ATM security captivates the imagination in many ways. These are very particular pieces of secure equipment: they must guarantee both the physical protection of coins and protection against computer attacks, all while installed in public places.
For several years, researchers have shown that the security of these ATMs is far from foolproof. Until now, however, attacks relied on access to a USB port hidden under the casing, or even to internal components. It is therefore difficult to imagine a malicious person carrying out such attacks in the wild in broad daylight.
That is especially true given that these devices are often under video surveillance. Other attacks, notably network attacks, are possible. But they require precise knowledge of the characteristics of the target ATM and expose the attacker to detection, given the security devices installed by the banks.
Josep Rodriguez, a consultant at the security company IOActive, is what is called a “white hat” or ethical hacker. He has long been interested in the security of these ATMs, and also in NFC technology. And as you have probably noticed, some ATMs now provide an NFC reader.
Not all banks use this reader, but as Josep Rodriguez explains, it is a front door left wide open on the machine because of a security vulnerability that has been known for years. He explains that, using a simple smartphone, he was able to trigger a so-called “buffer overrun” attack via an ATM’s NFC reader.
This type of attack works because the ATM’s operating system does not limit the amount of data that can enter through NFC. When the amount of data exceeds the space allocated for it in RAM, the excess continues to be written to adjacent memory addresses that are used by other parts of the system. With a little reverse engineering, it becomes possible to do almost anything on the target machine.
For example, he was able to tell the machine to record all the bank card numbers that pass through its reader, change the number of transactions in real time, and even, in at least one case, force the ATM to dispense all of its contents (also known as “jackpotting”). Wired explains:
“Rodriguez built an Android app that allows his smartphone to mimic bank card radio communications and exploit gaps in the system’s NFC firmware. By waving his smartphone, he can exploit a variety of bugs to break ATMs, hack them to collect and transmit credit card data, invisibly change the value of transactions, and even lock devices while displaying a ransomware message.”
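The missing length limit described above, shown as an added C example that is not taken from Rodriguez's research or from any vendor's firmware. The frame layout, `FIELD_MAX` and all names are hypothetical, and the sample frame is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FIELD_MAX 64 /* assumed size of the reader's fixed receive buffer */

enum { PARSE_OK = 0, PARSE_TRUNCATED = -1, PARSE_TOO_LONG = -2 };

struct card_field {
    uint8_t data[FIELD_MAX];
    size_t len; /* declared after data, so an overflow of data hits it first */
};

/* Hypothetical frame (constructed for this example, not a real protocol):
 * byte 0 = tag, byte 1 = payload length declared by the sender, then payload.
 * The overflow pattern is memcpy(out->data, frame + 2, frame[1]) with no
 * comparison against FIELD_MAX: a declared length of 200 would write 136
 * bytes past the buffer into adjacent memory. */
int parse_field(const uint8_t *frame, size_t frame_len, struct card_field *out)
{
    if (frame == NULL || out == NULL || frame_len < 2)
        return PARSE_TRUNCATED;

    size_t declared = frame[1];

    /* The sender cannot claim more bytes than were actually received. */
    if (declared > frame_len - 2)
        return PARSE_TRUNCATED;

    /* The payload must fit the destination, whatever the sender declares. */
    if (declared > sizeof out->data)
        return PARSE_TOO_LONG;

    memcpy(out->data, frame + 2, declared);
    out->len = declared;
    return PARSE_OK;
}

int main(void)
{
    uint8_t oversized[2 + 200] = { 0x01, 200 }; /* constructed sample frame */
    struct card_field f = { .len = 0 };

    printf("oversized frame -> %d\n", parse_field(oversized, sizeof oversized, &f));
    return 0;
}
```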
The security researcher alerted the manufacturers to the issue between 7 months and a year ago, including ID Tech, Ingenico, Verifone, Crane Payment Innovations, BBPOS, Nexgo, and one vendor left unidentified because of an even more serious security flaw. To push them to act quickly, however, he has already announced that he will release technical details in the coming weeks.
It remains to be seen whether it is technically possible for the manufacturers concerned to close the security hole on all devices in circulation. Josep Rodriguez himself acknowledges this: “Fixing several hundred thousand ATMs physically is something that will take a long time.”
Note that the demonstration of the attack did not take place in the United States, where the security of banking systems can sometimes be weaker, but in Madrid, in Europe. The researcher concludes: “These vulnerabilities have been present in firmware for years and we have been using these devices daily to manage our credit cards, our money. It has to be safer.”