Virtual Event: Threat Detection and Incident Response Summit - Watch Sessions
Connect with us

Hi, what are you looking for?



Diebold Nixdorf ATM Flaws Allowed Attackers to Modify Firmware, Steal Cash

Security researchers with Positive Technologies have published information on a couple of vulnerabilities in Diebold Nixdorf ATMs that could have allowed for an attacker to replace the firmware on the system and withdraw cash.

Security researchers with Positive Technologies have published information on a couple of vulnerabilities in Diebold Nixdorf ATMs that could have allowed for an attacker to replace the firmware on the system and withdraw cash.

Tracked as CVE-2018-9099 and CVE-2018-9100, the flaws were identified in the CMD-V5 and RM3/CRS dispensers – one in each device – of the Wincor Cineo ATMs and were addressed a couple of years ago. Diebold acquired Wincor Nixdorf in 2016 and the companies later merged.

During research sanctioned by the vendor, Positive Technologies discovered that, while the ATMs had in place a series of security measures meant to prevent blackbox attacks, such as end-to-end encrypted communication with the cash dispenser, it was actually possible to work around these.

Specifically, the researchers figured out the command encryption between the ATM computer and the cash dispenser, bypassed it, replaced the ATM firmware with an outdated one, and exploited the vulnerabilities to tell the system to spew cash.

While encryption is used to prevent blackbox attacks, the researchers discovered that an attacker could actually extract the keys used for encryption and then forge their own firmware to load on the compromised ATM.

The system performs firmware integrity checks as an additional protection step, but the researchers were able to identify the components involved in the check process in the code responsible for verifying the firmware signature and in the firmware, “namely the public key and the signed data itself.”

“As a signature verification algorithm, RSA was used with an exponent equal to 7, and the bit count of the key was determined by the size of the public part N. It turned out that if you fitted into the offsets at which the signature and public key were written, you could set almost any length,” Positive Technologies explains.

Advertisement. Scroll to continue reading.

Before being able to withdraw cash from the ATM, an attacker also needed to find a way to send commands to the dispenser and to specify the amount of money in each cassette.

Diebold Nixdorf, which issued patches for these vulnerabilities in 2019, recommends enabling physical authentication when an operator performs firmware installation, to further prevent unauthorized access. Earlier this year, the vendor warned of an uptick in jackpotting attacks on RM3-based Cineo systems in Europe.

Related: France Says Breaks Up International ATM ‘Jackpotting’ Network

Related: Driver Vulnerabilities Facilitate Attacks on ATMs, PoS Systems

Related: The Latest Threats to ATM Security

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.