Researchers have disclosed the details of two serious vulnerabilities affecting ATM currency dispensers made by NCR. The flaws have been patched, but they could have been exploited to install outdated firmware and get ATMs to dispense cash.
Positive Technologies experts Vladimir Kononovich and Alexey Stennikov have conducted a successful black box attack against the NCR S1 and S2 cash dispenser controllers. In these types of attacks, the attacker only sees inputs and outputs, without having any knowledge of the system’s internal workings.
The method, which the researchers described as a “logical attack,” requires physical access to the targeted device. In this particular case, an attacker could have leveraged the poor physical security of the targeted dispenser controller to connect to it, install vulnerable firmware, and issue commands that would instruct the machine to dispense cash.
The experts disclosed their findings this week at the Black Hat security conference in Las Vegas.
Two different security holes have been found that allow an attacker to roll back the firmware to an older, vulnerable version.
One of them is CVE-2017-17668, which affects the S1 controller, and the other is CVE-2018-5717, which affects the S2 controller.
The flaws are similar and they are both related to insufficient protection of the memory write mechanism. They can be exploited by an unauthenticated attacker to execute arbitrary code, bypass the firmware anti-rollback mechanism, and install firmware containing known vulnerabilities, according to Positive Technologies.
“Our research indicated that not all requests from the ATM computer to the dispenser were encrypted. Instead, encryption was applied only to requests deemed critical by the manufacturer, such as dispensing cash. But some of the so-called non-critical requests can be just as dangerous,” said Alexey Stennikov, Head of Hardware Security Analysis at Positive Technologies.
The researchers notified NCR of their findings and the vendor released critical firmware updates in February that should provide better protection against black box attacks. The update should address the firmware rollback vulnerability and it adds an extra layer of protection for physical authentication mechanisms.
“The physical authentication mechanism used to authorize encrypted communications to the dispenser has been strengthened to add protection against an attacker using endoscope technology in an attempt to manipulate dispenser electronics from outside the safe. Additionally, further authentication mechanisms have been added as configuration options,” NCR said in its advisory.