How one small hack turned a secure ATM into a cash-spitting monster

At BlackHat 2017, security researchers demonstrated how a small flaw in an ATM allowed them to empty all the cash out.

What business leaders can learn about cybersecurity from the OPM hack

ATMs just became a little less trustworthy: At BlackHat 2017, security firm IOActive showed just how easy it can be to hack into the machine, exploiting a vulnerability that made it spit out cash until it was completely empty, CNET's Alfred Ng reported.

During a panel titled "Breaking Embedded Devices," IOActive researchers demonstrated how any machine with a chip or internet connection can be compromised. Embedded systems are particularly at risk: These are mass-produced items that have one role in a machine, such as dispensing cash from an ATM or checking how much ink is in a printer, and are therefore overlooked in terms of security, Ng reported.

The ATM--a popular Opteva model from Diebold Nixdorf--contained a security flaw located near its speakers, IOActive found. This spot offered an opening that criminals could loosen to expose a USB port.

"It's a little bit like a magic trick, but no kidding, it took seconds to getting the ATM to open," Mike Davis, the director of embedded systems security at IOActive, told Ng. Davis said he alerted Diebold Nixdorf to the issue, but the company "didn't consider it enough of a security issue to address," as it was not located near the part of the ATM where the cash is stored, and therefore was not a concern.

SEE: Learn Website Hacking and Penetration Testing From Scratch (TechRepublic Academy)

To prove that it was a major flaw, IOActive's team plugged a netbook into the exposed USB port and added in code to the ATM's Automatic Funds Distributor--a bot in the embedded system that determines how much money to release. They were able to reverse engineer the bot, and lead the machine to empty out all of the cash it contained.

IOActive said that it has tried to work with Diebold Nixdorf to test out security flaws on other machines, but the company declined the help, Ng reported. The machine that was hacked was built in 2008 or 2009, and never received security patches or maintenance, a spokeswoman for Diebold Nixdorf told Ng.

"Like any connected device that does not receive proper maintenance and patching--especially one nearly 10 years old--the risk for it to be compromised increases," the spokeswoman said.

The company did not say how many of its ATMs from that time period were still in use. In most cases, the spokeswoman said, it's the job of the financial institution to keep ATM software up to date. It remains unclear if this vulnerability has since been fixed, Ng reported.

A number of connected devices have proven hackable in recent years, including cars, drones, routers, smart home gadgets, and even guns. With Gartner predicting that 8.4 billion connected devices will be in use worldwide this year, security issues abound. It's extremely important for manufacturers to ensure Internet of Things (IoT) devices are secure, and for enterprise and consumer users to have security protocols in place.

Image: iStockphoto/selensergen

The 3 big takeaways for TechRepublic readers

1. At a BlackHat 2017 panel, security firm IOActive demonstrated how it was able to hack an ATM to cause it to release all of its cash.

2. The firm was able to do this by exploiting an exposed USB near the ATM's speakers, and using code to reverse engineer the machine's funds distributor bot.

3. This demonstrates how important it is for companies to secure embedded systems and Internet of Things devices.

Also see