Positive Technologies researchers found two serious vulnerabilities that affect ATMs made by NCR. Researchers were able to launch black box attacks that forced the machines to dispense cash without authorization. What are these ATM vulnerabilities, and how does a black box attack work?
Researchers from Positive Technologies What are these ATM vulnerabilities— Vladimir Kononovich and Alexey Stennikov — found two vulnerabilities affecting the NCR S1 and S2 cash dispenser controllers, ATM currency dispensers made by NCR. While the two flaws have since been patched, they could have been exploited to install outdated firmware that could enable attackers to induce vulnerable ATMs to dispense cash.
Both flaws could have enabled attackers to roll back firmware on the devices to an older and more vulnerable version. The S1 controller vulnerability is tracked as CVE-2017-17668 while the S2 controller vulnerability is tracked as CVE-2018-5717. In either case, insufficient protection of the memory write mechanism enabled unauthenticated attackers to execute arbitrary code, install firmware containing vulnerabilities and bypass the firmware’s anti-rollback mechanism.
In order to uncover these flaws, researchers conducted a black box attack, which is a type of attack that directly connects with the dispenser for cash withdrawal. In a black box attack, the attackers have no knowledge of the target system’s internal workings — they see only the output produced by the targeted ATMs in response to their inputs.
A black box attack, which is sometimes also known as a logical attack, is not dependent on a specific operating system or application control software, and it doesn’t generate logs or leave a trace on the targeted systems.
For their attack on the vulnerable ATMs, the researchers had to depend on the inputs to the ATM black box — requests submitted through the ATM user interface — and outputs — either cash withdrawals or some failure mode if the withdrawal attempts failed. Detailed knowledge of the hardware internals inside the black box was not required to trick the ATM into dispensing cash.
After being alerted of the vulnerabilities, NCR released critical firmware updates to protect against black box attacks, specifically by updating the firmware rollback vulnerability. The mechanism used to authorize encrypted communications via the dispenser was also strengthened by NCR, which added protection against the use of endoscope technology. While endoscope technology works well to view internal connections on some older ATM models, such as a Personas ATM connected with an RS-232 cable, these models cannot be updated with a firmware fix due to limitations of old hardware resources.
Ask the expert:
Want to ask Judith Myerson a question about security? Submit your question now via email. (All questions are anonymous.)