By Natalie DeCoste
Criminals have long targeted ATMs through various methods ranging from opening a front panel and sticking a thumb drive into a USB port to drilling a hole that exposes internal wiring. Now, a study revealed that ATMs are at risk from a new array of security problems.
IOActive security researcher Josep Rodriguez revealed that the near-field communications reader chips, or NFC readers, used in many modern ATMs and point-of-sale systems leave the systems vulnerable to attacks from hackers. These attacks include crashing systems via a nearby NFC device, locking the machines down as part of a ransomware attack, or hacking them to extract certain credit card data.
The NFC systems enable users to wave a credit or debit card over a reader to make a contactless payment or extract money from a machine rather than swiping or inserting the card. While the systems are certainly convenient, they opened the door to these new attacks.
Rodriguez developed an Android app that enabled his phone to mimic credit and debit card communications to the NFC device and exploit flaws in the systems’ firmware. By waving his phone over an NFC reader, Rodriguez could crash the system and carry out the various attacks.
“You can modify the firmware and change the price to one dollar, for instance, even when the screen shows that you’re paying 50 dollars. You can make the device useless, or install a kind of ransomware. There are a lot of possibilities here,” said Rodriguez of the point-of-sale attacks he discovered.
One such attack that Rodriguez warned about is known as “jackpotting.” This attack tricks the machine into spitting out cash, giving the crime a casino-like finish. However, this specific attack is only possible when paired with exploits of additional bugs. Wired reported that it could not view a video of such an attack because of IOActive’s confidentiality agreement with the affected ATM vendor.
“If you chain the attack and also send a special payload to an ATM’s computer, you can jackpot the ATM, like cash out, just by tapping your phone,” said Rodriguez about jackpotting attacks.
Wired was able to view footage of a different NFC attack in which Rodriguez waved his smartphone over the NFC reader of an ATM, causing the machine to display an error message. Following the error message, the NFC reader appeared to crash, and the machine no longer read his credit card when he next touched it to the machine.
IOActive’s research showcases major vulnerabilities with the NFC systems. First, it demonstrates that the NFC systems are vulnerable to relatively simple attacks. For example, hackers can easily overwhelm the systems with too much data and corrupt their memory, because the readers do not always verify how much data they are receiving.
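The length check whose absence is described above, as an added C example that is not from the article, IOActive, or any vendor's firmware: a reader copies a card-supplied value into a fixed buffer only after validating the claimed length. The tag/length/value frame layout, the buffer size and all function names are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define RESP_BUF_SIZE 64 /* constructed size of the reader's fixed buffer */

enum { PARSE_OK = 0, PARSE_TRUNCATED = -1, PARSE_TOO_LONG = -2 };

/* Hypothetical frame from the card: 1 tag byte, 1 length byte, then the
 * value. frame_len is the number of bytes that actually arrived. */
int copy_card_value(const uint8_t *frame, size_t frame_len,
                    uint8_t out[RESP_BUF_SIZE], size_t *out_len)
{
    if (frame == NULL || out == NULL || out_len == NULL || frame_len < 2)
        return PARSE_TRUNCATED;

    size_t claimed = frame[1]; /* length field is controlled by the card */

    /* The claimed length must not exceed the bytes actually received. */
    if (claimed > frame_len - 2)
        return PARSE_TRUNCATED;

    /* The claimed length must fit the destination. Firmware that skips
     * this and copies `claimed` bytes anyway writes past `out`. */
    if (claimed > RESP_BUF_SIZE)
        return PARSE_TOO_LONG;

    memcpy(out, frame + 2, claimed);
    *out_len = claimed;
    return PARSE_OK;
}

/* Builds a constructed frame and returns how the parser classifies it. */
int try_frame(uint8_t claimed, size_t payload_bytes)
{
    uint8_t frame[2 + 255] = { 0x01, claimed };
    uint8_t out[RESP_BUF_SIZE];
    size_t n = 0;
    if (payload_bytes > 255)
        payload_bytes = 255;
    memset(frame + 2, 0xAA, payload_bytes);
    return copy_card_value(frame, 2 + payload_bytes, out, &n);
}

int main(void)
{
    printf("fits: %d\n", try_frame(64, 64));
    printf("oversized: %d\n", try_frame(200, 200));
    printf("length lies: %d\n", try_frame(10, 4));
    return 0;
}
```

Both checks are needed: one compares the length field against what was received, the other against what the destination can hold.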
Second, even when the vulnerabilities have been identified in the machines, companies can take years to fix the problem. One company whose machines were part of Rodriguez’s study claimed that in 2018 it patched one of the problems identified by the report. However, Rodriguez claimed he was able to verify that the attack worked in a restaurant in 2020.
Rodriguez has already alerted the impacted vendors of the security issues with their systems, including ID Tech, Ingenico, Verifone, Crane Payment Innovations, BBPOS, Nexgo, and the unnamed ATM vendor.
Karsten Nohl, the founder of security firm SRLabs and a well-known firmware hacker, reviewed Rodriguez’s work and sought to ease concerns by pointing out some limitations for real-world hackers and thieves. Nohl said that stolen data from the machines would only give hackers the mag-stripe credit card data, not the victim’s PIN or the data from EMV chips, seriously limiting the use of the stolen data.