Flaws in encryption of communications between ATM computer and dispenser enabled attackers to steal cash
Positive Technologies experts Vladimir Kononovich and Alexey Stennikov have presented the results of their vulnerability research at the Black Hat USA security conference in Las Vegas. They discovered a method by which attackers could install obsolete insecure software on the controller of an ATM cash dispenser. As a result, a black box attack could cause the dispenser to issue cash. To do so, an attacker would take advantage of poor physical security to connect a single-board computer to the dispenser and then issue a command to dispense cash. NCR has now released patches addressing the vulnerabilities.
Alexey Stennikov, Head of Hardware Security Analysis at Positive Technologies, said: “Our research indicated that not all requests from the ATM computer to the dispenser were encrypted. Instead, encryption was applied only to requests deemed critical by the manufacturer, such as dispensing cash. But some of the so-called non-critical requests can be just as dangerous.”
The first vulnerability, CVE-2017-17668, was caused by insufficient protection of the memory write mechanism in the NCR S1 dispenser controller. On firmware versions prior to 0x0156, an unauthenticated user can execute arbitrary code, bypass the prohibition on firmware downgrading, and install obsolete firmware versions containing known vulnerabilities.
A similar vulnerability, CVE-2018-5717, was found in the NCR S2 dispenser. Firmware version 0x0108 corrects the issue.
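The policy flaw described above, as an added example that is not code from Positive Technologies or NCR: a toy dispenser-side command handler in C that contrasts authenticating only "critical" commands with authenticating every command and keeping the anti-rollback floor monotonic. The command set, the field names and the modelling of the memory write as a write to a version floor are assumptions made for illustration; 0x0100 is a constructed version number.

```c
#include <stdbool.h>
#include <stdint.h>

/* Toy command set, assumed for illustration; not NCR's real protocol. */
enum cmd { CMD_STATUS, CMD_MEM_WRITE, CMD_FW_UPDATE, CMD_DISPENSE };
enum result { OK, ERR_AUTH, ERR_ROLLBACK };

struct request {
    enum cmd cmd;
    bool authenticated;   /* request passed the session's crypto check */
    uint16_t value;       /* new floor (MEM_WRITE) or image version (FW_UPDATE) */
};

struct controller {
    uint16_t fw_version;  /* installed firmware version */
    uint16_t min_version; /* anti-rollback floor, held in writable memory */
};

/* harden=false: only "critical" commands are authenticated (the flawed policy).
 * harden=true: every command is authenticated and the floor can only rise. */
enum result handle(struct controller *c, const struct request *r, bool harden) {
    bool needs_auth = harden || r->cmd == CMD_DISPENSE;
    if (needs_auth && !r->authenticated) return ERR_AUTH;
    switch (r->cmd) {
    case CMD_MEM_WRITE:   /* stand-in for a raw write that can reach the floor */
        if (harden && r->value < c->min_version) return ERR_ROLLBACK;
        c->min_version = r->value;
        return OK;
    case CMD_FW_UPDATE:   /* refuse any image older than the floor */
        if (r->value < c->min_version) return ERR_ROLLBACK;
        c->fw_version = r->value;
        return OK;
    default: return OK;
    }
}

/* Replays two unauthenticated requests; returns the version left installed. */
uint16_t replay_unauthenticated(bool harden) {
    struct controller c = { 0x0156, 0x0156 };  /* 0x0156 is the version named on the page */
    struct request lower = { CMD_MEM_WRITE, false, 0x0100 };  /* constructed value */
    struct request flash = { CMD_FW_UPDATE, false, 0x0100 };
    handle(&c, &lower, harden);
    handle(&c, &flash, harden);
    return c.fw_version;
}

int main(void) {  /* exits 0 when the hardened policy keeps the installed version */
    return replay_unauthenticated(true) == 0x0156 ? 0 : 1;
}
```

Under the flawed policy the unauthenticated "non-critical" write is what makes the later downgrade pass its version check, which is why the hardened handler treats every command as security-relevant.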
ATM logic attacks leveraging physical or network access have become a frequent occurrence in recent years. According to European Association for Secure Transactions (EAST) data, 114 black box attacks were performed in 11 European countries in the first six months of 2017. Also in 2017, Positive Technologies experts reported that the number of malware-based ATM logic attacks in Europe had increased by 287 percent in 2016 compared to the prior year. GreenDispenser malware, for example, was used to steal approximately $180,000 from ATMs in Eastern Europe in 2015–2016. At Positive Hack Days 8 in 2018, the Leave ATM Alone hands-on contest gave participants the opportunity to probe modern ATMs for vulnerabilities of various types, including weak encryption.