Rewterz Threat Advisory – Flaws in ATM Dispenser Controllers Allowed Hackers to Steal Cash

Some ATM dispenser vulnerabilities can be exploited to install outdated firmware which in turn would give access to hackers to dispense unauthorized cash

IMPACT:  HIGH

PUBLISH DATE:  14-08-2018

OVERVIEW

Two serious vulnerabilities have been detected by researchers that affect ATM currency dispensers manufactured by NCR. These vulnerabilities could be exploited to install outdated firmware and get ATMs to dispense unauthorized cash. However, the flaws have been patched.

Researchers have launched successful black box attacks against the S1 and S2 cash dispenser controllers made by NCR. The experts used a method called “logical attack” for which they required physical access to the device they were targeting. In this case, it was possible for the attackers to exploit the poor physical security of the device and successfully install vulnerable firmware, and issue commands that would instruct the machine to dispense cash.

BACKGROUND INFORMATION

Two vulnerabilities have been pinpointed which direct the firmware of cash dispenser controllers to rollback to an older vulnerable version. CVE-2017-17668 affects the S1 controller, and CVE-2018-5717 affects the S2 controller.

An unauthorized attacker can use these flaws to execute arbitrary code, bypass the firmware anti-rollback mechanism, and install older versions of the firmware that contains known vulnerabilities.

ANALYSIS

Using these security loopholes, an attacker is able to roll back the firmware to an older, vulnerable version. The flaws CVE-2017-17668 (for S1 controller) and CVE-2018-5717 (for S2 controller) are similar and both are related to insufficient protection of the memory write mechanism.

They can be exploited by an unauthenticated attacker to execute arbitrary code, bypass the firmware anti-rollback mechanism, and install firmware containing known vulnerabilities.

One of the researchers claims that not all requests sent to the dispenser from the ATM computer are encrypted. The encryption is only applied to critical requests like that of dispensing cash. The problem is, some of the requests that are deemed to be non-critical by the manufacturers may prove to be dangerous and could be exploited.

NCR was notified about the flaws so the vendor has released critical firmware updates for better protection against these black box attacks. The updates address the firmware rollback vulnerability to protect the physical authentication mechanisms of the device.

MITIGATION

NCR is releasing a critical platform firmware component update for both the S1 and the S2 dispensers. This update addresses two vulnerabilities to prevent black box attacks.

• The physical authentication mechanism used to authorize encrypted communications to the dispenser has been strengthened to protect against an attacker who attempts to manipulate dispenser electronics using endoscope technology.
• A vulnerability in the anti-roll back protection has been addressed.

For endoscope attacks:

• The authentication sequence mechanism for detection of cassette removal has been strengthened so that an attacker cannot stimulate cassette removal using an external magnet near the sensor.
• If the attack techniques evolve farther than endoscope attacks, additional authentication sequence options have been added to provide higher security mechanisms.

UPDATES

This firmware update to the S1 and S2 Currency Dispensers is released as an APTRA XFS platform update package.  APTRA XFS Module and Security Update Package 01.00.00

The respective versions are:

• S1: USBCurrencyDispenser 03.07.00, firmware 0x0156
• S2: USBMediaDispenser 02.05.00, firmware 0x0108

Along with updates against black box attacks, NCR further recommends the following settings for extra layer of protection.

If you think you are a victim of a cyber-security attack. Immediately send an email to info@rewterz.com for a rapid response.