At the annual Defcon security conference in Las Vegas, hacking ATMs is a long-standing tradition: opening them with safecracking techniques, rigging them to steal users’ personal information and PINs, crafting and refining ATM malware, and, of course, hacking them to dispense all their cash. Many of these projects targeted what are known as retail ATMs, freestanding devices like those you might find at a gas station or a bar. On Friday, however, independent researcher Matt Burch is presenting findings on the “financial” or “enterprise” ATMs used in banks and other large institutions.
Burch is demonstrating six vulnerabilities in Vynamic Security Suite (VSS), the widely deployed security platform from ATM maker Diebold Nixdorf. The flaws, which the company says have all been fixed, could be exploited by attackers to bypass the encryption on an outdated ATM’s hard drive and take full control of the machine. Although fixes for the bugs are available, Burch cautions that, in practice, the updates may not have been applied everywhere, potentially leaving some ATMs and cash-out systems vulnerable.
“Vynamic Security Suite performs multiple functions—it includes endpoint protection, USB filtering, delegated access, and a variety of other features,” Burch tells WIRED. “Nevertheless, the specific attack vector that I’m capitalizing on is the hard drive encryption module. There are six vulnerabilities since I would identify an avenue and files to exploit, and then I would notify Diebold of the concern, they would resolve the issue, and subsequently, I would discover an alternate method to achieve the same result. These are fairly basic attacks.”
The vulnerabilities Burch found all relate to VSS’s functionality for enabling disk encryption on ATM hard drives. Burch says most ATM manufacturers rely on Microsoft’s BitLocker Windows encryption for this purpose, whereas Diebold Nixdorf’s VSS uses an external integration to run an integrity check. The system is set up in a dual-boot configuration with both Linux and Windows partitions. Before the operating system boots, the Linux partition runs a signature integrity check to verify that the ATM hasn’t been compromised, and then boots Windows for normal operation.
“The issue here is that, to perform all these functions, they decrypt the system, which exposes the vulnerability,” Burch says. “The primary limitation that I’m taking advantage of is the unencrypted status of the Linux partition.”
Burch found that he could manipulate the destination of critical system verification files to redirect code execution, in effect giving himself control of the ATM.
Diebold Nixdorf spokesperson Michael Jacobsen tells WIRED that Burch first disclosed these findings to the company in 2022 and that the company has been in discussions with Burch about his Defcon presentation. The company says the vulnerabilities Burch is presenting were all fixed with patches in 2022. Burch notes, however, that as he repeatedly went back to the company with updated versions of the vulnerabilities over the past few years, his understanding was that the company continued to address some of the findings with patches in 2023. Burch adds that he believes Diebold Nixdorf addressed the vulnerabilities at a more fundamental level in April with VSS version 4.4, which encrypts the Linux partition.