Positive Technologies report: ATMs can be hacked in minutes

Positive Technologies experts tested NCR, Diebold Nixdorf, and GRGBanking ATMs to identify potential risks to banks and their clients

Sixty-nine percent of tested ATMs were vulnerable to Black Box attacks. In this attack, a criminal opens the ATM enclosure, disconnects the cash dispenser from the ATM's computer, and connects a "Black Box" device in its place; the device is programmed to send the dispenser the command to issue banknotes, bypassing the ATM's own software entirely. Performing the entire attack (connecting the device, bypassing security, and collecting the cash) took just 10 minutes on some ATM models, as detailed in the new Positive Technologies report.

Attacks against ATMs have become an increasing concern globally. In January 2018, the U.S. Secret Service, as well as major ATM vendors Diebold Nixdorf and NCR, issued urgent warnings about the threat of attacks on ATMs. According to NCR reports, Black Box attacks were uncovered in Mexico in 2017 and spread to the US in 2018. The first reports of ATM malware attacks date back to 2009, with the discovery of Skimer, a Trojan able to steal funds and bank card data. Since then, logic attacks (attacks on the ATM's software and network rather than on its safe) have become increasingly popular among cybercriminals.

Positive Technologies researchers found that most ATMs (85%) were poorly secured against network attacks such as spoofing the processing center, the bank host that approves or declines each withdrawal. Where the link between the ATM and the processing center lacks proper encryption and authentication, a criminal who can reach that link could interfere with the transaction confirmation process and fake a response from the processing center in order to approve every withdrawal request or increase the number of banknotes to dispense. The report also describes scenarios involving attacks on GSM modems connected to ATMs. An attacker who obtains access to a GSM modem could use it to attack other ATMs on the same network and even the internal network of the bank.
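The following is an added example, not code from the report or from any ATM vendor, showing why an unauthenticated authorization response is spoofable and what a minimal fix looks like. The message format, field names and the shared key are constructed for illustration and do not correspond to any real ATM or processing-center protocol; a production deployment would additionally run the exchange over an authenticated, encrypted channel and log every mismatch.

```python
import hashlib
import hmac
import json
import os

# Constructed example: a toy authorization exchange between an ATM and its
# processing center. The field names and the key are assumptions; real hosts
# use vendor-specific protocols and keys provisioned through an HSM.
SHARED_KEY = b"example-key-provisioned-out-of-band"  # assumption, not a real key


def naive_accept(response: dict) -> bool:
    """Insecure check: dispenses on any message that claims approval.

    Anyone who can inject traffic on the ATM's network link can craft this.
    """
    return response.get("status") == "APPROVED"


def build_request(card_token: str, amount: int) -> dict:
    """ATM side: each request carries a fresh nonce the host must echo back."""
    return {"card": card_token, "amount": amount, "nonce": os.urandom(16).hex()}


def canonical(msg: dict) -> bytes:
    """Deterministic serialization so both sides MAC identical bytes."""
    return json.dumps(msg, sort_keys=True, separators=(",", ":")).encode()


def host_respond(request: dict, approve: bool, key: bytes = SHARED_KEY) -> dict:
    """Processing-center side: answer and bind the answer to this request."""
    body = {
        "nonce": request["nonce"],
        "amount": request["amount"],
        "status": "APPROVED" if approve else "DECLINED",
    }
    tag = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    return {**body, "mac": tag}


def verified_accept(request: dict, response: dict, key: bytes = SHARED_KEY) -> bool:
    """ATM side: dispense only if the response is authentic and matches the request.

    Rejects forged responses (no valid MAC), tampered ones (amount changed after
    signing) and replays (a genuine approval for a different request).
    """
    tag = response.get("mac")
    if not isinstance(tag, str):
        return False  # unauthenticated message: treat as spoofed
    body = {k: v for k, v in response.items() if k != "mac"}
    expected = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return False  # forged or modified in transit
    if body.get("nonce") != request["nonce"] or body.get("amount") != request["amount"]:
        return False  # replayed or cross-request response
    return body.get("status") == "APPROVED"


if __name__ == "__main__":
    req = build_request("card-token-0001", 100)
    genuine = host_respond(req, approve=True)
    forged = {"nonce": req["nonce"], "amount": req["amount"], "status": "APPROVED"}
    print("naive accepts forged response:   ", naive_accept(forged))
    print("verified accepts forged response:", verified_accept(req, forged))
    print("verified accepts genuine response:", verified_accept(req, genuine))
```

The decisive property is that the MAC covers the nonce and the amount, so a criminal who can see or inject traffic cannot mint an approval, raise the banknote count on a genuine one, or reuse a past approval against a new request, without the key.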

A failure to implement hard drive encryption makes 92 percent of ATMs vulnerable to a number of attacks. An attacker with physical access could connect directly to the ATM hard drive (by removing it or booting the ATM from external media) and, if the contents are not encrypted, modify the file system offline to plant malware and disable security mechanisms. As a result, the attacker can control the cash dispenser once the ATM boots again.

Exiting kiosk mode was possible on 76 percent of tested ATMs. Kiosk mode is what confines an ordinary user to the ATM application; once those restrictions are bypassed, an attacker can run arbitrary commands in the ATM operating system. Positive Technologies experts estimated the time necessary for this attack at 15 minutes, and even less for well-prepared attackers who make use of automation.

Leigh-Anne Galloway, cyber security resilience lead at Positive Technologies, said: "Our research shows that most ATMs have no restrictions to stop connection of unknown hardware devices. So an attacker can connect a keyboard or other devices to imitate user input. On most ATMs, there is no prohibition on some of the common key combinations used to access OS functions. What’s more, local security policies were frequently misconfigured or absent entirely. On 88 percent of ATMs, Application Control solutions could be bypassed due to poor whitelisting and vulnerabilities (some of them zero-day) contained in this very same Application Control software."

"Although ATM owners bear the brunt of the threat from logic attacks, bank clients may fall victim as well. In our security work, we constantly uncover vulnerabilities related to network security, improper configuration, and poor protection of peripherals. These flaws allow criminals to steal ATM cash and obtain card information. To reduce the risk of attack and expedite threat response, the first step is to physically secure ATMs, as well as implement logging and monitoring of security events on the ATM and related infrastructure. Regular security analysis of ATMs is important for timely detection and remediation of vulnerabilities."