A “white hat” hacker from the firm IOActive explains how he discovered a gaping security flaw in cash machines equipped with an NFC reader. According to him, the manufacturers have neglected the security of this component to the point that it is possible to conduct buffer overflow attacks.
ATM security captures the imagination in more ways than one. These machines are a very particular kind of secure equipment, since they must ensure both the physical protection of cash and protection against computer attacks, all while being installed in public places.
In recent years, various researchers have shown that the security of these ATMs is far from infallible. However, until now, the attacks have relied on access to a USB port hidden under the casing, or even to internal components. So it is difficult to imagine a malicious person carrying out such attacks in the wild in the middle of the day.
Researcher finds disturbing way to attack ATMs
Especially when you take into account that these devices are generally under video surveillance. Other attacks, particularly over the network, are possible. But they require precise knowledge of the characteristics of the target ATM, while exposing the attacker to detection, given the security measures installed by the banks.
Josep Rodriguez, a consultant for the security firm IOActive, is what is called a “white hat” or ethical hacker. He has long been interested in the security of these ATMs, and also in NFC technology. And as you have undoubtedly noticed, some ATMs now ship with an NFC reader.
It is not used by all banks, but as Josep Rodriguez explains, it is a gaping front door into the machine because of a security vulnerability that has been known for years. He explains that he succeeded, using a simple smartphone, in triggering a so-called “buffer overflow” attack via an ATM’s NFC reader.
This type of attack works because the ATM’s operating system does not limit the amount of data that can enter through NFC. When the amount of data exceeds the space allocated in RAM, data continues to be written to adjacent memory addresses that are used by other parts of the system. With a little reverse engineering, he can then do just about anything he wants on the target machine.
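The mechanism described above, as an added example that is not from the article, IOActive or any vendor's firmware: a constructed model in which a 16-byte NFC receive buffer sits directly before a transaction amount in one flat memory array, with the unbounded copy shown beside a length-checked one. The frame layout (one length byte followed by the payload) and all names are assumptions made for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Constructed model, not vendor firmware: one flat RAM array holding a
 * 16-byte NFC receive buffer followed directly by another component's data. */
#define RX_SIZE  16
#define AMT_OFF  RX_SIZE              /* adjacent field: amount in cents */
#define RAM_SIZE 64
static uint8_t ram[RAM_SIZE];

/* Hypothetical frame: frame[0] = payload length declared by the card,
 * frame[1..] = payload bytes. */

/* Flawed pattern: the only limit is what the card declared. The clamp to
 * RAM_SIZE is there solely to keep this model well-defined C. */
static void rx_unchecked(const uint8_t *frame, size_t frame_len) {
    size_t n = frame[0];
    if (n > frame_len - 1) n = frame_len - 1;
    if (n > RAM_SIZE) n = RAM_SIZE;
    memcpy(ram, frame + 1, n);        /* runs past RX_SIZE when n > 16 */
}

/* Hardened: reject truncated frames and payloads larger than the buffer. */
static int rx_checked(const uint8_t *frame, size_t frame_len) {
    if (frame_len < 1) return -1;
    size_t n = frame[0];
    if (n > frame_len - 1) return -1; /* declares more than was received */
    if (n > RX_SIZE) return -1;       /* does not fit the receive buffer */
    memcpy(ram, frame + 1, n);
    return (int)n;
}

/* Amount field after receiving an n-byte payload of 0xFF (constructed input). */
static uint32_t amount_after(int use_checked, uint8_t n) {
    uint8_t frame[256];
    uint32_t amount = 1000;
    frame[0] = n;
    memset(frame + 1, 0xFF, n);
    memset(ram, 0, sizeof ram);
    memcpy(ram + AMT_OFF, &amount, sizeof amount);
    if (use_checked) rx_checked(frame, (size_t)n + 1);
    else rx_unchecked(frame, (size_t)n + 1);
    memcpy(&amount, ram + AMT_OFF, sizeof amount);
    return amount;
}

int main(void) { return amount_after(1, 20) == 1000 ? 0 : 1; }
```

With a 20-byte payload the unchecked path leaves the adjacent amount field overwritten, while the checked path rejects the frame and the amount stays at 1000.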
Fixing the NFC security flaw on all ATMs in circulation will take time
For example, he was able to tell the machine to record all the bank card numbers that pass through its reader, change the amount of transactions on the fly, and even, in at least one case, force the ATM to dispense all of its cash (an attack also known as “jackpotting”). Wired explains:
“Rodriguez has built an Android application that allows his smartphone to mimic radio communications from bank cards and exploit loopholes in the system’s NFC firmware. By waving his smartphone, he can exploit a variety of bugs to crash ATMs, hack them to collect and transmit credit card data, invisibly change the value of transactions, and even lock down devices while displaying a ransomware message.”
The security researcher warned manufacturers of the issue between 7 months and a year ago, including ID Tech, Ingenico, Verifone, Crane Payment Innovations, BBPOS, Nexgo, and one vendor left unnamed because of an even more serious security flaw. Nevertheless, to force them to act quickly, he has already announced that he will release technical details in the coming weeks.
It remains to be seen whether it is technically possible for the manufacturers concerned to really close the security flaw on all devices in circulation. Josep Rodriguez himself recognizes this: “Patching several hundred thousand ATMs physically is something that will take a lot of time”.
Note that the demonstration of the attack did not take place in the United States, where the security of banking systems can sometimes be weaker, but in Madrid, in Europe. The researcher concludes: “These vulnerabilities have been present in firmware for years, and we have used these devices on a daily basis to manage our credit cards, our money. It has to be more secure”.