Positive Technologies presents case study on ATM vulnerability at Black Hat USA
Positive Technologies, a provider of vulnerability assessment, compliance management and threat analysis solutions, recently presented at the Black Hat USA security conference in Las Vegas its late-2017 discovery of a method by which attackers could carry out a black box attack on certain ATMs.
The vulnerability, which involved NCR Corp. cash dispenser controllers, has been addressed by the company with a software patch.
According to a press release, the case study covered Positive Technologies' research findings that attackers could install obsolete, insecure software on the controller of the ATM cash dispenser, then physically connect a single-board computer to the dispenser and issue a command to dispense cash.
"Our research indicated that not all requests from the ATM computer to the dispenser were encrypted," Alexey Stennikov, head of hardware security analysis at Positive Technologies, said in the release. "Instead, encryption was applied only to requests deemed critical by the manufacturer, such as dispensing cash. But some of the so-called non-critical requests can be just as dangerous."
The first vulnerability, CVE-2017-17668, was caused by insufficient protection of the memory write mechanism in the NCR S1 dispenser controller.
On firmware versions prior to 0x0156, an unauthenticated user can execute arbitrary code, bypass the prohibition on firmware downgrading, and install obsolete firmware versions containing known vulnerabilities.
A similar vulnerability, CVE-2018-5717, was found in the NCR S2 dispenser. Firmware version 0x0108 corrects the issue.
According to the release, Positive Technologies reported an increase of 287 percent in the number of malware-based logical attacks on ATMs in Europe between 2015 and 2016. During that period, GreenDispenser malware was used to steal approximately $180,000 from ATMs in Eastern Europe.