Hacking an ATM, as easy as using Windows XP


ATM pentests showed alarming results for banks

ATMs are vulnerable to a number of basic attack techniques that would allow any hacker with minimal knowledge and resources to steal thousands of dollars in cash.

This is according to an information security and digital forensics firm whose investigators analyzed more than 20 different ATM models and found that almost all of them are vulnerable to local or network access attacks that would allow criminal groups to carry out these fraudulent operations.

In total, the study carried out penetration tests on 26 machines and systems of various manufacturers and service providers. Among the most relevant results found by experts in digital forensics are:

  • 15 of these machines were running Windows XP
  • 22 were vulnerable to the ‘network spoofing’ technique, in which an attacker connects locally to the LAN port of the machine and performs fraudulent transactions. This process takes about 15 minutes to complete
  • 18 ATMs were vulnerable to ‘black box’ attacks, where an attacker physically connects a device to the ATM and tricks it into dispensing cash
  • 20 ATM models can be forced out of kiosk mode via a USB or PS/2 connection. From there, an attacker could access the underlying operating system of the machine and execute additional commands
  • 24 lacked data encryption on the hard drive, allowing a hacker who had access to the drive to extract any stored data, as well as information from the machine’s configuration

Broadly, the investigation found that most of the protection measures the ATMs used to prevent theft or tampering were very flimsy or practically useless, and that anyone who set out to compromise one of these machines could do it in less than an hour.

“Most of the time, security mechanisms are a very simple obstacle for hackers; during the evaluation we found at least one way to bypass security on almost every device analyzed,” the investigators said.

“Because many banks tend to use the same configuration in a large number of ATMs, a successful attack on a single ATM can easily be replicated on a larger scale, increasing the complexity of the problem.”

One of the main recommendations that the digital forensics experts from the International Institute of Cyber Security have made to the banks is to reinforce the physical security of the machines. Physically securing cabinets to block access to any hardware outside the ATM could thwart many of the techniques used by hackers.

In addition, the researchers recommend that banks closely monitor any incident in their security systems.

While many of these physical attacks do not occur frequently in a real scenario – given the suspicion raised by a person staying at an ATM for 10 minutes or more – the report highlights the shameful lack of ATM security, especially when an attacker manages to access the ATM’s software.

In a recent hacking event, a researcher explained various methods to address the vulnerabilities of ATMs. Although many considered this type of attack to be impossible, these security flaws were fixed after the researcher claimed he would disclose them publicly.