By Shannon Morse from Threatwire 

Positive Technologies, a security company offering vulnerability assessment, compliance management, and threat analysis solutions, did an analysis of many different types of ATMs and found that most of them could be hacked in less than 20 minutes, some in very quick and painless attacks.

Their sample for testing consisted of 26 different ATMs, manufactured by NCR, Diebold Nixdorf, and GRGBanking. All of these ran on some type of Windows operating system, and each had a unique configuration. Attacks depended on a variety of circumstances: the type of connection to the processing center they used, what software was installed, any security measures actually in place, etc. 

The attacks they tried are called logic attacks. These don’t require physically prying cash out of the machine; instead they rely on malware or special hacker devices that can be plugged in to siphon cash in a less physically obtrusive way. It’s a 22-page report that’s pretty fascinating to read, so I’ve linked it below.

Criminals are interested in four components of an ATM: the ATM computer, where they could connect USB devices, connect to the hard drive, and reconfigure the boot mode; the card reader, where an attacker could intercept card data; the network equipment, where the criminal could intercept network traffic, spoof processing, attack network services and devices, connect to the bank or spoof software updates; and the cash dispenser, where a black box could be connected. A black box is a device connected to the ATM that an attacker can send commands to, and it’ll dispense cash. 

The vulnerabilities include insufficient network security, insufficient peripheral security, improper configuration of systems or devices, and vulnerabilities or improper configuration of application control.

At the high end, they found that 100% of the ATMs were vulnerable to a specific attack, which would take 15 minutes. Another hack affected 69% of ATMs and took only 10 minutes. The one that affected all ATMs is an attack on card data, where they could intercept data passing between the OS and the card reader over the USB or COM port using a special serial device. Another attack also worked against all of the ATMs, but this one required installing malware on the machine by changing the boot mode or physically penetrating the device.

The one that took 10 minutes and affected 69% required physical access to the ATM cabinet so an attacker could install a Raspberry Pi-like black box device to dispense cash. In total, they explained well over 10 different attacks they could use on ATMs, and none of them took over 20 minutes. Each attack included recommendations to protect against it, ranging from physical locks to encryption to stronger password security.

Positive Technologies explains that logic attacks on ATMs are on the rise, and banks and consumers lose out on millions of dollars. The first step, of course, is physical security, since most of the attacks involved getting physical access to the internals of an ATM. From there, monitoring security events and reacting to threats is also important.

Link to study: https://www.ptsecurity.com/upload/corporate/ww-en/analytics/ATM-Vulnerabilities-2018-eng.pdf