zhu difeng - Fotolia
ATM maker NCR has issued software security updates after researchers reported flaws in encryption of communications between ATM computers and dispensers that could enable attackers to steal cash.
The researchers found that attackers could install obsolete insecure software on the controller of an ATM cash dispenser and issue commands to dispense cash.
Criminals could steal cash in this way by taking advantage of poor physical security to connect a computer to the dispenser, Positive Technologies researchers Vladimir Kononovich and Alexey Stennikov told attendees of the Black Hat USA security conference in Las Vegas.
“Our research indicated that not all requests from the ATM computer to the dispenser were encrypted,” said Alexey Stennikov, head of hardware security analysis at Positive Technologies.
“Instead, encryption was applied only to requests deemed critical by the manufacturer, such as dispensing cash. But some of the so-called non-critical requests can be just as dangerous.”
The first vulnerability, CVE-2017-17668, was caused by insufficient protection of the memory write mechanism in the NCR S1 dispenser controller.
On firmware versions prior to 0x0156, the researchers found that an unauthenticated user could execute arbitrary code, bypass the prohibition on firmware downgrading, and install obsolete firmware versions containing known vulnerabilities.
A similar vulnerability, CVE-2018-5717, was found in the NCR S2 dispenser. Firmware version 0x0108 corrects the issue.
ATM logic attacks using physical or network access have become a frequent occurrence in recent years. According to the European Association for Secure Transactions (East), 114 black box attacks were performed in 11 European countries in the first six months of 2017.
An increase in attacks
Also in 2017, Positive Technologies reported that the number of malware-assisted ATM logic attacks in Europe had increased by 287% in 2016 compared to the previous year. GreenDispenser malware, for example, was used to steal approximately $180,000 from ATMs in Eastern Europe in 2015–2016.
Security experts advise that in order to deal with the wide variety of possible attacks, ATM security measures could be both physical and logical.
Physical security measures include perimeter surveillance, access control, intrusion detection, central monitoring and ensuring that ATMs are well-lit, secure and alarmed locations.
Logical security measures include firewalls, a tracking and monitoring system, encryption technologies, logical access control, fraud detection systems and protection of communication links.
However, in September 2017, Europol issued a warning that cyber attacks on bank cash machines were a growing problem in light of criminal capabilities to access ATMs via bank networks.
The primary goal of ATM malware is to connect to and control peripheral devices inside the ATM to withdraw stored cash and/or collect information from bank customers, according to a report by Europol’s European Cybercrime Centre (EC3) and security firm Trend Micro.