In the wake of recent allegations that ATM locks worldwide are vulnerable to new side-channel attacks, Sargent and Greenleaf (S&G), a manufacturer of high-quality electronic ATM locks, recently conducted vulnerability testing to provide insight and identify ways ATM owners and operators can protect their machines against side-channel attacks.
Side-channel attacks, which can exploit internal components of electronic locks, first emerged in 2015 and continue to plague electronic lock users today. In a nutshell, attacks are most effective when access, information and speed are present.
Exposed external connection points
If the hacker can quickly and easily gain access and make a connection, a breach is more likely to happen"
“If the hacker can quickly and easily gain access and make a connection, a breach is more likely to happen,” states Travis Ferry, an engineer with Sargent and Greenleaf and part of the core team that conducted the company’s vulnerability testing.
Ferry immediately noted that ATM locks with exposed external connection points render the attacks more likely, with some locks vulnerable to being hacked in as little as five minutes. “Theoretically, a hacker could still get access to an ATM lock with a solid ring around it,” Ferry continues, “but, it would take time, and these attackers rely on speed to accomplish a breach.”
High-level findings to the industry
The company’s vulnerability testing also examined the type of electronic information stored within ATM locks and found that some locks retain complete static access codes in certain modes of operation without requiring touch keys for access. S&G’s report states that once hackers obtain an access code, it’s easy to open the lock and gain entry to where the ATM’s cash is stored.
S&G released high-level findings to the industry in September that could better protect ATMs
S&G released high-level findings to the industry in September that could better protect ATMs around the United States and the world. “Millions of ATMs are deployed globally,” said Devon Ratliff, Director of Engineering for Sargent and Greenleaf. “People want to feel secure about their money and cash-in-transit companies need to know their machines are safe from compromise.”
Minimising access and encryption information
Among the many suggestions from the S&G report, the top recommendations include adding tamper-resistant solid ring housings to ATM locks, minimising access and encryption information stored in the locks, and implementing multiple layers of authentication through one-time codes, touch keys and time windows.
“Today’s ATM owners and operators have a lot to contend with,” Ratliff says. “Threats like side-channel attacks and jackpotting aren’t just theoretical; they result in real losses and significant downtime for these businesses.” Ratliff recommends that ATM owners and operators secure their machines with locks designed to deter side-channel attacks and consider adding accessories like ATM hood protection as well. “We can’t predict the future,” Ratliff concludes, “but, we can be pro-active and stay responsive to the threats we face today.”
