As if the abysmal state of ATM security protocols and the continuous evolution of threat vectors were not enough, a security researcher has now identified NFC-related vulnerabilities that could allow hacking of an ATM. This is not entirely shocking as, back in 2019, Kaspersky Labs documented the WinPot malware, which could allow a hacker with physical access to a machine’s innards to make it spit out cash. A year earlier, the US government uncovered a hacking group behind a malware attack called Operation FASTCash that wiped out millions from ATMs in many countries.
Over the years, the techniques of jackpotting banking machines have evolved, and most of it has to do with finding vulnerabilities that remain unpatched for years due to a continued reliance on legacy systems. Researchers have proved at multiple cybersecurity conventions that a majority of ATMs are still vulnerable to typical attacks, such as communication spoofing or bypassing the internal hard drives of a machine, simply because they run outdated software and are not maintained regularly.
Further exacerbating the woes, Josep Rodriguez has now documented vulnerabilities associated with NFC (Near-Field Communication) readers used in a wide range of banking machines worldwide, as reported by Wired. The researcher claims to have built an Android app that can be used to hack or crash the NFC reader on an ATM machine just by waving a phone over it. The flaws discovered could be exploited to crash point-of-sale (POS) machines, hack them to steal credit card data, display a fake transaction value, or even lock the POS devices.
Vulnerabilities Galore, But Poor Patching Multiplies The Risk
Rodriguez notes that with knowledge of a few additional bugs, it is possible to exploit the technique to force an ATM of a particular banking institution into dispensing cash. In a video shared as proof of concept, Rodriguez crashed an ATM by waving a phone in front of the machine’s NFC reader. According to Rodriguez, the right payload attack would make an ATM dispense cash by just tapping a phone against it. Karsten Nohl from security firm SRLabs mentioned that Rodriguez’s findings are excellent, but the NFC trick can only be used to hack credit card data and not details such as a PIN. Moreover, stealing cash from an ATM using the NFC exploit would require additional knowledge of system-level vulnerabilities.
However, Rodriguez notes that a majority of banking-related machines remain vulnerable because many of them don’t receive regular software updates to fix critical flaws. In many cases, physical access to those machines is required to update the system, which makes the challenge even more daunting due to the sheer number of machines out there. Needless to say, it would require a lot of time and resources to accomplish the goal. Dr. Ang Cui, the founder of Red Balloon Security, notes that the NFC vulnerabilities documented by Rodriguez can indeed be misused to steal cash from a modern ATM.
Rodriguez’s technique involves sending, from a phone, a data packet that is much larger than what a credit card sends to an NFC reader, essentially overloading the reader to corrupt its memory and execute malicious code. The cybersecurity expert, who kept the findings a secret for more than one year, now looks forward to sharing them in an online seminar. The goal, however, is to highlight how bad the maintenance of such machines is, and how vulnerabilities like this continue to remain unpatched for years.
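The oversized-packet flaw described above comes down to reader firmware trusting a length that the sender controls. The C code below is an added example, not code from Rodriguez’s research or from any reader vendor; the frame layout, the 256-byte limit and every name in it are assumptions made for illustration, and it shows the bounds checks that keep such a packet from overwriting memory.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Assumed frame layout (hypothetical): [len_hi][len_lo][payload ...] */
#define CARD_BUF_MAX 256u   /* constructed limit for a legitimate card reply */
#define SAMPLE_MAX   2048u  /* largest constructed test frame built below */

enum frame_status { FRAME_OK, FRAME_TRUNCATED, FRAME_TOO_LARGE, FRAME_LEN_MISMATCH };
struct card_reply { uint8_t data[CARD_BUF_MAX]; size_t len; };

/* Copy one received frame's payload into a fixed-size buffer, refusing any
 * frame whose length field the buffer or the received bytes cannot back. */
enum frame_status parse_frame(const uint8_t *rx, size_t rx_len, struct card_reply *out)
{
    if (rx == NULL || out == NULL || rx_len < 2)
        return FRAME_TRUNCATED;
    size_t declared = ((size_t)rx[0] << 8) | rx[1];
    size_t received = rx_len - 2;

    /* The check whose absence turns an oversized packet into memory
     * corruption: the sender-controlled length must fit the destination. */
    if (declared > sizeof out->data)
        return FRAME_TOO_LARGE;
    /* The length field must also agree with what actually arrived. */
    if (declared > received)
        return FRAME_TRUNCATED;
    if (declared < received)
        return FRAME_LEN_MISMATCH;

    memcpy(out->data, rx + 2, declared);
    out->len = declared;
    return FRAME_OK;
}

/* Build a constructed frame declaring `declared` bytes but carrying `sent`. */
enum frame_status check_sample(size_t declared, size_t sent)
{
    static uint8_t rx[2 + SAMPLE_MAX];
    struct card_reply reply;
    if (declared > 0xFFFF || sent > SAMPLE_MAX)
        return FRAME_TOO_LARGE;
    rx[0] = (uint8_t)(declared >> 8);
    rx[1] = (uint8_t)(declared & 0xFF);
    memset(rx + 2, 0xA5, sent);
    return parse_frame(rx, 2 + sent, &reply);
}

int main(void) { return check_sample(16, 16) == FRAME_OK ? 0 : 1; }
```

A frame that is rejected should also be logged with its declared length, since a run of oversized frames at one terminal is a useful signal for the team monitoring the fleet.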
Source: Wired