Vulnerability discovered in ATM cash machine security enables theft

News by Rene Millman

Hackers could steal money using flaw in ATM security software that enables thieves to increase their user privileges via ARP spoofing.

A serious vulnerability has been discovered in cash machine security software that could allow an attacker to infect machines and steal money.

The flaw was found in GMV's Checker ATM Security. The defect allows an attacker to remotely run code on a targeted ATM to increase their privileges in the system, infect it and steal money.

Checker ATM Security protects cash machines by enforcing several restrictions in software, including whitelisting with application control to block unauthorised applications, restricting attempts to connect peripheral devices – such as a keyboard or mouse – and limiting network connections with a firewall. The software is used in more than 80,000 cash machines worldwide, according to the vendor.

Positive Technologies researcher Georgy Zaytsev said that to exploit the vulnerability, a criminal would need to pose as the control server, which is possible via ARP spoofing, or by simply connecting the ATM to a criminal-controlled network connection.

“During the process of generating the public key for traffic encryption, the rogue server can cause a buffer overflow on the ATM due to failure on the client side to limit the length of response parameters and send a command for remote code execution,” he said. “This can give an attacker full control over the ATM and allow a variety of manipulations, including unauthorized money withdrawal.”

Zaytsev developed test exploits that disable Checker ATM Security and allow arbitrary code to then run on the ATM.

According to the researcher, the developer has confirmed this issue in Checker ATM Security versions 4.x and 5.x and has already provided a patch for the affected versions to all its customers worldwide, who are advised to install it immediately.

The infosec firm said that it had previously identified several issues in ATM protection software, including a dangerous vulnerability in McAfee Solidcore in 2016. Exploitation of that zero-day vulnerability (CVE-2016-8009) could cause execution of arbitrary code with system privileges, escalation of user privileges from guest to system, or a crash of the ATM operating system.

As reported by SC Media UK, ATM hacking is a popular activity for criminals. In January, three Eastern European men were jailed in Taiwan over theft from cash machines in the country.

Rapid7 last year demonstrated how next-generation secure cash machines could be ransacked of money.

Justin Coker, vice president EMEA at Skybox Security, told SC that understanding the entire attack surface, including all endpoints, for retail bank ATMs is essential. “If an organisation doesn't have an accurate view of the complete attack surface how can sensible decisions be made?” he said.

“As part of an organisation-wide vulnerability management programme it is essential that banks prioritise high risk and exposed vulnerabilities on targeted assets such as ATMs, taking into account all of the complexities of the infrastructure.

“In addition, where there are exploit kits available and being used in the wild banks need to make the most of available threat intelligence to quickly understand where they are at risk from these types of attack vectors. For banks this includes ATMs and other high value assets. Our own threat research lab looks at more than 30 security data feeds along with research of exploits available on more than 700,000 dark web sites to find these types of exploits,” he added.

Paul Norris, senior systems engineer at Tripwire, told SC that it's important banks take the necessary steps to defend against attacks on vulnerable endpoints.

“One control is to monitor the ATMs for changes to critical files, or new files being generated on the ATM. This could identify unauthorised changes or configuration changes to the ATMs that could lead to compromise,” he said.
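The file-integrity control Norris describes, as an added example that is not from the article or any vendor product: a baseline of file hashes is compared against a later snapshot to flag new, modified and removed files. The directory layout and file names are constructed for illustration.

```python
"""Minimal file-integrity baseline/compare for an ATM-style host.

Added example, not part of the article or any product. The sample file set
below is constructed purely to exercise the comparison logic.
"""
import hashlib
import os
import tempfile


def _sha256(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: str) -> dict:
    """Map every regular file under root (relative, '/'-separated) to its SHA-256."""
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            result[rel] = _sha256(full)
    return result


def diff_snapshots(baseline: dict, current: dict) -> dict:
    """Classify changes since the baseline: new, removed and modified files."""
    return {
        "new": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
    }


def demo() -> dict:
    """Build a constructed tree, baseline it, simulate tampering, and report."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        with open(os.path.join(root, "bin", "agent.exe"), "wb") as f:
            f.write(b"original binary")           # hypothetical protection agent
        with open(os.path.join(root, "config.ini"), "w") as f:
            f.write("whitelist=on\n")
        baseline = snapshot(root)
        # Simulated unauthorised activity: binary replaced, config edited, new file dropped.
        with open(os.path.join(root, "bin", "agent.exe"), "wb") as f:
            f.write(b"patched binary")
        with open(os.path.join(root, "config.ini"), "a") as f:
            f.write("whitelist=off\n")
        with open(os.path.join(root, "dropper.dll"), "wb") as f:
            f.write(b"\x00")
        return diff_snapshots(baseline, snapshot(root))
```

In practice the baseline would be stored off the ATM and compared on a schedule, with any entry in `new` or `modified` raised as an alert.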

“However, to execute a successful attack, the attacker would have to compromise other systems and infrastructures. It's important to identify these breaches early before the attack is executed. Integrity monitoring and configuration management tools would assist in detecting these attacks early.”
