Security researcher Benjamin Kunz-Mejri discovered that ATMs of the German savings bank Sparkasse can leak sensitive information during software updates.
Mejri, CEO and founder of the Germany-based security firm Vulnerability Lab, was using a Sparkasse ATM when the machine suddenly ejected his card and changed its status to “temporarily not available.” The machine then displayed details of an update process on the screen, which is when Mejri realised that the terminal had become temporarily unavailable because it was performing a software update.
For this attack, Mejri coined the term “timing attack”.
Software updates normally run in the background, but Mejri discovered that the progress and details of the update process can be made visible by interacting with the device as he did.
The researcher found that a large amount of sensitive data, including the bank’s main system branch usernames, serial numbers, firewall settings, network information, device IDs, ATM settings, and two system passwords, was exposed on screen during the update.
During the whole process, the card reader remained available and usable for other operations.
The ATM’s keyboard was also not disabled, and an attacker could execute system commands via the command prompt that was left accessible.
The ATMs analysed were manufactured by Wincor Nixdorf, a German company that manufactures, sells, installs and services retail and banking hardware and software. The affected ATMs and self-service terminals were running the Windows 7 and Windows XP operating systems.
According to the experts, this vulnerability would allow a criminal ring to coordinate a large-scale attack.
An attacker with physical access to the bank network could use the information disclosed during the update process to run a man-in-the-middle (MitM) attack on the targeted bank’s local network.
The attacker could push a bogus update to reconfigure the ATMs.
The attacker could also conduct fraudulent transactions by forcing the ATM to crash and corrupting its logging or debugging mechanism.
If fraudsters can determine the date and time of scheduled updates, they could conduct a larger, coordinated attack targeting multiple ATMs and self-service terminals, since it takes 17 minutes to record all the information displayed on the screen.
Other banks that use Wincor Nixdorf ATMs and self-service terminals may also be affected, not just Sparkasse.
The bank has already pushed out updates that fix the issue to a limited number of ATMs in the German city of Kassel as a pilot project. The update will be installed in other regions once the test of the new configuration is successful.
This is the first time a German bank has admitted to a security vulnerability in an ATM and rewarded the researcher with an undisclosed amount of money.
Just last week, Berlin police announced that they were looking for a man who illegally withdrew cash from two ATMs using a USB stick that he connected to the devices after unscrewing their front panels.