Researchers from Positive Technologies have identified vulnerabilities in Wincor ATMs of the Cineo line (the trademark belongs to the Diebold Nixdorf concern). As it turns out, they can be forced to issue cash by issuing a command from an external device - despite protection against such attacks. The test showed that the built-in protection against black box attacks (end-to-end encryption of control traffic) can be bypassed by changing the firmware of the dispenser controller.
If you have access to a USB port, the desired result - forced cash withdrawal - can be achieved in a few minutes. The test attack, carried out in laboratory conditions, consisted of three stages: connecting a third-party device to the ATM, downloading outdated and vulnerable firmware, and exploiting vulnerabilities to gain access to the contents of the cassettes.
“On a popular classifieds website, we purchased the same controller that controls the output that is installed in serial Wincor ATMs,” says Vladimir Kononovich, senior specialist in the PT department for the security of industrial control systems. “Code errors and old encryption keys found in the controller made it possible to connect to the ATM using your own computer (as in the case of a classic black box attack), bypass encryption and issue cash.” The problem is relevant for Wincor Cineo with RM3/CRS and CMD v5 dispensers (CVE-2018-9100 and CVE-2018-9099, respectively).
You can get rid of it by updating the firmware by requesting the latest version from the ATM manufacturer. Vendors are also encouraged to enable physical authentication for the operator during firmware installation. Both vulnerabilities were discovered and reported to the manufacturer more than three years ago. Diebold Nixdorf said the problem had already been fixed, so the authors of the findings decided to publish their study.
The results will also be presented on October 29 at the Hardwear.io hardware security conference taking place this week in the Netherlands. In 2018, Positive Technologies specialists helped another major ATM manufacturer, NCR, get rid of a similar vulnerability. This vendor showed great efficiency and patched the gap in a short time.
(c) https://www.anti-malware.ru/news/2021-10-26-114534/37303
If you have access to a USB port, the desired result - forced cash withdrawal - can be achieved in a few minutes. The test attack, carried out in laboratory conditions, consisted of three stages: connecting a third-party device to the ATM, downloading outdated and vulnerable firmware, and exploiting vulnerabilities to gain access to the contents of the cassettes.
“On a popular classifieds website, we purchased the same controller that controls the output that is installed in serial Wincor ATMs,” says Vladimir Kononovich, senior specialist in the PT department for the security of industrial control systems. “Code errors and old encryption keys found in the controller made it possible to connect to the ATM using your own computer (as in the case of a classic black box attack), bypass encryption and issue cash.” The problem is relevant for Wincor Cineo with RM3/CRS and CMD v5 dispensers (CVE-2018-9100 and CVE-2018-9099, respectively).
You can get rid of it by updating the firmware by requesting the latest version from the ATM manufacturer. Vendors are also encouraged to enable physical authentication for the operator during firmware installation. Both vulnerabilities were discovered and reported to the manufacturer more than three years ago. Diebold Nixdorf said the problem had already been fixed, so the authors of the findings decided to publish their study.
The results will also be presented on October 29 at the Hardwear.io hardware security conference taking place this week in the Netherlands. In 2018, Positive Technologies specialists helped another major ATM manufacturer, NCR, get rid of a similar vulnerability. This vendor showed great efficiency and patched the gap in a short time.
(c) https://www.anti-malware.ru/news/2021-10-26-114534/37303
