Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Diebold Nixdorf ATM Flaws Allowed Attackers to Modify Firmware, Steal Cash

Security researchers with Positive Technologies have published information on a couple of vulnerabilities in Diebold Nixdorf ATMs that could have allowed for an attacker to replace the firmware on the system and withdraw cash.

Security researchers with Positive Technologies have published information on a couple of vulnerabilities in Diebold Nixdorf ATMs that could have allowed for an attacker to replace the firmware on the system and withdraw cash.

Tracked as CVE-2018-9099 and CVE-2018-9100, the flaws were identified in the CMD-V5 and RM3/CRS dispensers – one in each device – of the Wincor Cineo ATMs and were addressed a couple of years ago. Diebold acquired Wincor Nixdorf in 2016 and the companies later merged.

During research sanctioned by the vendor, Positive Technologies discovered that, while the ATMs had in place a series of security measures meant to prevent blackbox attacks, such as end-to-end encrypted communication with the cash dispenser, it was actually possible to work around these.

Specifically, the researchers figured out the command encryption between the ATM computer and the cash dispenser, bypassed it, replaced the ATM firmware with an outdated one, and exploited the vulnerabilities to tell the system to spew cash.

While encryption is used to prevent blackbox attacks, the researchers discovered that an attacker could actually extract the keys used for encryption and then forge their own firmware to load on the compromised ATM.

The system performs firmware integrity checks as an additional protection step, but the researchers were able to identify the components involved in the check process in the code responsible for verifying the firmware signature and in the firmware, “namely the public key and the signed data itself.”

“As a signature verification algorithm, RSA was used with an exponent equal to 7, and the bit count of the key was determined by the size of the public part N. It turned out that if you fitted into the offsets at which the signature and public key were written, you could set almost any length,” Positive Technologies explains.

Before being able to withdraw cash from the ATM, an attacker also needed to find a way to send commands to the dispenser and to specify the amount of money in each cassette.

Advertisement. Scroll to continue reading.

Diebold Nixdorf, which issued patches for these vulnerabilities in 2019, recommends enabling physical authentication when an operator performs firmware installation, to further prevent unauthorized access. Earlier this year, the vendor warned of an uptick in jackpotting attacks on RM3-based Cineo systems in Europe.

Related: France Says Breaks Up International ATM ‘Jackpotting’ Network

Related: Driver Vulnerabilities Facilitate Attacks on ATMs, PoS Systems

Related: The Latest Threats to ATM Security

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this event as we dive into threat hunting tools and frameworks, and explore value of threat intelligence data in the defender’s security stack.

Register

Learn how integrating BAS and Automated Penetration Testing empowers security teams to quickly identify and validate threats, enabling prompt response and remediation.

Register

People on the Move

Wendi Whitmore has taken the role of Chief Security Intelligence Officer at Palo Alto Networks.

Phil Venables, former CISO of Google Cloud, has joined Ballistic Ventures as a Venture Partner.

David Currie, former CISO of Nubank and Klarna, has been appointed CEO of Vaultree.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.