoint protection, USB filtering, delegated access, and much more,” Burch tells WIRED. “But the specific attack surface that I’m taking advantage of is the hard drive encryption module. And there are six vulnerabilities because I would identify a path and files to exploit, and then I would report it to Diebold, they would patch that issue, and then I would find another way to achieve the same outcome. They’re relatively simplistic attacks.”

The vulnerabilities Burch found are all in VSS's functionality to turn on disk encryption for ATM hard drives. Burch says that most ATM manufacturers rely on Microsoft's BitLocker Windows encryption for this purpose, but Diebold Nixdorf’s VSS uses a third-party integration to run an integrity check. The system is set up in a dual-boot configuration that has both Linux and Windows partitions. Before the operating system boots, the Linux partition runs a signature integrity check to validate that the ATM hasn't been compromised, and then boots it into Windows for normal operation.

“The problem is, in order to do all of that, they decrypt the system, which opens up the opportunity,” Burch says. “The core flaw that I’m exploiting is that the Linux partition was not encrypted.”

Burch found that he could manipulate the location of critical system validation files to redirect code execution; or, in other words, give himself control of the ATM.
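To make the design weakness Burch describes concrete (a pre-boot integrity check whose own inputs sit on an unencrypted partition that the check does not protect), here is an added Python model. It is not part of the article and not Diebold Nixdorf's VSS code; the manifest format, the HMAC key handling, the file names and the sample contents are all constructed assumptions. It contrasts a verifier that trusts whatever manifest it finds on disk with one that authenticates the manifest using a key held outside the partition, pins the set of components that must be covered, and confines every path to the partition root. The simulated tampering step models the relocation the article mentions: the checked file is moved, the manifest is re-pointed at the pristine copy, and the boot path ends up carrying modified content.

```python
"""Toy model of a pre-boot integrity check (constructed example, not VSS)."""
import hashlib
import hmac
import json
import os
import shutil
import tempfile

# Hypothetical verifier key. In a real design it would be sealed in a TPM or
# otherwise held outside the unencrypted partition, never beside the manifest.
VERIFIER_KEY = b"constructed-demo-key-not-a-real-secret"
MANIFEST = "manifest.json"
REQUIRED = {"boot/loader.bin"}  # components a boot must always cover


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def canonical(entries):
    # Deterministic encoding so the MAC covers exactly the entries verified.
    return json.dumps(entries, sort_keys=True, separators=(",", ":")).encode()


def write_manifest(root, entries, key=None):
    manifest = {"entries": entries}
    if key is not None:
        manifest["mac"] = hmac.new(key, canonical(entries), "sha256").hexdigest()
    with open(os.path.join(root, MANIFEST), "w") as f:
        json.dump(manifest, f)


def load_manifest(root):
    with open(os.path.join(root, MANIFEST)) as f:
        return json.load(f)


def safe_join(root, rel):
    # Reject absolute paths and anything that escapes the partition root.
    full = os.path.normpath(os.path.join(root, rel))
    if os.path.isabs(rel) or os.path.commonpath([root, full]) != root:
        raise ValueError(f"path escapes partition root: {rel}")
    return full


def weak_verify(root):
    """Trusts the manifest as found on disk: whoever can write the
    unencrypted partition decides which files get checked, and where."""
    entries = load_manifest(root)["entries"]
    return all(sha256_file(os.path.join(root, rel)) == d for rel, d in entries.items())


def hardened_verify(root, key, required):
    """Authenticates the manifest before trusting it, requires the pinned
    components to be present, and confines paths to the partition."""
    manifest = load_manifest(root)
    entries = manifest.get("entries", {})
    expected = hmac.new(key, canonical(entries), "sha256").hexdigest()
    if not hmac.compare_digest(manifest.get("mac", ""), expected):
        return False
    if not required <= set(entries):
        return False
    try:
        return all(sha256_file(safe_join(root, rel)) == d for rel, d in entries.items())
    except (ValueError, FileNotFoundError):
        return False


def build_partition(root):
    """Constructed sample partition: one boot component and its digest."""
    os.makedirs(os.path.join(root, "boot"))
    loader = os.path.join(root, "boot", "loader.bin")
    with open(loader, "wb") as f:
        f.write(b"ORIGINAL LOADER (constructed sample)")
    return {"boot/loader.bin": sha256_file(loader)}


def simulate_relocation(root):
    """Models the flaw: the pristine file is copied aside, the manifest entry
    is re-pointed at the copy, and the boot path now holds modified bytes.
    The MAC, if any, is left untouched: without the key it cannot be redone."""
    manifest = load_manifest(root)
    os.makedirs(os.path.join(root, ".cache"))
    shutil.copy(os.path.join(root, "boot", "loader.bin"),
                os.path.join(root, ".cache", "loader.bin"))
    with open(os.path.join(root, "boot", "loader.bin"), "wb") as f:
        f.write(b"MODIFIED LOADER (constructed sample)")
    manifest["entries"][".cache/loader.bin"] = manifest["entries"].pop("boot/loader.bin")
    with open(os.path.join(root, MANIFEST), "w") as f:
        json.dump(manifest, f)


def run_demo():
    """Returns the verdict of each verifier before and after relocation."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for mode in ("weak", "hardened"):
            root = os.path.join(tmp, mode)
            os.makedirs(root)
            entries = build_partition(root)
            write_manifest(root, entries, key=VERIFIER_KEY if mode == "hardened" else None)
            check = (weak_verify if mode == "weak"
                     else lambda r: hardened_verify(r, VERIFIER_KEY, REQUIRED))
            results[mode + "_clean"] = check(root)
            simulate_relocation(root)
            results[mode + "_tampered"] = check(root)
    return results


if __name__ == "__main__":
    print(run_demo())
```

The weak verifier passes both before and after relocation, because it hashes whichever file the manifest names and the manifest itself is under the writer's control. The hardened verifier rejects the tampered partition at the MAC check, and would also reject it on the pinned-component check even if the MAC were somehow satisfied; the underlying fix the article reports, encrypting the Linux partition, removes the writer's access in the first place, and authenticating the check's inputs is the complementary layer.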

Diebold Nixdorf spokesperson Michael Jacobsen tells WIRED that Burch first disclosed the findings to them in 2022 and that the company has been in contact with Burch about his Defcon talk. The company says that the vulnerabilities Burch is presenting were all addressed with patches in 2022. Burch notes, though, that as he went back to the company with new versions of the vulnerabilities over the past couple of years, his understanding is that the company continued to address some of the findings with patches in 2023. And Burch adds that he believes Diebold Nixdorf addressed the vulnerabilities on a more fundamental level in April with a version of VSS that encrypts the Linux partition.
