ATM Software Flaws Could Allow Attackers to Control Cash Machines

Tech Read Team

At the annual Defcon security conference in Las Vegas, hacking ATMs has become quite a tradition. From unlocking them using safecracking techniques to crafting sophisticated ATM malware, hackers have been exploring various ways to exploit these machines. While most projects targeted retail ATMs found at gas stations and bars, independent researcher Matt Burch is shedding light on vulnerabilities in the “financial” or “enterprise” ATMs used by banks and large institutions.

Burch is unveiling six vulnerabilities in Diebold Nixdorf’s Vynamic Security Suite (VSS), a widely deployed security solution for ATMs. Although Diebold Nixdorf claims to have patched these vulnerabilities, attackers could still use them to bypass an ATM’s hard drive encryption and gain full control over the machine. Burch warns that, even with patches available, the fixes might not be widely implemented, potentially leaving some ATMs and cash-out systems vulnerable.

Explaining the attack surface he targeted, Burch mentioned, “Vynamic Security Suite does a number of things—it has endpoint protection, USB filtering, delegated access, and much more. But the specific attack surface that I’m taking advantage of is the hard drive encryption module. And there are six vulnerabilities, because I would identify a path and files to exploit, and then I would report it to Diebold, they would patch that issue, and then I would find another way to achieve the same outcome. They’re relatively simplistic attacks.”

The vulnerabilities Burch discovered are related to VSS’s function of activating disk encryption for ATM hard drives. While most ATM manufacturers rely on Microsoft’s BitLocker Windows encryption, Diebold Nixdorf’s VSS uses a third-party integration for an integrity check. The system uses a dual-boot setup with Linux and Windows partitions, where the Linux partition conducts a signature integrity check before booting into Windows for regular operations.

“The problem is, in order to do all of that, they decrypt the system, which opens up the opportunity,” Burch explained. “The core deficiency that I’m exploiting is that the Linux partition was not encrypted.”

By manipulating the location of critical system validation files, Burch was able to redirect code execution, essentially gaining control of the ATM.

Diebold Nixdorf spokesperson Michael Jacobsen informed WIRED that Burch disclosed the findings to them in 2022 and that the company has been collaborating with Burch regarding his Defcon presentation. The company claims that the vulnerabilities highlighted by Burch were addressed with patches in 2022. However, Burch mentioned that as he revisited the company with new vulnerabilities over the past few years, Diebold Nixdorf continued to address some of the findings with patches in 2023. Additionally, Burch believes that Diebold Nixdorf tackled the vulnerabilities at a more fundamental level in April with VSS version 4.4 by encrypting the Linux partition.
