Search This Blog

Diebold Nixdorf ATM Bugs Allowed Attackers to Alter Firmware & Steal Cash

The protections against black box attacks built into these ATMs can be bypassed by simply replacing the firmware of the cash dispenser controller.

 

Security researchers at Positive Technologies have disclosed information on several vulnerabilities in Diebold Nixdorf ATMs that could have permitted an intruder to change the system's firmware and take cash. 

The vulnerabilities, known as CVE-2018-9099 and CVE-2018-9100, were discovered in the Wincor Cineo ATMs' CMD-V5 and RM3/CRS dispensers – one in each device – and were patched a few years ago. In 2016, Diebold acquired Wincor Nixdorf, and the two firms eventually merged. 

During research approved by the vendor, Positive Technologies found that, while the ATMs had a range of security mechanisms in place to combat blackbox attacks, such as end-to-end encrypted communication with the cash dispenser, it was actually easy to get past them.

The researchers found out the command encryption between the ATM computer and the cash dispenser, bypassed it, swapped the ATM firmware with an older version, and abused the flaws to direct the device to distribute cash. 

While encryption is utilized to protect against blackbox attacks, the researchers observed that an attacker might steal the encryption keys and then spoof their own firmware to load on the compromised ATM. The researchers were able to determine the elements involved in the check process in the code responsible for confirming the firmware signature and in the firmware, particularly the public key and the signed data itself. 

Positive Technologies explained, “As a signature verification algorithm, RSA was used with an exponent equal to 7, and the bit count of the key was determined by the size of the public part N. It turned out that if you fitted into the offsets at which the signature and public key were written, you could set almost any length.” 

An attacker requires to discover a means to transmit orders to the dispenser and define the amount of money in each cassette before withdrawing money from the ATM. Diebold Nixdorf, which published fixes for these vulnerabilities in 2019, suggests activating physical authentication when an operator conducts firmware installation to further prevent unauthorised access. The firm warned earlier this year that jackpotting assaults against RM3-based Cineo systems in Europe were on the surge.
Share it:

ATM Security

Black Box Attacks

Financial Data

Flaws

Security Researchers

Vulnerabilities and Exploits