November 16, 2018

Hack for Cash: ATMs Take Just 20 Minutes to Crack

“Sometimes the modem is located outside of the ATM cabinet, so an attacker would not even have to open up the ATM in order to perform modifications”

By CBR Staff Writer

A staggering 85 percent of ATM cash machines can be hacked and tricked into dispensing free cash within just 20 minutes, a new report warns.

Bank security experts Positive Technologies described in a report this week a number of successful attempts to gain access to an ATM's operating system.

They targeted ATMs belonging to GRGBanking, NCR and Diebold Nixdorf and found four main categories of vulnerability: insufficient network security; insufficient peripheral security; improper configuration of systems or devices; and vulnerabilities within the configuration of the application control.

The team's researchers wrote in their report that, because of insufficient network security, a criminal with access to the ATM network can “target available network services, intercept and spoof traffic, and attack network equipment.”

“Criminals can also spoof responses from the processing center or obtain control of the ATM.”

ATM Vulnerabilities

Image: Positive Technologies Report

ATM Vulnerabilities

They found that 58 percent of the ATMs tested were at risk of threat actors breaching the network because of poor cybersecurity practices, such as out-of-date software and weak firewall protection.

Using the vulnerabilities CVE-2017-8464 and CVE-2018-1038, they could remotely run arbitrary code and then escalate privileges; this resulted in the ability to “disable security mechanisms and control output of banknotes from the dispenser.”

Hit it Hard

By far the most successful type of attack was a direct hack of the ATM itself, although this required physical access.

If the attacker is able to manipulate the ATM so that they can unplug the Ethernet cable and connect a device, they are then able to conduct attacks on the network service or man-in-the-middle attacks.

This method worked 85 percent of the time on the tested ATMs, with the researchers finding that: “Sometimes the modem is located outside of the ATM cabinet, so an attacker would not even have to open up the ATM in order to perform modifications.”

The quickest method is also the loudest: Positive Technologies carried out Black Box attacks, which took only 10 minutes to obtain cash from the machine.

A Black Box attack is done by drilling a hole in the side of the ATM case to gain access to the cables connecting the ATM cash box to the ATM OS. A ready-made tool is then connected to the ATM, letting the threat actors withdraw as much cash as they like.


In conclusion, the researchers note that cyberattacks on ATMs will decrease as preventive methods such as up-to-date software and good practice are carried out.

However, they state that the first step is to: “Physically secure the ATM cabinet and surroundings. Exploiting most of the vulnerabilities we found would be impossible without access to the on-board computer and peripheral ports.”
