Two critical zero-day vulnerabilities found at thousands of ATMs

A team of digital forensics specialists has reported two major zero-day vulnerabilities in some ATMs widely used in the US, among other territories. If exploited, these flaws could allow a hacker to steal cash and extract sensitive information from users.

Experts Trey Keown and Brenda So from security firm Red Balloon discovered these flaws in ATMs manufactured by Nautilus Hyosung, which has a large presence throughout North America, especially in the U.S.

To find the vulnerabilities, the digital forensics experts only had to gain access to the network to which a compromised ATM was connected; with that access, they were able to demonstrate that it was possible to gain full control of the machine and avoid detection by security software.

The vulnerabilities affect the ATM's remote control system as well as the software that controls the machine's peripheral devices; according to the experts, it is really easy to access a compromised network to exploit the flaws.

After receiving the vulnerability report, Nautilus released a joint statement with Red Balloon saying that these flaws have not been exploited in the wild. In addition, the experts mention that, out of the 150k Nautilus ATMs operating in the U.S., about 80k machines are vulnerable to exploitation.

Although the company has a presence in multiple countries and is a subsidiary of South Korea-based Hyosung Corp., the security flaws appear to affect only the ATMs operated and distributed by its US affiliate.

The vulnerabilities were detected and reported last summer; about a week after receiving the report, Nautilus announced firmware security updates to prevent the flaws from being exploited, the digital forensics experts mention.

All of the company’s business partners were warned about the security flaws so that they could request the update of their ATMs as soon as possible.

It is not yet clear how far the installation of these security patches has progressed, as the process requires a technician to visit each possibly compromised ATM in person. In this regard, Ang Cui, founder and CEO of Red Balloon, considers it unlikely that the company will be able to update the firmware of all its ATMs, as it may not even have the staff to do so, and the new security measures will themselves require updates in the future. Moreover, the manufacturer specified that, for security reasons, it is not possible to provide further details about the vulnerabilities and exploits.

According to the digital forensics experts of the International Institute of Cyber Security (IICS), the compromised information could be really useful to a hacker or scammer, as it is almost a list of the ATMs most exposed to cyberattacks. The need to physically access a compromised device often reduces the chances of a vulnerability being exploited; however, experts point out that all the flaws found in this investigation can be exploited remotely, which increases the seriousness of these reports a little bit.
