A “white hat” hacker from the firm IOActive describes how he discovered a gaping security flaw in cash machines equipped with an NFC reader. According to him, manufacturers have neglected the security of this component to the point where buffer overflow attacks are possible.
ATM security captures the imagination in more ways than one. These are unique, hardened machines: they must physically protect cash and resist computer attacks, all while being installed in public places.
In recent years, various researchers have shown that the security of these ATMs is far from infallible. Until now, however, the attacks have relied on access to a USB port hidden under the casing, or even to internal components. So I can’t imagine a malicious person carrying out such attacks in the wild in the middle of the day.
Researcher Finds Disturbing Way To Attack ATMs
Especially when you consider that these devices are under video surveillance. Other attacks, including network attacks, are possible. But they require precise knowledge of the target ATM’s characteristics and expose the attacker to detection by the security measures the banks have installed.
Josep Rodriguez, a consultant for the security firm IOActive, is what is called a “white hat” or ethical hacker. He has long been interested in the security of these ATMs, and also in NFC technology. And as you have undoubtedly noticed, some ATMs now ship with an NFC reader.
Not all banks use it, but as Josep Rodriguez explains, it is a gaping front door into the machine because of a security flaw known for years. He explains that, using a simple smartphone, he succeeded in triggering a so-called “buffer overflow” attack through an ATM’s NFC reader.
This type of attack works because the ATM’s operating system does not limit the amount of data that can enter through NFC. When the amount of data exceeds the space allocated for it in RAM, the excess continues to be written to adjacent memory addresses that are used by other parts of the system. With a little reverse engineering, the attacker can then do just about anything he wants on the target machine.
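The missing length check described above, shown as an added C example that is not from the article, the researcher, or any vendor's firmware. The one-byte length prefix, the 64-byte receive buffer and all function names are assumptions made for illustration; the first function shows the trusted-length copy and the second validates the length before copying.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define RX_BUF_SIZE 64   /* assumed size of the reader's fixed receive buffer */

/* Hypothetical frame layout, constructed for this example:
 *   frame[0]     payload length as declared by the sender (card or phone)
 *   frame[1..]   payload bytes                                              */

/* Flawed pattern: the sender-controlled length is trusted as-is. Any declared
 * length above RX_BUF_SIZE makes memcpy write past the end of rx_buf.        */
int store_payload_unchecked(uint8_t *rx_buf, const uint8_t *frame)
{
    memcpy(rx_buf, frame + 1, frame[0]);
    return frame[0];
}

/* Hardened pattern: validate the declared length against both the bytes
 * actually received and the destination size before copying anything.       */
int store_payload_checked(uint8_t *rx_buf, size_t rx_size,
                          const uint8_t *frame, size_t frame_len)
{
    if (rx_buf == NULL || frame == NULL || frame_len < 1)
        return -1;                       /* malformed call or empty frame */
    size_t declared = frame[0];
    if (declared > frame_len - 1)
        return -2;                       /* claims more bytes than arrived */
    if (declared > rx_size)
        return -3;                       /* would overflow the destination */
    memcpy(rx_buf, frame + 1, declared);
    return (int)declared;
}

/* Constructed test input: a frame whose length byte is `declared` and which
 * carries `actual` (<= 255) payload bytes. Returns the checked result.       */
int run_checked(uint8_t declared, size_t actual)
{
    uint8_t frame[1 + 255] = { 0 };
    uint8_t rx_buf[RX_BUF_SIZE];
    frame[0] = declared;
    memset(frame + 1, 0x41, actual);
    return store_payload_checked(rx_buf, sizeof rx_buf, frame, 1 + actual);
}
```

Rejecting the frame outright, rather than truncating it to fit, keeps a malformed message from being processed any further.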
Fixing The NFC Security Flaw On All ATMs In Circulation Will Take Time
For example, he was able to tell the machine to record all the bank card numbers that pass through its reader, change the amount of transactions on the fly, and, in at least one case, even force the ATM to dispense all of its contents (an attack also known as “jackpotting”). Wired explains:
“Rodriguez has built an Android application that allows his smartphone to mimic radio communications from bank cards and exploit loopholes in the system’s NFC firmware. By waving his smartphone, he can exploit a variety of bugs to crash ATMs, hack them to collect and transmit credit card data, invisibly change the value of transactions, and even lock down devices while displaying a ransomware message”.
The security researcher warned the manufacturers of the issue between 7 months and a year ago, including ID Tech, Ingenico, Verifone, Crane Payment Innovations, BBPOS, Nexgo, and a vendor left unidentified because of an even more serious security flaw. To force them to act quickly, he has already announced that he will release technical details in the coming weeks.
It remains to be seen whether it is technically possible for the manufacturers concerned to actually close the security flaw on all devices in circulation. Josep Rodriguez himself admits it: “patching several hundred thousand ATMs physically is something that will take a lot of time”.
The demonstration of the attack did not take place in the United States, where the security of banking systems can sometimes be weaker, but in Madrid, in Europe. The researcher concludes: “These vulnerabilities have been present in firmware for years, and we have used these devices daily to manage our credit cards, our money. It has to be more secure”.