2 ATM Manufacturers Patch Vulnerabilities
Diebold Nixdorf and NCR Say Unpatched Flaws Could Permit Deposit Forgery
Diebold Nixdorf and NCR have issued patches for ATM software vulnerabilities that could enable a hacker with physical access to the devices to commit deposit forgery, according to the Carnegie Mellon University CERT Coordination Center.
Diebold has patched the software in its 2100xe USB ATM to fix CVE-2020-9062, while NCR has patched its APTRA XFS 04.02.01 and 05.01.00 software used in the company's SelfServ ATMs to fix three vulnerabilities.
Potential Pathway to Theft
The Diebold Nixdorf and NCR vulnerabilities, if exploited, could allow a hacker to intercept communications between various device modules and falsely increase the amount of money being deposited, according to a CERT alert.
To steal money, a hacker would need to complete several steps, starting with accessing an ATM's internal components to get to its communications system, the alert explains.
Then, the hacker would deposit currency and modify messages from the Cash/Check Deposit Modules, or CCDM, to the host computer to indicate a greater amount or value than was actually deposited. Finally, the hacker would make a withdrawal for the artificially increased amount of currency.
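Why the missing authentication is the crux of the attack chain above, as an added illustration that is not from the CERT alert or from either vendor: the message layout below (a sequence counter and an amount in cents) is constructed for this example and is not the real CCDM protocol, and the hypothetical HostReceiver class shows the host-side check the alert says is absent, an HMAC tag plus a monotonic counter, next to the unauthenticated parse that credits whatever arrives on the internal bus.

```python
import hashlib
import hmac
import struct

# Constructed, hypothetical CCDM -> host "deposit complete" message layout used
# only for this illustration; the real Probase/CCDM protocol is not on the page
# and is not reproduced here.
#   seq    : uint32 big-endian, per-session message counter
#   amount : uint32 big-endian, minor currency units (cents)
#   tag    : 32-byte HMAC-SHA256 over seq||amount (authenticated form only)
HDR = struct.Struct(">II")


def ccdm_encode_plain(seq, amount_cents):
    """Unauthenticated message: the situation the advisory describes."""
    return HDR.pack(seq, amount_cents)


def host_decode_plain(msg):
    """Host with no integrity check: it believes whatever arrives on the wire."""
    _seq, amount = HDR.unpack(msg)
    return amount


def mitm_inflate(msg, new_amount_cents):
    """Attacker on the internal bus rewrites the amount field in transit."""
    seq, _ = HDR.unpack(msg)
    return HDR.pack(seq, new_amount_cents)


def ccdm_encode_authenticated(key, seq, amount_cents):
    """Hardened form: the deposit module tags each message with a per-device key."""
    body = HDR.pack(seq, amount_cents)
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return body + tag


class HostReceiver:
    """Host side with a per-device shared key and a monotonic counter (anti-replay)."""

    def __init__(self, key):
        self.key = key
        self.last_seq = -1

    def decode(self, msg):
        if len(msg) != HDR.size + 32:
            raise ValueError("malformed deposit message")
        body, tag = msg[:HDR.size], msg[HDR.size:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise ValueError("deposit message failed authentication")
        seq, amount = HDR.unpack(body)
        if seq <= self.last_seq:
            raise ValueError("replayed or out-of-order deposit message")
        self.last_seq = seq
        return amount


def demo():
    """Returns (credited_vulnerable, credited_hardened, tamper_rejected, replay_rejected)."""
    key = b"per-device key provisioned at manufacture (constructed)"

    # Vulnerable path: $20.00 deposited, attacker claims $2,000.00 and is believed.
    plain = ccdm_encode_plain(1, 2000)
    credited_vuln = host_decode_plain(mitm_inflate(plain, 200000))

    # Hardened path: the same tampering is rejected, the genuine message accepted.
    rx = HostReceiver(key)
    genuine = ccdm_encode_authenticated(key, 1, 2000)
    credited_ok = rx.decode(genuine)
    tampered = mitm_inflate(genuine[:HDR.size], 200000) + genuine[HDR.size:]
    try:
        rx.decode(tampered)
        tamper_rejected = False
    except ValueError:
        tamper_rejected = True
    try:
        rx.decode(genuine)  # replaying the already-accepted message
        replay_rejected = False
    except ValueError:
        replay_rejected = True
    return credited_vuln, credited_ok, tamper_rejected, replay_rejected


if __name__ == "__main__":
    print(demo())
```

The caveat a practitioner would raise: a shared HMAC key only helps if the same physical attacker cannot read it out of the host or the deposit module, so where the key is stored and how it is provisioned matters as much as the check itself. That is why the vendor guidance quoted later on the page, limiting physical access and adding fraud monitoring, still applies after a protocol fix.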
Issues in Diebold Nixdorf ATMs
Diebold Nixdorf ATMs running Probase version 1.1.30 are susceptible to CVE-2020-9062, according to the alert. The issue is that the software does not encrypt, authenticate or verify the integrity of messages between the CCDM and the host computer.
"An attacker with physical access to internal ATM components can intercept and modify messages, such as the amount and value of currency being deposited, and send modified messages to the host computer," the alert states.
Diebold Nixdorf recommends ATM owners immediately update the software to apply the patch. It also recommends limiting physical access to the ATMs' internal components, adjusting deposit transaction business logic and implementing fraud monitoring.
NCR ATM Vulnerabilities
NCR's SelfServ ATMs using APTRA XFS 04.02.01 and 05.01.00 software are susceptible to similar attacks due to three flaws, the alert states.
- The software does not encrypt, authenticate or verify the integrity of messages between the bunch note accepter, or BNA, and the host computer.
- The 512-bit RSA certificates used to validate BNA software updates can be broken by an attacker, who can then sign arbitrary files and execute arbitrary code on the ATM.
- The software does not properly validate updates for the BNA.
"An attacker with physical access to internal ATM components can restart the host computer. During boot, the update process looks for CAB archives on removable media and executes a specific file without first validating the signature of the CAB archive. This allows an attacker to execute arbitrary code with system privileges," the alert says.
Obtaining the money from a hacked NCR ATM requires a process similar to that used for the Diebold Nixdorf machines.
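The 512-bit key size in the NCR update-validation flaws above is a policy failure that can be caught before any signature over an update is ever checked. As an added example that is not NCR's APTRA code, the block below walks a DER SubjectPublicKeyInfo to the RSA modulus and refuses an update-signing key shorter than 2048 bits. The sample keys are built from synthetic moduli of the right bit length, not real RSA key pairs, and MIN_RSA_BITS is an assumed policy value.

```python
# Added example: refuse update-signing keys that are too short to trust.
# Constructed for illustration; not NCR's code. Sample keys are synthetic.

MIN_RSA_BITS = 2048  # assumed policy floor; 512-bit RSA moduli are factorable today

# OID 1.2.840.113549.1.1.1 (rsaEncryption), DER-encoded value bytes
RSA_OID = bytes.fromhex("2a864886f70d010101")


def _tlv(tag, value):
    """Encode one DER tag-length-value triple (short or long-form length)."""
    n = len(value)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + value


def _read_tlv(buf, pos):
    """Decode the DER TLV starting at buf[pos]; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the byte count of the length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def _der_int(i):
    """DER INTEGER, with the leading zero DER requires when the high bit is set."""
    b = i.to_bytes((i.bit_length() + 7) // 8 or 1, "big")
    if b[0] & 0x80:
        b = b"\x00" + b
    return _tlv(0x02, b)


def make_rsa_spki(modulus, exponent=65537):
    """Build a DER SubjectPublicKeyInfo around a (synthetic) RSA modulus."""
    rsa_public_key = _tlv(0x30, _der_int(modulus) + _der_int(exponent))
    alg_id = _tlv(0x30, _tlv(0x06, RSA_OID) + _tlv(0x05, b""))
    return _tlv(0x30, alg_id + _tlv(0x03, b"\x00" + rsa_public_key))


def rsa_modulus_bits(spki_der):
    """Walk SubjectPublicKeyInfo -> BIT STRING -> RSAPublicKey and size the modulus."""
    tag, spki, _ = _read_tlv(spki_der, 0)
    if tag != 0x30:
        raise ValueError("SubjectPublicKeyInfo must be a SEQUENCE")
    tag, alg_id, pos = _read_tlv(spki, 0)
    if tag != 0x30:
        raise ValueError("AlgorithmIdentifier must be a SEQUENCE")
    oid_tag, oid, _ = _read_tlv(alg_id, 0)
    if oid_tag != 0x06 or oid != RSA_OID:
        raise ValueError("not an rsaEncryption key")
    tag, bit_string, _ = _read_tlv(spki, pos)
    if tag != 0x03 or bit_string[0] != 0:
        raise ValueError("subjectPublicKey must be a byte-aligned BIT STRING")
    tag, rsa_public_key, _ = _read_tlv(bit_string[1:], 0)
    if tag != 0x30:
        raise ValueError("RSAPublicKey must be a SEQUENCE")
    tag, n, _ = _read_tlv(rsa_public_key, 0)
    if tag != 0x02:
        raise ValueError("modulus must be an INTEGER")
    return int.from_bytes(n, "big").bit_length()


def update_signer_acceptable(spki_der):
    """Policy gate to run before any signature over an update file is checked."""
    return rsa_modulus_bits(spki_der) >= MIN_RSA_BITS


# Synthetic moduli with exactly the bit lengths at issue (not real keys).
WEAK_512_KEY = make_rsa_spki((1 << 511) | 1)
STRONG_2048_KEY = make_rsa_spki((1 << 2047) | 1)

if __name__ == "__main__":
    print(rsa_modulus_bits(WEAK_512_KEY), update_signer_acceptable(WEAK_512_KEY))
    print(rsa_modulus_bits(STRONG_2048_KEY), update_signer_acceptable(STRONG_2048_KEY))
```

This gate only addresses the second of the three NCR flaws. The third, executing a file from a CAB archive on removable media before validating the archive's signature, needs the signature check itself to run, against a key that passes this gate, before anything from the media is executed.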
To fix all three issues, the CERT Coordination Center recommends ATM owners immediately update the NCR SelfServ software to APTRA XFS version 06.08, which includes the patches.
Earlier, Diebold Nixdorf reported that some of its ATMs were targeted by "jackpotting" or "cash-out" incidents in several European countries.
The company reported that its ProCash 2050ex ATMs located outdoors were vulnerable to an attack called "black box" (see: Diebold Nixdorf: ATMs in Europe Hacked).