Positive Technologies: Most ATMs Can Be Hacked in Minutes
Experts from Positive Technologies have tested ATMs manufactured by NCR, Diebold Nixdorf, and GRGBanking, uncovering potential risks for banks and their customers.
Black Box Attacks and Network Vulnerabilities
According to the report, 69% of the ATMs studied were vulnerable to Black Box attacks. In this type of attack, a criminal connects to the dispenser a special device that is programmed to send cash-dispensing commands. In some ATM models, a criminal could carry out this attack in just 10 minutes.
Additionally, most ATMs (85%) are insufficiently protected against network-level attacks, such as spoofing the processing center. This allows attackers to interfere with transaction confirmation processes and forge responses from the center—approving any cash withdrawal request or increasing the amount of cash dispensed. The study also describes attacks on network devices like GSM modems connected to ATMs, which could be used to launch attacks on other ATMs in the network or even the bank’s internal network.
Disk Encryption and Kiosk Mode Weaknesses
The report notes that 92% of ATMs are vulnerable to attacks due to a lack of hard drive encryption. An attacker can directly connect to the ATM’s hard drive and, if the contents are unencrypted, install malware and disable any security measures. This ultimately gives the criminal control over the dispenser.
In 76% of ATMs, a “Kiosk Mode Escape” attack is possible. This involves bypassing the restrictions set for regular users and executing commands in the ATM’s operating system. According to experts, such an attack can take about 15 minutes, and even less with thorough preparation and automation.
Peripheral Device and Application Control Issues
“During our security analysis, we found that most ATMs allow unrestricted connection of third-party devices,” says Ekaterina Kilyusheva, an analyst at Positive Technologies. “This enables attackers to connect a keyboard or other device that simulates user input. In most cases, there were no restrictions on using common key combinations to access OS functions, and local security policies were either misconfigured or completely absent. In 88% of ATMs, we were able to bypass Application Control solutions due to improper configuration of trusted application lists or vulnerabilities, including zero-day flaws, in the protection software itself.”
Risks for Banks and Customers
“Primarily, logical attacks on ATMs target their owners, but bank customers can also be affected,” notes Yaroslav Babin, head of the banking systems security research group at Positive Technologies. “When analyzing ATM security, we identify vulnerabilities related to network attacks, software and security configuration errors, and insufficient protection of peripheral devices. All these weaknesses allow criminals to steal money from ATMs or intercept customers’ payment card data. To reduce the risk of attacks, it’s important to focus on physical security of the service area, as well as to log and monitor security events both in the infrastructure and on the ATM itself, enabling timely response to emerging threats. Additionally, regular ATM security assessments are crucial to promptly identify and fix existing vulnerabilities.”