Need cash fast? In 2018, it's still remarkably easy to hack into an ATM, a new study finds.
Researchers from information-security consulting firm Positive Technologies looked at 11 different models of ATMs made by NCR, Diebold Nixdorf and GRG Banking, set up in 26 different configurations, and found that ATM security is a stinking mess.
Every single ATM the researchers examined was vulnerable to software-based attacks, not all of which involved opening up the ATM cabinet. All gave up customer card data in one way or another; 85 percent, or 22 of 26 ATMs tested, let you hit the jackpot and walk away with stolen cash without cracking open the safe.
"More often than not, security mechanisms are a mere nuisance for attackers," the Positive Technologies report, released yesterday (Nov. 13), said. "Our testers found ways to bypass protection in almost every case."
An ATM consists of a computer and a safe enclosed in a cabinet. The computer often runs Windows and has regular keyboard, mouse and network inputs. Open up the cabinet with a drill, a lock pick or a key — one key will often open all units of a given model — and you get physical access to the computer.
The safe contains the cash, and the cash dispenser is directly attached to the safe, which you'd need heavy equipment or explosives to crack open. But Positive Technologies found that the computer, its network connections or the interface connecting the computer to the safe could almost always give you cash or a customer's ATM-card information.
Before it can give a user cash, the ATM computer must talk to a server at a far-off transaction processing center, using either a wired Ethernet connection or a cellular modem. Some of the connections are dedicated direct links, while others go out over the internet. But not all of them are encrypted.
"Tested ATMs frequently featured poor firewall protection and insufficient protection for data transmitted between the ATM and processing center," the report noted.
Remote ATM attacks
Because of this, not all of the attacks required physical access to the machines. Fifteen out of 26 ATMs failed to encrypt communications with processing servers, although some did so over Ethernet rather than wirelessly. You'd need only to tap into the network traffic, either wired or wirelessly, to grab the card data.
Other models secured the traffic using faulty VPNs whose encryption could be cracked. Some had known security flaws in the network hardware or software that could also be exploited, as not all the ATMs had patched the known flaws.
On a few machines, the cellular connections to the processing servers could be attacked by using encryption keys found in the modem firmware. Default administrative credentials -- username and password were both "root" — gave full Telnet access to one machine, and it was possible to brute-force weak administrative credentials on the same model's remote web interface.
In both cases, it would be possible to send bogus processor-server responses to the machines, resulting in a cash jackpot.
Physical but non-intrusive ATM attacks
Some ATM models put the Ethernet port on the outside of the cabinet, making it possible to disconnect the cable and plug in a laptop that spoofed a processing server and told the ATM to spit out cash. Known security flaws in the ATM's network hardware or software could also be exploited, as not all the ATMs had patched known flaws.
Granted, it's not always easy to hang around an ATM and have enough time to pull off an attack. But the report noted that a crook would need only 15 minutes to access the ATM network connection to the processing center — something that might not be as conspicuous at three in the morning.
Opening up the ATM cabinet
Once you open up the cabinet and get access to the computer's input ports, there isn't much between you and a cash jackpot.
"Most tested ATMs allowed freely connecting USB and PS/2 devices," the report said. "A criminal could connect a keyboard or other device imitating user input."
When you use an ATM, it's in "kiosk mode" and you can't switch to another application. But if you plug in a keyboard, or a Raspberry Pi set up to act like a keyboard, you can use the ATM like a regular computer.
"Exiting kiosk mode was possible in every case with the help of hotkeys," the report said, and those hotkeys were usually standard Windows combinations such as Alt+F4 to close an active window, or Alt + Tab to switch among open applications.
Exiting kiosk mode won't cough up the cash, but using a keyboard makes it a whole lot more convenient to run malicious commands on the ATM. Since more than half the machines examined ran Windows XP, the 2001 operating system with lots of known vulnerabilities, this wasn't always hard.
The researchers also found that two machines ran digital video recorder applications in the background to record customer activity. Once out of kiosk mode, the Positive Technologies team brought up the hidden DVR windows by moving a mouse cursor to a corner of the screen. Then they could use the DVR application to erase security footage.
Installing malicious ATM software
Most of the ATMs ran security appications to prevent installation of malicious software. Four of those applications themselves, including two made by McAfee and Kaspersky Lab, had security flaws of their own. Another security application stored an administration password in plaintext.
Once you change the security application's settings, you can connect directly to the ATM's hard drive to add malicious programs if the drive isn't encrypted. The researchers could do this to 24 of the 26 ATMs examined. Buying such malware isn't cheap — it starts at $1,500 in online criminal forums — but you can use it on one machine or another of the same model.
Or you could just plug in an USB stick to the ATM's USB port and boot from that. Seven machines let you change the BIOS boot order on the fly. Then you'd get unrestricted access to the ATM's main hard drive.
You could just reboot the machine into a debugging or safe mode, which often led to the jackpot.
"Setting a different boot mode was possible on 88 percent of ATMs," the report said. "In 42 percent of cases, the testers could develop this attack further and eventually withdraw cash."
Plugging in an ATM black box
You don't actually need to access the ATM's computer to get cash. You can quickly connect a "black box" — a Raspberry Pi or similar machine running modified ATM diagnostic software — directly to the cash dispenser on the safe to make the dispenser vomit banknotes.
Most ATM makers encrypt communications between the ATM computer and the cash dispenser to make this attack theoretically impossible. But half the ATMs that Positive Technologies examined used poor encryption that was easily cracked, and five ATMs had no software protections against black-box attacks at all.
So what's in it for me?
In the United States, banking regulations protect consumers from liability in almost all forms of ATM cash-grabbing attacks. Your only obligation is to report the theft to your bank as soon as you discover it.
The real risk is to the banking industry, and Positive Technologies said the industry could minimize the amount of theft by insisting that ATM makers encrypt ATM hard drives, strongly encrypt communications with processing servers, upgrade machines to run Windows 10, disable common Windows keyboard commands, lock down BIOS configurations, use better administrative passwords and, last but not least, make the ATM computers harder to physically access.
"Since banks tend to use the same configuration on large numbers of ATMs," said the report, "a successful attack on a single ATM can be easily replicated at greater scale."