ATMs are worryingly easy to hack, say researchers

ATMs' cash boxes are hardened against attack, but their tech components' flaws read like a hacker's how-to.
20 November 2018

ATMs are inherently vulnerable to cyber attacks. Source: Shutterstock

Researchers at a cybersecurity company have found that most banks’ ATMs are vulnerable to a range of attacks that leave cash deposits and customer details at serious risk.

Conducting the research, Positive Technology tested 26 different models of ATM from a range of manufacturers. Most banks deploy the same type of machines and/or configurations over large geographies, meaning that the susceptibility of one device can be used to exploit many more.

“Since banks tend to use the same configuration on large numbers of ATMs, a successful attack on a single ATM can be easily replicated at greater scale,” the report states.

The primary cause for concern is the physical insecurity of some components of a typical ATM installation. We often think of ATMs as sealed virtual safes which are impenetrable by simple physical attacks. This is largely true of the cash-holding part of an ATM – but its controlling computer and (in some cases) its networking components are often secured only behind a flimsy plastic panel which is subject to easy compromise.

In many cases, the report noted, the same key for one such panel will fit every ATM of that model, and keys that will open many machines are available on the internet for sale.

The report also recommends that banks tighten up the communication methods used by ATMs and the banks’ processing centers, and take a proactive stance with regards to log oversight and event monitoring.

The majority of the flaws that were found could be exploited in just a few minutes once access to the ATM’s controlling computer had been achieved. Of the 26 ATMs tested, for instance:

  • 77 percent could be forced out of ‘kiosk mode’ by USB or PS/2 connection.
  • 92 percent did not encrypt internal hard drives.
  • 85 percent could be fooled by spoofing network connections – that is, attackers systems masquerading as, for instance, the bank’s processing center.
  • 69 percent could be tricked into dispensing cash by use of simple devices like a Raspberry Pi (available for a few dollars).

“More often than not, security mechanisms are a mere nuisance for attackers: our testers found ways to bypass protection in almost every case,” the researchers said.

In some cases, the modem connecting the ATM to the processing center was found to be located in the bank branch nowhere near the ATM so that some attacks could be successfully carried out without physical access at all. In these scenarios, ‘man in the middle’ attacks could be deployed, such as ARP poisoning.

Additionally, 58 percent of ATMs pass unencrypted ‘Track2′ information to their processing centers. Track2 information is read from users’ cash cards and contains card number, expiry date, service code, and potentially, PIN & card verification details.

While the intricacies of flaws like MAC spoofing might not be understood by most banking personnel outside the security center, some attacks could at least be begun by anyone with the smallest quantity of computing knowledge.

For instance, in 8 percent of the tested machines, there was no password protection of the ATM’s BIOS, meaning that ATMs’ ‘brains’ could be bypassed altogether as the computer would boot easily from a rogue hard drive. 23 percent of those tested did have BIOS passwords but were easily guessed (‘password’, for example).

Forcing the computer out of kiosk mode was, in some cases, as simple as connecting a keyboard and pressing CTRL-ALT-DELETE. And with 92 percent of the ATMs tested by Positive Technologies running an outdated or vulnerable application or OS (58 percent were running Windows XP), the platforms stood ready to be compromised by anyone with the ability to watch a YouTube video on ‘How to Hack’.

Banks are often on the receiving end of bad publicity when their computer systems develop faults, so one can imagine why ATMs are not updated en masse. But perhaps the time has come for banks to use some of their profits to apply some security features to their aging fleets.

The report notes that the European Association for Secure Transactions (EAST) stated that in 2017, the number of logic attacks on banks in Europe tripled in number from the previous year, with total damages of €1.52 million. Meanwhile, malware such as Skimer, the first specific ATM-targeting malware is still under active development, and other flavors are available on open sale, with prices starting at around €1,500.

The report’s introduction states, “The most important thing about ATM malware is not its inner workings, but the installation method.” That suggests the process of making safe is more complex and therefore more expensive than the rolling out of a software patch – and so might explain the apparent reluctance to make itself safe.