Hacking ATMs: A Defcon Tradition Unveiled
At the annual Defcon security conference in Las Vegas, hacking ATMs has become a long-standing tradition. Researchers have showcased various techniques, such as safecracking, rigging ATMs to steal users’ personal data and PINs, creating ATM malware, and even making the machines dispense all their cash. While many of these exploits target retail ATMs found in gas stations or bars, independent researcher Matt Burch is focusing on the more sophisticated “financial” or “enterprise” ATMs used in banks and large institutions.
Discovering Vulnerabilities in Vynamic Security Suite
Burch is set to present findings on six vulnerabilities within Diebold Nixdorf’s widely used security solution, Vynamic Security Suite (VSS). These vulnerabilities, which the company claims have been patched, could potentially allow attackers to bypass an ATM’s hard drive encryption and gain full control over the machine. However, Burch warns that, despite the availability of patches, not all ATMs may have been updated, leaving some machines and cash-out systems vulnerable.
The Attack Surface: Hard Drive Encryption Module
“Vynamic Security Suite performs a variety of functions, including endpoint protection, USB filtering, and delegated access,” Burch explained to WIRED. “But the specific attack vector I’m exploiting is the hard drive encryption module. I discovered six vulnerabilities by identifying exploitable paths and files, reporting them to Diebold, receiving a patch, and then finding another way to achieve the same outcome. These attacks are relatively simplistic.”
How the Vulnerabilities Work
The vulnerabilities Burch identified pertain to VSS’s disk encryption function for ATM hard drives. While most ATM manufacturers rely on Microsoft’s BitLocker Windows encryption, Diebold Nixdorf’s VSS integrates a third-party solution for an integrity check. The system uses a dual-boot setup with both Linux and Windows partitions. Before the operating system boots, the Linux partition conducts a signature integrity check to ensure the ATM hasn’t been tampered with, then transitions to Windows for normal operation.
“The issue is that during this process, the system is decrypted, creating a window of opportunity,” Burch noted. “The core flaw I’m exploiting is the unencrypted Linux partition.”
Exploiting the Vulnerabilities
Burch discovered that by manipulating the location of critical system validation files, he could redirect code execution and gain control over the ATM.
Diebold Nixdorf’s Response and Future Concerns
Diebold Nixdorf spokesperson Michael Jacobsen confirmed that Burch first disclosed these findings to the company in 2022, and they have been in contact with him about his Defcon presentation. The company asserts that the vulnerabilities were addressed with patches in 2022, and additional updates were made as Burch continued to report new versions of the vulnerabilities over the years. In April, VSS version 4.4 was released, which Burch believes addresses the vulnerabilities more fundamentally by encrypting the Linux partition.
Ongoing Challenges and the Future of ATM Security
Despite these efforts, Burch suggests that similar vulnerabilities could still potentially be exploited, though doing so has become significantly more challenging. He also points out that updating enterprise ATMs requires substantial infrastructure work, and it’s likely that some ATMs are still running outdated versions of VSS.
Jacobsen emphasized that Diebold Nixdorf is working to ensure customers are using the latest versions of the software. He also cautioned against assuming that switching to an alternative disk encryption like Microsoft BitLocker would be a viable solution, as it might not address the specific vulnerabilities in ATM environments.
Conclusion
The ongoing threat of ATM cash-out attacks, which often require physical access to the machines, continues to be a concern. These attacks typically involve gaining access to the ATM, removing the hard drive, and altering its contents—a process that, though challenging, is feasible for those trained in the method. As long as criminals profit from these exploits, discussions about the next frontiers of ATM hacking will remain a staple at conferences like Defcon.