Serious Flaws Found in ATMs of German Bank

Researcher Finds Information Disclosure and Hardware Misconfiguration Flaws in ATMs Used by German Bank


German savings bank Sparkasse has started patching its ATMs and self-service terminals after a researcher discovered that the machines can be tricked into revealing a lot of sensitive information during software updates.

The issue was discovered by Benjamin Kunz-Mejri, CEO and founder of Germany-based security firm Vulnerability Lab. The researcher was using a Sparkasse terminal when the machine suddenly ejected his card and changed its status to “temporarily not available.”

Interacting with the device caused a Windows command prompt showing details of an update process to appear on the screen. That’s when the researcher realized that the terminal had become temporarily unavailable because it was performing a software update.

Software updates are normally conducted in the background, but as Kunz-Mejri discovered, the progress and details of the update process can be made visible by interacting with the device. The researcher described his interaction with the machine as a “timing attack,” but he did not want to disclose additional details in order to prevent abuse.

When he discovered the vulnerability, Kunz-Mejri recorded a video of the information displayed on the terminal’s command prompt screen. After reviewing the recording, he determined that the update process exposed a lot of sensitive information, including the bank’s main system branch usernames, serial numbers, firewall settings, network information, device IDs, ATM settings, and two system passwords.

The researcher also found that the self-service terminal’s keyboard was not disabled while the update was performed. Since these devices have a full keyboard, an attacker can execute system commands via the available command prompt on the underlying Windows operating system. The expert also noted that his interaction with the machine had caused the card reader to remain available and usable for other operations.

The tested devices are manufactured by Wincor Nixdorf, a German company that manufactures, sells, installs and services retail and banking hardware and software. The affected ATMs and self-service terminals are running Windows 7 and Windows XP operating systems, Vulnerability Lab said.

In an advisory provided to SecurityWeek, Vulnerability Lab described several possible attack scenarios. In one scenario, the attacker records the information displayed on the screen during the update process and uses it to perform a man-in-the-middle (MitM) attack on the targeted bank’s local network. It’s worth noting that the attacker would require access to the local network in the bank’s building to conduct such an attack.


An attacker who can gain access to the local network can also use the exposed information to reconfigure the ATM with a rogue update that is made to look like it’s coming from the service provider’s servers, the security firm said.

Researchers also believe an attacker could conduct fraudulent transactions by tampering with the ATM in an effort to crash it and corrupt its logging or debugging mechanism.

If fraudsters can determine the time and date of update schedules, they can conduct a larger, coordinated attack targeting multiple ATMs and self-service terminals, and use the obtained information in future operations, Vulnerability Lab has warned.

According to Vulnerability Lab, it takes 17 minutes to record all the information displayed on the screen.

While only machines used by Sparkasse have been tested, the security firm believes other banks that use Wincor Nixdorf ATMs and self-service terminals might be affected as well.

Sparkasse and Wincor Nixdorf have not responded to SecurityWeek’s request for comment.

The information disclosure and hardware misconfiguration flaws were first reported to Sparkasse’s Security and Data Protection team in May, and the existence of the issues was confirmed shortly after the vulnerability report reached the bank’s Finance Security Center in Frankfurt, Vulnerability Lab said.

The organization has already rolled out updates that address the vulnerabilities to some of its ATMs in the German city of Kassel (Hessen) as part of a pilot program. The update will be installed in other regions after the new configuration is tested properly, Vulnerability Lab said.

Sparkasse has thanked Kunz-Mejri for his effort and awarded him an undisclosed amount of money, documents seen by SecurityWeek show. Kunz-Mejri says this is the first time a German bank has acknowledged a security researcher for finding vulnerabilities in self-service terminals and ATMs.

Incidents involving hacked ATMs are not unheard of in Germany. Last week, Berlin Police announced that they are looking for a man who illegally withdrew cash from two ATMs using a USB stick that he connected to the devices after unscrewing their front panel. This technique has been known for several years.

The suspect was caught on video and investigators have released a couple of photos in hopes that someone will identify him.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
