Security researchers with Positive Technologies have published information on a couple of vulnerabilities in Diebold Nixdorf ATMs that could have allowed for an attacker to replace the firmware on the system and withdraw cash.
Tracked as CVE-2018-9099 and CVE-2018-9100, the flaws were identified in the CMD-V5 and RM3/CRS dispensers – one in each device – of the Wincor Cineo ATMs and were addressed a couple of years ago. Diebold acquired Wincor Nixdorf in 2016 and the companies later merged.
During research sanctioned by the vendor, Positive Technologies discovered that, while the ATMs had in place a series of security measures meant to prevent blackbox attacks, such as end-to-end encrypted communication with the cash dispenser, it was actually possible to work around these.
Specifically, the researchers figured out the command encryption between the ATM computer and the cash dispenser, bypassed it, replaced the ATM firmware with an outdated one, and exploited the vulnerabilities to tell the system to spew cash.
While encryption is used to prevent blackbox attacks, the researchers discovered that an attacker could actually extract the keys used for encryption and then forge their own firmware to load on the compromised ATM.
The system performs firmware integrity checks as an additional protection step, but the researchers were able to identify the components involved in the check process in the code responsible for verifying the firmware signature and in the firmware, “namely the public key and the signed data itself.”
“As a signature verification algorithm, RSA was used with an exponent equal to 7, and the bit count of the key was determined by the size of the public part N. It turned out that if you fitted into the offsets at which the signature and public key were written, you could set almost any length,” Positive Technologies explains.
Before being able to withdraw cash from the ATM, an attacker also needed to find a way to send commands to the dispenser and to specify the amount of money in each cassette.
Diebold Nixdorf, which issued patches for these vulnerabilities in 2019, recommends enabling physical authentication when an operator performs firmware installation, to further prevent unauthorized access. Earlier this year, the vendor warned of an uptick in jackpotting attacks on RM3-based Cineo systems in Europe.
Related: France Says Breaks Up International ATM ‘Jackpotting’ Network
Related: Driver Vulnerabilities Facilitate Attacks on ATMs, PoS Systems
Related: The Latest Threats to ATM Security
More from Ionut Arghire
- Blackpoint Raises $190 Million to Help MSPs Combat Cyber Threats
- ‘Asylum Ambuscade’ Group Hit Thousands in Cybercrime, Espionage Campaigns
- Google Cloud Now Offering $1 Million Cryptomining Protection
- Pharmaceutical Giant Eisai Takes Systems Offline Following Ransomware Attack
- North Korean Hackers Blamed for $35 Million Atomic Wallet Crypto Theft
- Cisco Patches Critical Vulnerability in Enterprise Collaboration Solutions
- Android’s June 2023 Security Update Patches Exploited Arm GPU Vulnerability
- US, Israel Provide Guidance on Securing Remote Access Software
Latest News
- In Other News: AI Regulation, Layoffs, US Aerospace Attacks, Post-Quantum Encryption
- Blackpoint Raises $190 Million to Help MSPs Combat Cyber Threats
- Google Introduces SAIF, a Framework for Secure AI Development and Use
- ‘Asylum Ambuscade’ Group Hit Thousands in Cybercrime, Espionage Campaigns
- Evidence Suggests Ransomware Group Knew About MOVEit Zero-Day Since 2021
- SaaS Ransomware Attack Hit Sharepoint Online Without Using a Compromised Endpoint
- Google Cloud Now Offering $1 Million Cryptomining Protection
- Democrats and Republicans Are Skeptical of US Spying Practices, an AP-NORC Poll Finds
