There’s a long tradition at the annual Defcon security conference in Las Vegas of hacking ATMs. Unlocking them with safe-cracking techniques, rigging them to steal users’ personal information and PINs, creating and perfecting ATM malware, and, of course, hacking them to spit out all their cash. Many of these projects have targeted so-called retail ATMs, standalone devices like those you’d find at a gas station or a coffee shop. But on Friday, independent researcher Matt Burch will present findings related to “financial” or “corporate” ATMs used by banks and other large institutions.
Burch is demonstrating six vulnerabilities in ATM maker Diebold Nixdorf’s widely deployed security solution, known as Vynamic Security Suite (VSS). The vulnerabilities, which the company says have all been patched, could be exploited by attackers to bypass a rogue ATM’s hard drive encryption and take full control of the machine. And while fixes for the bugs are available, Burch cautions that in practice, patches may not be widely deployed, potentially leaving some ATMs and cash dispensers exposed.
“Vynamic Security Suite does a bunch of things: It has endpoint protection, USB filtering, delegated access, and a lot more,” Burch tells WIRED. “But the specific attack surface that I’m taking advantage of is the hard drive encryption module. And there are six vulnerabilities, because I would identify a path and files to exploit, and then I would report it to Diebold, who would fix it, and then I would find another way to achieve the same result. They’re relatively simplistic attacks.”
The vulnerabilities Burch found are all in the VSS functionality to enable disk encryption for ATM hard drives. Burch says most ATM manufacturers rely on Microsoft’s BitLocker Windows encryption for this purpose, but Diebold Nixdorf’s VSS uses a third-party integration to perform an integrity check. The system is set up in a dual-boot configuration that has both Linux and Windows partitions. Before the operating system boots, the Linux partition performs a signature integrity check to validate that the ATM has not been compromised, and then boots it into Windows for normal operation.
“The problem is, in order to do all this, they decrypt the system, which opens up the opportunity,” Burch says. “The fundamental flaw that I’m exploiting is that the Linux partition was not encrypted.”
Burch discovered that he could manipulate the location of critical system validation files to redirect code execution; in other words, gain control of the ATM.
Diebold Nixdorf spokesman Michael Jacobsen told WIRED that Burch first told them about the findings in 2022, and that the company has been in touch with Burch about his Defcon talk. The company says the vulnerabilities Burch presented were all patched in 2022. Burch notes, however, that while he has returned to the company with new versions of the vulnerabilities over the past two years, his understanding is that the company has continued to address some of the findings with patches in 2023. And Burch adds that he believes Diebold Nixdorf addressed the vulnerabilities at a more fundamental level in April with VSS version 4.4 that encrypts the Linux partition.