Two critical zero-day vulnerabilities found at thousands of ATMs

A team of digital forensics specialists has reported the discovery of two major zero-day vulnerabilities in ATMs widely used in the US, among other territories. If exploited, these flaws could allow a hacker to steal cash and extract sensitive information from users.

Experts Trey Keown and Brenda So from the security firm Red Balloon discovered these flaws in ATMs manufactured by Nautilus Hyosung, which has a large presence throughout North America, especially in the U.S.

To demonstrate the vulnerabilities, the digital forensics experts only needed access to the network to which an affected ATM was connected; with that access, they were able to show that it was possible to gain full control of the machine and evade detection by its security software.

The vulnerabilities affect the ATM's remote control system, as well as the software that controls the machine's peripheral devices; according to the experts, once an attacker is on a compromised network, exploiting the flaws is really easy.

After receiving the vulnerability report, Nautilus released, together with Red Balloon, a statement saying that these flaws have not been exploited in the wild. In addition, the experts mention that, of the 150k Nautilus ATMs operating in the U.S., about 80k machines are vulnerable to exploitation of these flaws.

Although the company has a presence in multiple countries and is a subsidiary of South Korea-based Hyosung Corp., the security flaws appear to affect only the company's ATMs operated and distributed by its US affiliate.

The vulnerabilities were detected and reported last summer; according to the digital forensics experts, about a week after receiving the report, Nautilus announced firmware security updates to prevent the flaws from being exploited.

All of the company's business partners were notified of the security flaws so that they could request the update for their ATMs as soon as possible.

It is not yet clear how far the installation of these security patches has progressed, as the process requires a technician to visit each possibly affected ATM in person. In this regard, Ang Cui, founder and CEO of Red Balloon, considers it unlikely that the company will be able to update the firmware of all its ATMs, as it may not even have the staff to do so, and the new security measures will themselves require further updates in the future. Moreover, the manufacturer specified that, for security reasons, it cannot provide further details about the vulnerabilities and exploits.

According to the digital forensics experts of the International Institute of Cyber Security (IICS), the compromised information could be really useful to a hacker or scammer, as it amounts to a list of the ATMs most exposed to cyberattacks. Often the need to physically access a device reduces the chances of a vulnerability being exploited; however, the experts point out that all the flaws found in this investigation can be exploited remotely, which makes these findings somewhat more serious.