Artificial Intelligence | News | Insights | AiThority

Positive Technologies Demonstrates How Attackers Could Hack Diebold Nixdorf ATMs

Positive Technologies researchers Vladimir Kononovich and Alexey Stennikov have discovered vulnerabilities in Wincor Cineo ATMs with the RM3 and CMD-V5 dispensers (Wincor is currently owned by Diebold Nixdorf). With access to the dispenser controller’s USB port, an attacker can install an outdated or modified firmware version (for example, with disabled encryption) to bypass the encryption and make cash withdrawals. Diebold Nixdorf has more than 1 million of its ATMs installed worldwide, which makes it the largest ATM manufacturer with a 32 percent share of the global market.

Most previous generations of ATMs could not withstand black-box attacks. In such attacks, a hacker connects to the dispenser via a computer or a mobile device and sends a special code to the dispenser, which results in the ATM dispensing money. In research performed by Positive Technologies in 2018, 69 percent of ATMs turned out to be vulnerable to such attacks and could be hacked in minutes. Modern ATMs, including Wincor Cineo, have built-in protection against black-box attacks. This protection is achieved by using end-to-end encryption between the ATM computer and the dispenser. The computer sends encrypted commands to the dispenser, and a hacker cannot withdraw money without the encryption keys stored on the ATM computer.



Vladimir Kononovich, Senior Specialist of ICS Security at Positive Technologies, says: “In the case of Wincor Cineo, we managed to figure out the command encryption used in the interaction between the PC and the controller, and bypass the protection against black-box attacks. At a popular website, we bought the same dispensing controller as the one used in Wincor’s ATMs. Bugs in the controller code and old encryption keys allowed us to connect to an ATM using our own computer (as in a classic black-box attack), bypass the encryption, and make a cash withdrawal. Currently, the attack scenario consists of three steps: connecting a computer to an ATM, loading outdated and vulnerable firmware, and exploiting the vulnerabilities to access the cassettes inside the safe.”

According to Vladimir Kononovich, some manufacturers rely on security through obscurity, with proprietary protocols that are poorly studied and with the goal of making it difficult for attackers to procure equipment to find vulnerabilities in such devices. However, our research shows that such equipment is not difficult to find on the open market and analyze, which criminal groups can take advantage of.
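
The firmware step described above works only when a controller accepts an image that is older than the one it already runs, or one that has been altered. As an added illustration (not code from Positive Technologies or Diebold Nixdorf), the sketch below shows an update check that authenticates the image and enforces a version floor. The image layout, the `Controller` class and the key are constructed for this example, and HMAC-SHA256 stands in for the asymmetric vendor signature a real device would verify.

```python
import hashlib
import hmac
import struct

# Constructed image layout (assumption): 4-byte big-endian version | payload | 32-byte tag
HEADER = struct.Struct(">I")
TAG_LEN = 32


class UpdateRejected(Exception):
    pass


def build_image(key, version, payload):
    """Vendor side: the tag covers the version field as well as the payload."""
    body = HEADER.pack(version) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()


class Controller:
    """Hypothetical dispenser controller with a monotonic version floor."""

    def __init__(self, key, min_version):
        self._key = key
        self.min_version = min_version  # in hardware: fuses or a monotonic counter

    def install(self, image):
        if len(image) < HEADER.size + TAG_LEN:
            raise UpdateRejected("truncated image")
        body, tag = image[:-TAG_LEN], image[-TAG_LEN:]
        expected = hmac.new(self._key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):  # constant-time comparison
            raise UpdateRejected("authentication failed")
        (version,) = HEADER.unpack_from(body)
        # A genuine but outdated image passes authentication, so the floor
        # is the only check that stops a downgrade to vulnerable firmware.
        if version < self.min_version:
            raise UpdateRejected("rollback")
        self.min_version = version  # the floor only ever moves up
        return version


def try_install(ctrl, image):
    """Return a one-line verdict instead of raising, for logging."""
    try:
        return f"installed v{ctrl.install(image)}"
    except UpdateRejected as exc:
        return f"rejected: {exc}"
```

Because the tag covers the version field, rewriting the version number of an old image fails authentication instead of slipping past the floor.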
