Some ATM dispenser vulnerabilities can be exploited to install outdated firmware which in turn would give access to hackers to dispense unauthorized cash
Two serious vulnerabilities have been detected by researchers that affect ATM currency dispensers manufactured by NCR. These vulnerabilities could be exploited to install outdated firmware and get ATMs to dispense unauthorized cash. However, the flaws have been patched.
Researchers have launched successful black box attacks against the S1 and S2 cash dispenser controllers made by NCR. The experts used a method called “logical attack” for which they required physical access to the device they were targeting. In this case, it was possible for the attackers to exploit the poor physical security of the device and successfully install vulnerable firmware, and issue commands that would instruct the machine to dispense cash.
Two vulnerabilities have been pinpointed which direct the firmware of cash dispenser controllers to rollback to an older vulnerable version. CVE-2017-17668 affects the S1 controller, and CVE-2018-5717 affects the S2 controller.
An unauthorized attacker can use these flaws to execute arbitrary code, bypass the firmware anti-rollback mechanism, and install older versions of the firmware that contains known vulnerabilities.
Using these security loopholes, an attacker is able to roll back the firmware to an older, vulnerable version. The flaws CVE-2017-17668 (for S1 controller) and CVE-2018-5717 (for S2 controller) are similar and both are related to insufficient protection of the memory write mechanism.
They can be exploited by an unauthenticated attacker to execute arbitrary code, bypass the firmware anti-rollback mechanism, and install firmware containing known vulnerabilities.
One of the researchers claims that not all requests sent to the dispenser from the ATM computer are encrypted. The encryption is only applied to critical requests like that of dispensing cash. The problem is, some of the requests that are deemed to be non-critical by the manufacturers may prove to be dangerous and could be exploited.
NCR was notified about the flaws so the vendor has released critical firmware updates for better protection against these black box attacks. The updates address the firmware rollback vulnerability to protect the physical authentication mechanisms of the device.
NCR is releasing a critical platform firmware component update for both the S1 and the S2 dispensers. This update addresses two vulnerabilities to prevent black box attacks.
For endoscope attacks:
This firmware update to the S1 and S2 Currency Dispensers is released as an APTRA XFS platform update package. APTRA XFS Module and Security Update Package 01.00.00
The respective versions are:
Along with updates against black box attacks, NCR further recommends the following settings for extra layer of protection.
If you think you are a victim of a cyber-security attack. Immediately send an email to firstname.lastname@example.org for a rapid response.