Flaws in drivers used by ATMs and POS devices make it easy to steal all the money from them

ATM theft is an increasingly complex problem due to the evolution in methods employed by criminals and, according to information security awareness specialists, insecure or malicious drivers are one of the main risk factors in these attacks.

In a report prepared by experts from the firm Eclypsium, it is mentioned that the problem of these drivers can be analyzed focusing on two main factors:

  • A poorly designed driver could be employed by malicious hackers to gain control over the Windows kernel and the firmware of the underlying device. For years, criminals have used malware to deploy backdoors on vulnerable systems, allowing them to establish persistence and launch subsequent attacks.
  • There is no universal method to prevent Windows systems from loading faulty drivers once they have been identified. Microsoft’s HVCI technology can protect the latest devices, but previously released devices must rely on blacklists installed manually by administrators.
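As an added example (not code from the article or from the Eclypsium report), the following PowerShell script performs the defender-side check implied by the two points above: it reads the Device Guard status to see whether HVCI is actually running, then hashes every running kernel driver and compares it against an administrator-maintained blocklist. The blocklist entry is a placeholder, and the `Win32_DeviceGuard` and `Win32_SystemDriver` WMI classes are assumed to be available on the ATM or POS Windows build.

```powershell
# Added example (not from the article or the Eclypsium report): a defender-side check
# for a Windows-based ATM/POS image. It reports whether HVCI is actually running and
# hashes every running kernel driver against an administrator-maintained blocklist.
# The blocklist entries are PLACEHOLDERS, not real hashes of any driver.

$Blocklist = @{
    'PLACEHOLDER_SHA256_OF_KNOWN_BAD_DRIVER' = 'example entry (placeholder, not a real hash)'
}

function Get-HvciState {
    # Win32_DeviceGuard: SecurityServicesRunning contains 2 when HVCI is running;
    # SecurityServicesConfigured contains 2 when it is configured (but may not be active).
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    [pscustomobject]@{
        VbsRunning     = ($dg.VirtualizationBasedSecurityStatus -eq 2)
        HvciConfigured = ($dg.SecurityServicesConfigured -contains 2)
        HvciRunning    = ($dg.SecurityServicesRunning -contains 2)
    }
}

function Get-LoadedDriverReport {
    # Win32_SystemDriver lists kernel drivers; PathName may carry a \??\ or \SystemRoot
    # prefix, or be relative to the Windows directory, so normalize before hashing.
    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' -and $_.PathName } |
        ForEach-Object {
            $path = $_.PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot', $env:SystemRoot
            if (-not [System.IO.Path]::IsPathRooted($path)) { $path = Join-Path $env:SystemRoot $path }
            if (-not (Test-Path -LiteralPath $path)) { return }
            $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
            $sig  = Get-AuthenticodeSignature -LiteralPath $path
            [pscustomobject]@{
                Name      = $_.Name
                Path      = $path
                Sha256    = $hash
                Signature = $sig.Status
                Blocked   = $Blocklist.ContainsKey($hash)
            }
        }
}

$state = Get-HvciState
if (-not $state.HvciRunning) {
    Write-Warning 'HVCI is not running: this host depends on the manual driver blocklist alone.'
}
# Flag anything blocklisted or not carrying a valid Authenticode signature.
Get-LoadedDriverReport | Where-Object { $_.Blocked -or $_.Signature -ne 'Valid' } | Format-Table -AutoSize
```

Run it as an administrator; on a fleet, the report is most useful exported and diffed against a known-good baseline of driver hashes for the image.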

Information security awareness specialists note that the exploited vulnerabilities stem from a mechanism built into the driver software that is almost an industry standard. The latest findings from the investigation of this criminal activity show that these flaws continue to be exploited even in tightly controlled environments, such as ATMs in secure facilities, and even against point-of-sale (POS) devices.

As mentioned above, criminals have moved from breaking the physical integrity of ATMs to extract as much money as possible to attacks on logical security, tricking the software inside the machines into approving illegitimate cash withdrawals. This attack variant, popularly known as “jackpotting”, involves the use of malware, hacking tools and direct attacks against ATM components.

Eclypsium’s most recent research focuses on an ATM from Diebold Nixdorf in which the experts detected a vulnerable component; it should be clarified that this ATM proved to be much more secure than previous versions from the same company and even than competitors’ offerings.

According to information security awareness experts, this ATM is particularly exposed to a vulnerability that has not yet been exploited in real-world scenarios but could affect multiple devices, whether ATMs, point-of-sale terminals or other equipment. To carry out the research, the experts acquired an internal computer identical to the one used by the analyzed ATM (SWAP-PC 5G i5-4570 AMT TPMen).

[Image: atmdriver.jpg] SOURCE: Eclypsium

An ATM’s internal computer connects to all of its components, such as the card reader, keyboard, network interfaces, and cash cassettes. While analyzing the computer in detail, the experts noted that a driver was providing arbitrary access to the system’s x86 I/O ports; although these are limited functions in the context of the ATM, they can be used to gain arbitrary PCI access, leading to attacks on PCI-connected devices. In addition, the researchers discovered that the manufacturer uses this driver to update the ATM’s BIOS firmware, which could indicate a path for modifying the firmware and installing a hacking kit.

Although this new research focuses on only one ATM model, information security awareness experts note that this driver is highly likely to be used by other models manufactured by Diebold Nixdorf and by other companies. This also affects Windows-based point-of-sale solutions.

The company was notified promptly and acknowledged the report shortly thereafter. Updates that fix this issue have already been released, and administrators of affected machines are encouraged to install them as soon as possible.

In this case the updates were released as quickly as possible. In many other cases, however, correcting vulnerabilities in ATMs is very difficult, mainly because these devices are highly regulated, which delays the development of security patches. Changes to a device often require the vendor to repeat the certification process, which takes a long time. As a result, manufacturers may take up to a year to update an insecure device.

It has been fully demonstrated that a vulnerable driver can be exploited to gain low-level access to the hardware and computer systems of an ATM, so everyone involved in this process needs to establish the mechanisms necessary to address these problems. For further reports on vulnerabilities, exploits, malware variants and computer security risks, it is recommended to visit the website of the International Institute of Cyber Security (IICS), as well as the official platforms of technology companies.