The majority of prior versions of ATMs were vulnerable to black-box assaults. In such attacks, a hacker connects to the ATM via a computer or a mobile device and transmits a particular code to the ATM, causing it to disburse money. According to a 2018 study by Positive Technologies, 69 percent of ATMs are vulnerable to such assaults and can be hacked in minutes. Wincor Cineo ATMs, for example, feature built-in protection against black-box assaults. End-to-end encryption between the ATM computer and the dispenser provides this level of security. The dispenser receives encrypted commands from the computer. Without the encryption keys stored on the ATM computer, a hacker cannot withdraw money.
“In the instance of Wincor Cineo, we were able to figure out the command encryption used in the connection between the PC and the controller, and circumvent the protection against black-box attacks,” explains Vladimir Kononovich, Senior Specialist of ICS Security at Positive Technologies. “We purchased the exact dispensing controller used in Wincor ATMs from a famous website. We were able to connect to an ATM using our own computer (like in a conventional black-box assault), overcome the encryption, and make a cash withdrawal due to bugs in the controller code and antiquated encryption keys. The attack scenario now consists of three steps: connecting a computer to an ATM, loading insecure and obsolete firmware, and exploiting the flaws in the safe to gain access to the cassettes inside.”
Some manufacturers, according to Vladimir Kononovich, focus on security via obscurity, using proprietary protocols that have been little explored with the purpose of making it difficult for attackers to obtain equipment and uncover flaws in such devices. However, our research demonstrates that such equipment, which can be utilised by criminal groups, is not difficult to find and analyse on the open market.
The CVSSv3.0 score for both vulnerabilities was 6.8. CVE-2018-9099 was discovered in the CMD-V5 dispenser’s firmware (all versions up to and including 141128 1002 CD5 ATM.BTR and 170329 2332 CD5 ATM.FRM). The second vulnerability, CVE-2018-9100, was discovered in the RM3/CRS dispenser’s firmware (all versions up to and including 41128 1002 RM3 CRS.BTR and 170329 2332 RM3 CRS.FRM).
Credit card companies must obtain the most recent firmware update from ATM makers to resolve the flaws. Furthermore, the seller should allow physical authentication for the operator during firmware installation as an extra security measure.
Vladimir Kononovich will speak about the discovered flaws at the Hardwear.io hardware security conference in the Netherlands on October 29.
Positive Technologies experts assisted in the elimination of vulnerabilities in ATMs made by another large manufacturer, NCR, in 2018.
1-Alexey Stennikov is a freelance researcher at the moment.
2-The cash dispensing cassettes are controlled by a dispenser. It is a complex automated mechanism controlled by the controller and positioned in the bottom, more secure area of the ATM (safe). An attacker’s most crucial target is a dispenser.