Posted on November 16, 2018 at 3:50 PM
ATM Tests Reveal Surprising Security Flaws
Recently, security researchers at Positive Technologies decided to test ATMs made by various firms, and see how secure they actually are. The results of tests were quite unexpected, as researchers claim that most ATMs can be hacked in less than 20 minutes, depending on the type of attacks.
Particularly, researchers tested ATMs belonging to GRGBanking, NCR, and Diebold Nixdorf. They published their findings in a 22-page report earlier this week.
Types of attacks
According to the report, researchers tested out only those attacks that are seen as regular and typical exploits used for attacking ATMs. This includes obtaining money from devices, but also uncovering and obtaining details of regular ATM users.
After conducting these tests, researchers noticed that around 85% of tested devices allow access to their network easily. All that researchers or hackers need to do is to unplug the device and tap into Ethernet cables, or to spoof wireless connections of those devices that ATMs usually get connected to. In addition, around 27% of ATMs turned out to be vulnerable to spoofing their processing center communications.
Next, around 58% of ATMs were found to have vulnerabilities in different components that make up their networks. Exploits in network components and/or services can allow hackers to take control over the device, even remotely. Not only that, but 23% of ATMs can be accessed indirectly, by targeting devices and networks that only have a connection to the ATM itself.
By gaining control of the ATM, attackers can disable security, as well as control the amount of money that the device is providing. These attacks allegedly take around 15 minutes to execute, according to experts.
Fast hacking – Black Box method
While these methods seem to be relatively successful when it comes to robbing ATMs, they are still considered to be lengthy processes. This is why researchers also explored fastest ways of hacking ATMs, and have found that the quickest way in is by performing Black Box attacks, which can be pulled off in less than 10 minutes.
This is a type of attack where hackers can enter the ATM case either by opening it or drilling a hole and reaching the cables inside by force. After that, they connect a custom-made tool (black box) to the cable that connects the cash box with the ATM computer, and trick the system into releasing the cash.
These attacks were effective against 69% of tested ATMs, as the report claims. Not only that, but around 19% of them had no protection against this type of attacks.
The Most successful attacks
Another very successful attack includes exiting the kiosk mode, which is the OS mode in which the interface of ATMs runs. All that it takes is for an attacker to plug a device into a USB or PS/2 port and turn off the kiosk mode. After that, running different commands on the system and robbing the ATM is not an issue.
While this is another method that takes around 15 minutes, researchers claim that around 76% of tested devices ended up being vulnerable to this attack.
After that, researchers attempted an attack that takes the longest amount of time to perform, but that has the best results if done right. This one is conducted by bypassing the device’s internal hard drive and booting it from an external hard drive. This method is successful in 92% of cases, which makes it extremely dangerous, and it can happen for of three reasons — the lack of BIOS password within the ATM, the use of a password that can be easily guessed, or the lack of data encryption on the disk that is being used.
Even this test took less than 20 minutes, but it still managed to defeat the defense of almost every single ATM that experts were testing.
Other attacks include the ones where physical access to an ATM allows restarting the device completely and forcing it to boot in a debug mode. That way, different debug utilities can be accessed, and ATM can easily be infected with malware. This is also a 15-minute attack, but almost half of the tested ATMs were vulnerable to it.
Finally, researchers noted that there is a special concern regarding the ways that card data is transmitted. In more than half the cases, researchers managed to intercept card data while it was traveling between ATMs and banks’ processing centers. However, when this data was processed within the ATM itself, researchers managed to intercept it every single time.
While this type of attack also takes 15 minutes to be pulled off, it should not be a problem, since most attacks on ATMs are happening at night in isolated areas. The final conclusion is that security measures that are guarding money on the streets are more of a nuisance for hackers than a real problem, and most of them can be overcome within 10-20 minutes.