Security researchers with Positive Technologies have published information on a couple of vulnerabilities in Diebold Nixdorf ATMs that could have allowed for an attacker to replace the firmware on the system and withdraw cash.
Tracked as CVE-2018-9099 and CVE-2018-9100, the flaws were identified in the CMD-V5 and RM3/CRS dispensers – one in each device – of the Wincor Cineo ATMs and were addressed a couple of years ago. Diebold acquired Wincor Nixdorf in 2016 and the companies later merged.
During research sanctioned by the vendor, Positive Technologies discovered that, while the ATMs had in place a series of security measures meant to prevent blackbox attacks, such as end-to-end encrypted communication with the cash dispenser, it was actually possible to work around these.
Specifically, the researchers figured out the command encryption between the ATM computer and the cash dispenser, bypassed it, replaced the ATM firmware with an outdated one, and exploited the vulnerabilities to tell the system to spew cash.
While encryption is used to prevent blackbox attacks, the researchers discovered that an attacker could actually extract the keys used for encryption and then forge their own firmware to load on the compromised ATM.
The system performs firmware integrity checks as an additional protection step, but the researchers were able to identify the components involved in the check process in the code responsible for verifying the firmware signature and in the firmware, “namely the public key and the signed data itself.”
“As a signature verification algorithm, RSA was used with an exponent equal to 7, and the bit count of the key was determined by the size of the public part N. It turned out that if you fitted into the offsets at which the signature and public key were written, you could set almost any length,” Positive Technologies explains.
Before being able to withdraw cash from the ATM, an attacker also needed to find a way to send commands to the dispenser and to specify the amount of money in each cassette.
Diebold Nixdorf, which issued patches for these vulnerabilities in 2019, recommends enabling physical authentication when an operator performs firmware installation, to further prevent unauthorized access. Earlier this year, the vendor warned of an uptick in jackpotting attacks on RM3-based Cineo systems in Europe.
Related: France Says Breaks Up International ATM ‘Jackpotting’ Network
Related: Driver Vulnerabilities Facilitate Attacks on ATMs, PoS Systems
Related: The Latest Threats to ATM Security
