Security experts find flaws in US cash machines

Researchers were able to gain control of ATMs after gaining access to the same networks on which they operate

Trey Keown, security researcher for Red Balloon Security Inc., and Brenda So, research scientist for Red Balloon Security Inc., left, demonstrate flaws discovered in Nautilus Hyosung America Inc. automatic teller machines (ATM) in New York, U.S., on Thursday, Nov. 7, 2019. A pair of security researchers at New York based firm Red Balloon Security have discovered two vulnerabilities in ATMs used widely across America that could allow a determined criminal to steal customer data and dispense money from an ATM. Photographer: Victor J. Blue/Bloomberg

A pair of security researchers has discovered two vulnerabilities in cash machines widely used across the US that could allow a determined criminal to steal cash and customer data.

Brenda So and Trey Keown, of New York-based Red Balloon Security, found the flaws in machines manufactured by Nautilus Hyosung America, the largest provider of automatic teller machines in the US. By gaining access to the same network as the target ATM, the researchers were able to obtain full control of the machine and bypass its security measures. They also discovered master keys to the ATMs for sale on Amazon.com — something other researchers have previously pointed out.

In a joint statement Monday, Red Balloon and Nautilus Hyosung said they had no evidence anyone has ever taken advantage of the vulnerabilities. The researchers said the flaws only affected retail versions of Nautilus ATMs, not ones used in financial institutions. According to an estimate by Red Balloon, more than 80,000 machines are vulnerable. Nautilus has more than 150,000 installed ATMs in the US, according to the statement.

Nautilus is a subsidiary of the closely held conglomerate Hyosung Corporation, based in South Korea. The security flaws exist only in ATMs developed and distributed by its US subsidiary.

The researchers said they reported the flaws to the company in the summer and a fix was developed within a week. “Nautilus Hyosung America has already issued firmware security updates to mitigate possible threats,” the company said in the statement. Nautilus said it “notified all of its commercial customers to immediately update their ATMs with these patches,” which were first released on September 4. Red Balloon said it is working with Nautilus to improve the security of its ATMs.

Red Balloon provides security for the embedded computers inside products such as printers and ATMs.

It’s unclear how many ATMs have actually received the fix. To install the patch, a technician or ATM owner would have to manually insert a USB stick with the software update into the machine or download it from Nautilus, the security researchers said. Red Balloon said it won’t release a detailed breakdown of exactly how the flaws work, in order to prevent criminals from replicating their work, but may provide more technical details in the future.

Ang Cui, chief executive and founder of Red Balloon, said updating all of the ATMs is likely to be difficult. “Getting people to do security updates and firmware has been a thing that we’ve studied for a decade,” Cui said. “People just don’t want to think about it. They don’t want to do it.”

The researchers also discovered a flaw in a mobile application developed by Nautilus and used by ATM owners and technicians. By exploiting the flaw, the researchers said they could access information on user accounts, ATMs — including cash balances, location, software version — and service requests. The information that could be gleaned from the mobile app would be very useful to a potential criminal in deciding which ATMs would be the most vulnerable and have the highest payout, the security researchers said. The flaw found in the app was in the process of being fixed, they said.

“While we have no evidence this vulnerability has been utilised, Hyosung has decided to disable this service until the updated versions are released as a precautionary measure,” Keith Lennard, Nautilus Hyosung America’s head of software said in an email.

All of the vulnerabilities that were discovered could be exploited remotely, meaning an attacker would not need physical access to the ATM in order to hack it, only to be on the same network.

One of the ATM vulnerabilities discovered by Red Balloon targets a machine’s “remote management system” and would allow a criminal to steal the data of any credit card or debit card entered into the ATM as a transaction takes place. In theory, an attacker could sweep up the card data of everyone who used the ATM without being noticed.

The second vulnerability was discovered in the software that powers the ATM’s peripherals, such as its cash dispenser, card reader or PIN keypad. The researchers found that an attacker could easily access the software and inject malicious commands. The potential result is emptying the ATM of all its cash — a possibility the researchers demonstrated during a presentation at their New York office.

This isn’t the first time vulnerabilities in ATMs have been discovered. According to a joint investigation published by Vice and German broadcaster Bayerischer Rundfunk in October, criminals in Europe were able to hack a different brand of ATMs to steal cash in 2017.