A new study that analyzed ATMs from three major manufacturers found that two-thirds of them were vulnerable to physical black box attacks and an even larger number were vulnerable to network attacks.
The research project spanned two years and was carried out by researchers from security firm Positive Technologies. They looked at 26 ATMs from NCR, Diebold Nixdorf and GRGBanking running an embedded versions of Windows XP, 7 or 10 and had different configurations.
An ATM has two major parts: a cabinet that houses the computer, which is connected to peripheral devices such as the PIN pad, card reader, display, network equipment, etc., and a safe that houses the cash dispenser.
But while the cash dispenser itself is protected inside the safe, the cable that connects it to the ATM computer is not. Attackers have been known to drill holes into ATM cabinets and use other physical access techniques to connect rogue devices known as Black Boxes to the dispenser cable. This allows them to issue commands and trick ATMs into releasing cash.
According to Positive Technologies, 69 percent of the tested ATMs were vulnerable to Black Box attacks that could be executed in 10 minutes or less.
“This device is most often a simple single-board computer (such as Raspberry Pi) running modified versions of ATM diagnostic utilities,” the researchers said in their report. “Diagnostic utilities usually run checks to verify that access is legitimate, but attackers know how to disable these checks and any other security mechanisms.”
Some ATMs use physical authentication mechanisms, but in attacks observed last year in Mexico, thieves used endoscopes to bypass this protection and authorize their Black Box devices. NCR issued firmware and dispenser updates to prevent such attacks, but it is up to the ATM owners to deploy them.
But this is not the only technique to get money out of ATMs. Hackers also can attack these machines over the network by spoofing the connection to the bank’s processing center, if not properly encrypted, or by exploiting vulnerabilities in the ATM’s network services or devices, such as GSM modems.
The Positive Technologies researchers found that 85 percent of the tested ATMs were vulnerable to such network attacks. Access to the ATM network can be achieved with insider help or by hacking into the bank’s IT network, which often is linked to the ATM network for update and remote management purposes. This was the modus operandi of the Cobalt group, which managed to steal millions of dollars from banks around the world.
According to Positive Technologies, 27 percent of the tested ATMs were vulnerable to processing center spoofing and 58 percent had exploitable vulnerabilities in their network services due to poor firewall configuration or outdated software.
Furthermore, the researchers found ways to exit the kiosk mode interface displayed to users on 76 percent of the ATMs. This allowed them to execute commands directly on the operating system.
More than 90 percent of the tested ATMs had application control solutions installed to prevent the execution of malware programs. These solutions use a whitelisting approach, but the whitelists often include all software that existed on the ATM when the solution was deployed. This means that any vulnerability in the whitelisted applications could be exploited to take control of the OS and disable the protection.
Ninety-two percent of the ATMs were also vulnerable to physical attacks that involve hijacking the connection to their hard drives and 27 percent were vulnerable to attacks that involved booting from an external disk, a technique observed in real-world attacks. Furthermore, the researchers found ways to reboot the operating system in special debugging or safe modes, wherein various protections were disabled, on 42 percent of the tested machines.
Attacks that can result in the theft of payment card data were possible on virtually all ATMs. These attacks involve intercepting card data while traveling between the ATM and the bank’s processing center or intercepting it with malware or via the USB or COM ports when transmitted by the card reader to the OS.
“Although ATM owners bear the brunt of the threat from logic attacks, bank clients may fall victim as well,” said Leigh-Anne Galloway, cybersecurity resilience lead at Positive Technologies. “In our security work, we constantly uncover vulnerabilities related to network security, improper configuration, and poor protection of peripherals. These flaws allow criminals to steal ATM cash and obtain card information. To reduce the risk of attack and expedite threat response, the first step is to physically secure ATMs, as well as implement logging and monitoring of security events on the ATM and related infrastructure. Regular security analysis of ATMs is important for timely detection and remediation of vulnerabilities.”