They explain to a Black Hat panel how a small flaw near an ATM’s speakers let them turn the machine into a cash fountain.
Never say your machine can’t be hacked.
That’s perhaps one of the lessons ATM maker Diebold Nixdorf learned after security researchers showed how they could turn one of the company’s machines into a cash fountain. A simple hack of an exposed USB in one of Diebold Nixdorf’s popular Opteva ATMs allowed researchers at security company IOActive to get it to spew out cash until it was empty.
During IOActive’s “Breaking Embedded Devices” panel at Black Hat on Wednesday, researchers showed that it’s not just computers, phones and servers that can be exploited — it’s anything with a chip or an internet connection, no matter how small its function.
Embedded systems, as the term denotes, are mass produced systems that only have a single role in a machine, whether it’s to dispense cash or check how much ink is in your printer. Because they have such simple jobs, security often isn’t a priority.
But IOActive showed at Black Hat that a machine’s security is only as strong as its weakest link, and embedded systems make for easy targets.
In the past, we’ve seen researchers use vulnerabilities to hijack cars, smart homes and guns. Connected toys have shown that they still have a security roadblock to overcome. And the majority of people are nervous that their smart refrigerator or connected diaper pads will get hacked.
The ATM hack is just the latest example of how security, especially when it comes to the little things, can get overlooked.
Mike Davis, the director of embedded systems security at IOActive, said he reached out to Diebold Nixdorf multiple times about the vulnerability. He said he told the company that it had a security flaw near the ATM’s speakers in the upper section. The same spot provided an opening for potential hackers to loosen and expose a USB port.
“It’s a little bit like a magic trick, but no kidding, it took seconds to getting the ATM to open,” Davis said.
When Diebold Nixdorf learned about the opening, Davis said, the company “didn’t consider it enough of a security issue to address,” because it believed only the bottom portion of the ATM needed to be secured — where the cash is stored.
IOActive said the company argued that the vulnerability wouldn’t allow anyone to steal any money because the cash is safely locked in the bottom.
“We decided to say OK, challenge accepted. We’re pretty sure we can just ask it to give us the money,” Davis said.
The IOActive team plugged a netbook to the exposed USB port and injected in code to the ATM’s Automatic Funds Distributor, a bot on the embedded system that decides how much money to send out. It reverse-engineered the bot and tricked the machine to empty out its entire stash.
Since being able to swindle Diebold Nixdorf’s ATMs, IOActive said it’s been trying to work with the company to test out security flaws on its other machines. According to iOActive, Diebold declined the help, saying IOActive had only hacked an outdated ATM.
A spokeswoman for Diebold Nixdorf said the machine IOActive hacked was from between 2008 and 2009, and never received any security patches or maintenance.
“Like any connected device that does not receive proper maintenance and patching — especially one nearly 10 years old — the risk for it to be compromised increases,” the spokeswoman said.
Diebold Nixdorf was unable to say how many of its ATMs from 2008 to 2009 are still in use and added that in most cases, it’s up to financial institutions to keep software up to date. It’s unclear if the vulnerability has since been fixed.