Flaws in ATMs of a German Bank open the doors to cyber attacks

A security researcher at the Vulnerability Lab discovered that ATMs at the German savings bank Sparkasse can leak sensitive info during software updates.

The security researcher Benjamin Kunz-Mejri, CEO of the Vulnerability Lab, discovered that ATMs at the German savings bank Sparkasse can leak sensitive data during software updates.

The discovery of the anomaly was casual, Benjamin Kunz-Mejri was was using the ATM when it ejected his card and resulted “temporarily not available.” The expert tried to interact with the ATM and observed a Windows command prompt showing on ongoing update process, he took a video of the information displayed on the terminal.

The change of the status was caused by a software update, and the researcher used the term “timing attack” to describe his interaction with the ATM.

He was surprised that the ATM keyboard was not disabled, allowing an attacker to execute system commands via the command prompt. He also noticed that the card reader remained usable during the update process.

Video recording has allowed the expert to analyze the information displayed on the screen, he noticed that many sensitive data was revealed,  including the bank’s main system branch usernames, serial numbers, network and firewall configurations, device IDs, ATM settings, and two system passwords.

The ATM machines analyzed by the researcher are manufactured by Wincor Nixdorf,  one of the most important company of the retail and banking industry. The flawed terminals are running Windows 7 and Windows XP operating systems. It is likely that other banks which are using the Wincor Nixdorf ATMs might be affected as well.

The experts warn about a large scale attack coordinated by a criminal ring in conjunction with a planned update, they described the following possible attack scenarios:

• The attacker could use the information disclosed during the update process to run a man-in-the-middle (MitM) attack on the targeted bank’s local network. This attacker needs a physical access to bank network.
• The attacker could push a bogus update to reconfigure the ATMs, also in this case he needs a physical access to bank network.
• The Attacker could conduct fraudulent transactions by forcing the ATM crash and corrupt the logging or debugging mechanism.

The Vulnerability Lab reported the security issue to Sparkasse’s Security and Data Protection team in May, the flaw was confirmed after the vulnerability report was received by the internal Finance Security Center.

The Sparkasse bank has already pushed out updates that fix the issue to a limited number of ATMs in the city of Kassel. The purpose is to run further tests before issuing the update to all the ATMs used by the organization.

It is the first time that a German bank admits the security vulnerability in an ATM and reward the researchers.

Pierluigi Paganini

(Security Affairs – ATMs , banking)