Defcon, the annual security conference in Las Vegas, has a grand tradition of hacking ATMs: unlocking them with safe-cracking techniques, tricking them to steal customers’ personal information or PINs, creating and improving ATM malware, and, of course, hacking the machine to spit out all of its money. Many of these projects have targeted what are known as retail ATMs — stand-alone units like those you’d find in a gas station or bar. But on Friday, independent researcher Matt Burch will present the results of his research on “financial” or “enterprise” ATMs, the kinds used by banks and other large institutions.
Burch documented six vulnerabilities in Vynamic Security Suite (VSS), a widely deployed security solution from ATM manufacturer Diebold Nixdorf. The company said all of the vulnerabilities have been patched, but an attacker could exploit them to bypass hard drive encryption in unpatched ATMs and gain full control of the machines. Fixes for the bugs exist, but Burch warned that in practice the patches may never be widely deployed, leaving some ATMs and cashout systems at risk.
“The Vynamic Security Suite has a variety of different features, including endpoint protection, USB filtering, and delegated access,” Burch tells WIRED, “but the specific attack surface I’m exploiting is the hard drive encryption module. There are six vulnerabilities in it. The reason is that I identify paths and files to exploit, report them to Diebold, who then fixes the issue, and then I find another way to achieve the same result. These are relatively simple attacks.”
All of the vulnerabilities Burch found were in VSS’s ability to enable disk encryption on the ATM hard drive. Burch said most ATM manufacturers use Microsoft’s BitLocker Windows encryption for this purpose, but Diebold Nixdorf’s VSS uses a third-party integration to perform the integrity check. The system was set up in a dual-boot configuration with both a Linux partition and a Windows partition. Before the operating system boots, the Linux partition runs a signature integrity check to ensure the ATM hasn’t been compromised, and then it boots into Windows and operates as normal.
“The problem is that to do all of this, the system needs to be decrypted, which creates an opportunity for attack,” Burch said. “The fundamental flaw I’m exploiting is that the Linux partition is not encrypted.”
Burch discovered that he could manipulate the location of a critical system validation file to redirect code execution, essentially giving himself control of the ATM.
Diebold Nixdorf spokesman Michael Jacobsen told WIRED that Burch first disclosed his findings to the company in 2022, and that the company had been in contact with Burch about speaking at Defcon. The company said that all of the vulnerabilities Burch presented were addressed with patches in 2022. However, Burch said that it’s his understanding that the company continued to address some of the findings with patches in 2023, as he presented new versions of the vulnerabilities to the company over the past few years. Burch added that he believes Diebold Nixdorf addressed the vulnerabilities at a more fundamental level in April in VSS version 4.4, which encrypts Linux partitions.

