"Diebold Nixdorf ATM Flaws Allowed Attackers to Modify Firmware, Steal Cash"

Security researchers with Positive Technologies shared information about two vulnerabilities found in Diebold Nixdorf ATMs. The exploitation of these security flaws could have allowed an attacker to replace the firmware on the system and withdraw cash. The vulnerabilities, tracked as CVE-2018-9099 and CVE-2018-9100, were discovered in the Wincor Cineo ATMs with the RM3 and CMD-V5 dispensers. Diebold acquired Wincor Nixdorf in 2016, and then the companies merged. The ATMs were found to have a set of security measures implemented to prevent black box attacks, including end-to-end encrypted communication with the cash dispenser, but the researchers discovered that it was possible to work around such measures. They were able to bypass the command encryption between the ATM computer and the cash dispenser, and replace the ATM firmware with an outdated one. Then they exploited the flaws to make the system spew cash. Although encryption is applied to prevent black box attacks, the researchers figured out that an attacker could extract the keys used for encryption and forge their own firmware to load on the compromised ATM. The system performs firmware integrity checks as an extra step for protection. However, researchers identified the components involved within the check process in the code that verifies the firmware signature and in the firmware. Diebold Nixdorf, which issued patches for the vulnerabilities, suggests implementing physical authentication when an operator performs firmware installation as an extra layer of protection against unauthorized access. This article continues to discuss the discovery, potential exploitation, and impact of the Diebold Nixdorf ATM flaws.

Security Week reports "Diebold Nixdorf ATM Flaws Allowed Attackers to Modify Firmware, Steal Cash"