A staggering 85 percent of ATM cash machines can be hacked and tricked into dispensing free cash within just 20 minutes, a new report warns.
Bank security experts Positive Technologies described in a report this week a number of successful attempts to gain access to an ATM's operating system.
They targeted ATMs belonging to GRGBanking, NCR and Diebold Nixdorf and found four main vulnerability categories: insufficient network security; insufficient peripheral security; improper configuration of systems or devices; and vulnerabilities within the configuration of the application control.
The team’s researchers wrote in their report that, due to the insufficient network security, a criminal with access to the ATM network can “target available network services, intercept and spoof traffic, and attack network equipment.”
“Criminals can also spoof responses from the processing center or obtain control of the ATM.”
They found that 58 percent of the ATMs tested were at risk of threat actors breaching the network because of poor cybersecurity practices, such as out-of-date software and weak firewall protection.
Using the vulnerabilities CVE-2017-8464 and CVE-2018-1038, they could run arbitrary code remotely and subsequently escalate privileges; this resulted in the ability to “disable security mechanisms and control output of banknotes from the dispenser.”
Hit it Hard
By far the most successful type of attack was a direct hack of the ATM itself, although this required physical access.
If the attacker is able to manipulate the ATM so that they can unplug the Ethernet cable and connect a device, they are then able to conduct attacks on the network service or man-in-the-middle attacks.
This method worked 85 percent of the time on the tested ATMs, with the researchers finding that: “Sometimes the modem is located outside of the ATM cabinet, so an attacker would not even have to open up the ATM in order to perform modifications.”
The quickest method is also the loudest: Positive Technologies carried out Black Box attacks, which took only 10 minutes to obtain cash from the machine.
A Black Box attack is done by drilling a hole in the side of the ATM case to gain access to the cables connecting the ATM cash box to the ATM OS. A ready-made tool is then connected to the ATM, letting the threat actors withdraw as much cash as they like.
In conclusion, the researchers note that cyberattacks on ATMs will decrease as preventive methods such as up-to-date software and good practice are carried out.
However, they state that the first step is to: “Physically secure the ATM cabinet and surroundings. Exploiting most of the vulnerabilities we found would be impossible without access to the on-board computer and peripheral ports.”