ATMs are at risk! Researcher exposes shocking security flaws
At the recent Defcon security conference held in Las Vegas, independent researcher Matt Burch exposed six vulnerabilities in the widely used ATM security solution Vynamic Security Suite (VSS), a software product of ATM maker Diebold Nixdorf. Burch's findings suggest that these weaknesses could enable attackers to circumvent an unpatched ATM's hard drive encryption and seize complete control of the machine.
VSS's vulnerabilities and exploitation potential
Burch explained that VSS is a multifaceted software product with features such as endpoint protection, USB filtering, and delegated access. His focus, however, was on the software's hard drive encryption module. He discovered multiple exploitable paths and files within this module; each time he reported his findings to Diebold Nixdorf for patching, he went on to find new ways to achieve similar results.
Disk encryption functionality at risk
The vulnerabilities Burch identified are located in the VSS feature that enables disk encryption for ATM hard drives. Unlike most ATM manufacturers, which use Microsoft's BitLocker Windows encryption, Diebold Nixdorf's VSS employs a third-party integration for an integrity check. The system operates in a dual-boot configuration with both Linux and Windows partitions: the Linux partition runs a signature integrity check before booting to ensure the ATM has not been compromised.
Unencrypted Linux partition in VSS exploited
Burch highlighted a significant issue with the VSS system, stating, "The problem is, in order to do all of that, they decrypt the system, which opens up the opportunity." He exploited this weakness by manipulating the location of crucial system validation files within the unencrypted Linux partition. This allowed him to redirect code execution and take control of an ATM.
Diebold Nixdorf responds to Burch's findings
Diebold Nixdorf spokesperson Michael Jacobsen confirmed that Burch first reported these vulnerabilities in 2022 and that the company addressed them with patches later that year. However, as Burch continued to uncover new versions of these vulnerabilities over time, Diebold Nixdorf had to release additional patches in 2023. Jacobsen said the company is working diligently to ensure its customers are using the most current version suitable for their environment.
Burch warns of potential future exploits and risks
Despite the patches, Burch warned that similar vulnerabilities could still be exploited, although it would be "significantly harder now." He also noted that large institutions might not have updated their enterprise ATMs due to significant infrastructure initiatives, which leaves some ATMs and cash-out systems potentially vulnerable. Burch clarified that executing such an attack requires physical access to the ATM, a task not easily accomplished without prior knowledge or experience.