ATMs Used By a German Bank Found To Be Vulnerable

Hello folks!

Sparkasse is a German savings bank that is now patching its ATMs and self-service terminals after finding that its machines were revealing a lot of sensitive information during software updates.

Benjamin Kunz-Mejri, CEO and founder of Germany-based security firm Vulnerability Lab, discovered the flaw after a Sparkasse terminal suddenly ejected his card and changed its status to “temporarily not available.” A Windows command prompt appeared while he was interacting with the device, indicating that the ATM was unavailable due to a software update.

Kunz-Mejri mentioned that updates usually happen in the background, but interacting with these devices makes the process visible. The researcher described his interaction with the machine as a “timing attack,” but he did not want to disclose additional details in order to prevent abuse.

Kunz-Mejri recorded a video of the information displayed on the terminal’s command prompt screen once he discovered the flaw. When he later reviewed the video, he realised that it contained a lot of sensitive information, including the bank’s main system branch usernames, serial numbers, firewall settings, network information, device IDs, ATM settings, and two system passwords.

While the update was running, the self-service terminal’s keyboard remained enabled, and because these devices have a full keyboard, system commands could be executed via the exposed command prompt on the underlying Windows operating system. Interacting with the machine also caused the card reader to remain available and usable for other operations.

Some of the devices tested by Vulnerability Lab were manufactured by Wincor Nixdorf, a German company that manufactures, sells, installs and services retail and banking hardware and software. The affected ATMs and self-service terminals run Windows 7 and Windows XP.

Vulnerability Lab described several possible attack scenarios in an advisory. An attacker who records the information displayed during the update process could use it for a man-in-the-middle (MitM) attack on the targeted bank’s local network. Such an attack, however, would require access to the local network inside the bank’s building.

If an attacker gains access to the local network, the exposed information could be used to reconfigure the ATM with a rogue update.

The researchers also believe that fraudulent transactions could be possible if the ATM were tampered with in order to crash it and corrupt its logging or debugging mechanism.

The researchers warned that a larger, more coordinated attack targeting multiple ATMs and self-service terminals could be conducted if fraudsters determined the time and date of the update schedules.

Vulnerability Lab noted that it took 17 minutes to record all the information displayed on the screen.

So far, only Sparkasse ATMs have been tested, but other banks that use Wincor Nixdorf ATMs and self-service terminals might be affected as well.

Vulnerability Lab first reported the information disclosure and hardware misconfiguration flaws to Sparkasse’s Security and Data Protection team in May. Once the report reached the Finance Security Center in Frankfurt, the issues were confirmed.

Updates have already been rolled out to address the vulnerabilities on some of the bank’s ATMs in the German city of Kassel (Hessen) as part of a pilot program. The update will be installed in other regions after the new configuration has been properly tested.

Kunz-Mejri has been thanked and rewarded by Sparkasse for his efforts. Kunz-Mejri says this is the first time a German bank has acknowledged a security researcher for finding vulnerabilities in self-service terminals and ATMs.


Source: Akati