At the annual Defcon security conference in Las Vegas, there is a long tradition of hacking ATMs. They are unlocked with safe-cracking techniques, manipulated to steal users’ personal data and PIN numbers, ATM malware is created and perfected, and, of course, hacked to make them spew out all the money. Many of these projects targeted so-called retail ATMs — stand-alone devices like those found at a gas station or bar. But on Friday, independent researcher Matt Burch will present his findings related to “financial” or “enterprise” ATMs used at banks and other large institutions.
Burch is demonstrating six vulnerabilities in ATM maker Diebold Nixdorf’s widely used security solution, known as Vynamic Security Suite (VSS). The vulnerabilities, which the company says have already been fixed, could be exploited by attackers to bypass an unpatched ATM’s hard drive encryption and take full control of the machine. And while there are fixes available for the bugs, Burch warns that in practice, the patches may not be widely deployed, potentially leaving some ATMs and cash-out systems exposed.
“Vynamic Security Suite does a number of things: it has endpoint protection, USB filtering, delegated access, and much more,” Burch tells WIRED. “But the specific attack surface I’m leveraging is the hard drive encryption module. And there are six vulnerabilities because I would identify a path and files to exploit, and then I would report that to Diebold, they would fix the problem, and then I would find another way to achieve the same result. They’re relatively simplistic attacks.”
The vulnerabilities Burch found are all in VSS’s functionality to enable disk encryption for ATM hard drives. Burch says most ATM manufacturers rely on Microsoft’s Windows BitLocker encryption for this purpose, but Diebold Nixdorf’s VSS uses a third-party integration to run an integrity check. The system is set up in a dual-boot configuration that has both Linux and Windows partitions. Before the operating system boots, the Linux partition runs a signature integrity check to validate that the ATM has not been compromised and then boots it into Windows for normal operation.
“The problem is that in order to do all that, they decrypt the system, which opens up the possibility,” Burch says. “The main flaw I’m exploiting is that the Linux partition was not encrypted.”
Burch discovered that he could manipulate the location of critical system validation files to redirect code execution—or, in other words, give himself control of the ATM.
Diebold Nixdorf spokesperson Michael Jacobsen told WIRED that Burch first disclosed the findings to them in 2022, and that the company has been in touch with Burch about his talk at Defcon. The company says the vulnerabilities Burch is presenting were addressed with patches in 2022. Burch notes, however, that when he’s come back to the company with new versions of the vulnerabilities in recent years, his understanding is that the company has continued to address some of the findings with patches in 2023. And Burch adds that he believes Diebold Nixdorf addressed the vulnerabilities at a more fundamental level in April with version 4.4 of VSS that encrypts the Linux partition.
