Positive Technologies research finds ATM vulnerabilities enable illegal cash withdrawals, such as in Wincor Cineo ATMs

Positive Technologies researchers, Vladimir Kononovich and Alexey Stennikov have discovered vulnerabilities in the Wincor Cineo ATMs, with the RM3 and CMD-V5 dispensers (Wincor is currently owned by Diebold Nixdorf).

ATM cyber-attacks

With access to the dispenser controller’s USB port, an attacker can install an outdated or modified firmware version (for example, with disabled encryption), to bypass the encryption and make cash withdrawals. Diebold Nixdorf (Diebold Incorporated) has more than 1 million of its ATMs installed worldwide, making it one of the largest ATM manufacturers, with a 32 percent share of the global market.

Most previous generations of ATMs could not withstand black-box attacks. In such cases, a hacker connects to the dispenser, via a computer or mobile device, and sends a special code, which results in the ATM dispensing money. In research performed by Positive Technologies in 2018, 69 percent of ATMs turned out to be vulnerable to such attacks and could be hacked in minutes.

Modern ATMs with built-in protection against black-box attacks

Modern ATMs, including Wincor Cineo, have built-in protection against black-box attacks

Modern ATMs, including Wincor Cineo, have built-in protection against black-box attacks. This protection is achieved by using end-to-end encryption between an ATM computer and the dispenser. The computer sends encrypted commands to the dispenser and a hacker cannot withdraw money, without encryption keys stored on the ATM computer.

Vladimir Kononovich, Senior Specialist of ICS Security, at Positive Technologies, said “In the case of Wincor Cineo, we managed to figure out the command encryption used in the interaction between the PC and the controller, and bypass the protection against black-box attacks. At a popular website, we bought the same dispensing controller, as the one used in Wincor's ATMs.”

Issues of bugs in controller code and old encryption keys

Vladimir Kononvich adds, “Bugs in the controller code and old encryption keys allowed us to connect to an ATM, using our own computer (as in a classic black-box attack) and bypass the encryption, and make cash withdrawal. Currently, the attack scenario consists of three steps - Connecting a computer to an ATM, loading outdated and vulnerable firmware, and exploiting the vulnerabilities to access the cassettes, inside the safe.”

According to Vladimir Kononovich, some manufacturers rely on security through obscurity, with proprietary protocols that are poorly studied and the goal of making it difficult for attackers to procure equipment, in order to find vulnerabilities in such devices. However, the research shows that such equipment is not difficult to find on the open market and analyse, which can be used by criminal groups.

CVE-2018-9099 and CVE-2018-9100 vulnerabilities

The first flaw, CVE-2018-9099, was detected in the firmware of the CMD-V5 dispenser

Both vulnerabilities received a CVSSv3.0 score of 6.8. The first flaw, CVE-2018-9099, was detected in the firmware of the CMD-V5 dispenser (all versions up to and including - 141128 1002 CD5_ATM.BTR and 170329 2332 CD5_ATM.FRM). The second, CVE-2018-9100, was detected in the firmware of the RM3/CRS dispenser (all versions up to and including - 41128 1002 RM3_CRS.BTR and 170329 2332 RM3_CRS.FRM).

To fix the vulnerabilities, credit organisations must request the latest firmware version from ATM manufacturers. Moreover, as an additional security factor, the vendor should enable physical authentication for the operator during firmware installation.

hardwear.io security conference

On October 29, Vladimir Kononovich will talk about the detected vulnerabilities at the hardwear.io hardware security conference, taking place in The Netherlands. In 2018, Positive Technologies experts helped eliminate vulnerabilities in ATMs of another major ATM machines manufacturer, NCR (NCR Corporation).