Cybersecurity and Your ATM
Everyone loves money. This allows us a certain level of freedom for the items we use, where we would like to travel, gifts to our friends, and a level of comfort for the future. They say cash is king, and certainly, during this time period, it has tended to be. One piece of equipment that holds a mass amount of cash is the ATM. People have dreamed of simply walking by and money flying out at them. As bizarre as this sounds, these attacks have been part of the proof-of-concept since at least 2010. The history lesson begins with Black Hat in 2010. Barnaby Jack’s presentation showed two different methods to the jackpot, or direct the ATM to spew out the bills it contained. One of the attacks was done over the internet and the other required hardware access through the front of the machine. The audience was naturally excessively impressed by his expertise. At the time he was the Director of Security Research at IOActive Labs. Over the years, the research continued and other methods to jackpot the ATMs were found and published.
The new attack is focused on the Diebold Nixdorf machines. Diebold Nixdorf made $3.3B from ATM sales and the associated service plans in 2019. This is one of the favored and notable manufacturers for ATM machines.
New Attack
Well, there is a new ATM attack in town. This does not work on all ATMs. The attackers have been using the new method against Diebold’s ProCash 2050xe USB terminals. The newly published attack utilizes a black box applying proprietary code to the attack surface in the ATM. The code is from the ATM manufacturer (Diebold). The attackers have to connect the black box to the ATM to complete the attack. This is done through unlocking the ATM chassis, drilling holes into the chassis at selected points, or otherwise physically bypassing the physical security. At this point, the attacker would plug their patch cord into the CMD-V4 dispenser in the place of the cord already plugged in. At this point, the ATM pwned as the attacker issues the malicious dispense commands.
The end result is for the cash to flow from the machine to the attackers, who are not authorized to receive the money. Depending on the inventory held in the ATM, this could be as many as 40 bills every 23 seconds or $800/23 seconds if the machine only holds $20’s.
From what is known, the attacks appear to use a portion of the ATM software stack. It isn’t known for certain how the attackers were able to gain access to the code, as the software is proprietary and anyone isn’t able to simply goto Dr. Google and download it. They may have, however, gained the requisite information from an unencrypted hard drive that was unaccounted for.
PoC or not?
By noting an attack is workable and potentially viable is one thing. To show this and also show where this has been done outside of the lab in the real world is another issue completely. In this case, this attack has been used across Europe.
Mitigations
All is not lost and there does not need to be a 24-hour security guard at these specifically affected machines. Diebold has provided mitigations for this and urgently recommended their customers verify if these were in place yet. These include using the firmware version 2011 or later for CMD V4, enabling the firmware fuse, secure encryption handling, enhanced keystore format, 3DES encryption, and verify this encryption is active and verify this is actually being done. The document from Diebold is very helpful in the implementation.
Potential
Yes, indeed this is a viable attack and not just a lab exercise. This, however, would need to be done is a very limited scope of potential events. After all, if one of these was in the mall, someone isn’t going to waltz up at noon on a Saturday and gingerly pry open the front of the ATM and hope no one notices or calls law enforcement, or better yet drill through the aluminum plating several times and thread a patch cord through a hole. There is always the key to unlock the ATM, however, this would probably appear a bit fishy also as the attackers plug in the cord to the machine. If the machine were to be outside, perhaps the attack could be done in the darkness. The issue with this is there are cameras everywhere in the environment. The attackers probably would be recorded, and they also run the risk of law enforcement stopping by.
It is also notable that the black box does not need to be a 13-inch monitor laptop. This could be built with an Arduino or Raspberry Pi. The housing for these is also very small comparatively. While this would indeed appear a little odd to the shoppers in our scenario or others, the hardware is easily hidden and manipulated.
Resources
Diebold Nixdorf. (2020, July 15). 020-27/0003-Jackpotting with black box in Europe. Retrieved from https://dd80b675424c132b90b3-e48385e382d2e5d17821a5e1d8e4c86b.ssl.cf1.rackcdn.com/external/diebold-nixdorf-security-alert-2.pdf
Diebold Nixdorf. (n.d.). Cyber attacks are on the rise. Find out how you can protect your network comprehensively. Retrieved from https://www.dieboldnixdorf.com/-/media/diebold/files/banking/insights/brochures/dn_brochure_security-jackpotting-overview_fa_20181005.pdf
Goodin, D. (2020, July 20). Crooks have acquired proprietary diebold software to “jackpot” ATMs. Retrieved from https://arstechnica.com/information-technology/2020/07/crooks-are-using-a-new-way-to-jackpot-atms-made-by-diebold/
ThreatPost. (2020, July 21). Diebold ATM terminals jackpotted using machine’s own software. Retrieved from https://www.newsbreak.com/news/1604274576845/diebold-atm-terminals-jackpotted-using-machines-own-software and https://www.thetechstreetnow.com/tech/diebold-atm-terminals-jackpotted-using-machines-own-software/1305153191397515153/1305153191397515153/ and https://threatpost.com/diebold-atm-terminals-jackpotted-using-machines-own-software/157575/
Zetter, K. (2010, July 20). Researcher demonstrates ATM ‘jackpotting’ at black hat conference. Retrieved from https://www.wired.com/2010/07/atms-jackpotted/
About the Author - Charles Parker, II has been working in the info sec field for over a decade, performing pen tests, vulnerability assessments, consulting with small- to medium-sized businesses to mitigate and remediate their issues, and preparing IT and info sec policies and procedures. Mr. Parker’s background includes work in the banking, medical, automotive, and staffing industries.