Researchers Find Most ATMs Vulnerable to Hacker Attacks

A new study that analyzed ATMs from three major manufacturers found that two-thirds of them were vulnerable to physical black box attacks and an even larger number were vulnerable to network attacks.

The research project spanned two years and was carried out by researchers from security firm Positive Technologies. They looked at 26 ATMs from NCR, Diebold Nixdorf and GRGBanking running an embedded versions of Windows XP, 7 or 10 and had different configurations.

An ATM has two major parts: a cabinet that houses the computer, which is connected to peripheral devices such as the PIN pad, card reader, display, network equipment, etc., and a safe that houses the cash dispenser.

But while the cash dispenser itself is protected inside the safe, the cable that connects it to the ATM computer is not. Attackers have been known to drill holes into ATM cabinets and use other physical access techniques to connect rogue devices known as Black Boxes to the dispenser cable. This allows them to issue commands and trick ATMs into releasing cash.

According to Positive Technologies, 69 percent of the tested ATMs were vulnerable to Black Box attacks that could be executed in 10 minutes or less.

“This device is most often a simple single-board computer (such as Raspberry Pi) running modified versions of ATM diagnostic utilities,” the researchers said in their report. “Diagnostic utilities usually run checks to verify that access is legitimate, but attackers know how to disable these checks and any other security mechanisms.”

Some ATMs use physical authentication mechanisms, but in attacks observed last year in Mexico, thieves used endoscopes to bypass this protection and authorize their Black Box devices. NCR issued firmware and dispenser updates to prevent such attacks, but it is up to the ATM owners to deploy them.

But this is not the only technique to get money out of ATMs. Hackers also can attack these machines over the network by spoofing the connection to the bank’s processing center, if not properly encrypted, or by exploiting vulnerabilities in the ATM’s network services or devices, such as GSM modems.

The Positive Technologies researchers found that 85 percent of the tested ATMs were vulnerable to such network attacks. Access to the ATM network can be achieved with insider help or by hacking into the bank’s IT network, which often is linked to the ATM network for update and remote management purposes. This was the modus operandi of the Cobalt group, which managed to steal millions of dollars from banks around the world.

According to Positive Technologies, 27 percent of the tested ATMs were vulnerable to processing center spoofing and 58 percent had exploitable vulnerabilities in their network services due to poor firewall configuration or outdated software.

Furthermore, the researchers found ways to exit the kiosk mode interface displayed to users on 76 percent of the ATMs. This allowed them to execute commands directly on the operating system.

More than 90 percent of the tested ATMs had application control solutions installed to prevent the execution of malware programs. These solutions use a whitelisting approach, but the whitelists often include all software that existed on the ATM when the solution was deployed. This means that any vulnerability in the whitelisted applications could be exploited to take control of the OS and disable the protection.

Ninety-two percent of the ATMs were also vulnerable to physical attacks that involve hijacking the connection to their hard drives and 27 percent were vulnerable to attacks that involved booting from an external disk, a technique observed in real-world attacks. Furthermore, the researchers found ways to reboot the operating system in special debugging or safe modes, wherein various protections were disabled, on 42 percent of the tested machines.

Attacks that can result in the theft of payment card data were possible on virtually all ATMs. These attacks involve intercepting card data while traveling between the ATM and the bank’s processing center or intercepting it with malware or via the USB or COM ports when transmitted by the card reader to the OS.

“Although ATM owners bear the brunt of the threat from logic attacks, bank clients may fall victim as well,” said Leigh-Anne Galloway, cybersecurity resilience lead at Positive Technologies. “In our security work, we constantly uncover vulnerabilities related to network security, improper configuration, and poor protection of peripherals. These flaws allow criminals to steal ATM cash and obtain card information. To reduce the risk of attack and expedite threat response, the first step is to physically secure ATMs, as well as implement logging and monitoring of security events on the ATM and related infrastructure. Regular security analysis of ATMs is important for timely detection and remediation of vulnerabilities.”

Featured eBook
7 Reasons Why CISOs Should Care About DevSecOps

7 Reasons Why CISOs Should Care About DevSecOps

DevOps is no longer an experimental phenomenon or bleeding edge way of delivering software. It’s now accepted as a gold standard for delivering software. It’s time for CISOs to stop fearing DevOps and start recognizing that by embedding security into the process they’re setting themselves up for huge potential upsides. Download this eBook to learn ... Read More
Security Boulevard

Lucian Constantin

Lucian has been covering computer security and the hacker culture for almost a decade, his work appearing in many technology publications including PCWorld, Computerworld, Network World, CIO, CSO, Forbes and The Inquirer. He has a bachelor's degree in political science, but has been passionate about computers and cybersecurity from an early age. Before he chose a career in journalism, Lucian worked as a system and network administrator. He enjoys attending security conferences and delving into interesting research papers. You can reach him at lucian@constantinsecurity.com or @lconstantin on Twitter. For encrypted email, his PGP key's fingerprint is: 7A66 4901 5CDA 844E 8C6D 04D5 2BB4 6332 FC52 6D42

lucian-constantin has 298 posts and counting.See all posts by lucian-constantin