An ATM attack that has been popular outside the US for several years now appears to have made its way stateside.
Building a slide deck, pitch, or presentation? Here are the big takeaways:
- Jackpotting attacks can empty ATMs in minutes. They are performed by accessing a USB port on the machine and injecting malicious code.
- The affected ATMs are standalone internet-connected units, which should serve as yet another reminder of the security risk of IoT hardware.--TechRepublic
ATM manufacturers Diebold Nixdorf Inc and NCR Corp have confirmed that they notified clients of the spread of jackpotting, a hack that empties ATMs of cash, into the United States.
Jackpotting has been a growing security threat in Europe, Mexico, and elsewhere in the world, but the warnings from the two companies mark the first time it has been considered a risk for US-based cash dispensers.
As covered previously by TechRepublic, breaking into an ATM is as easily done as it is said. Demonstrators at BlackHat 2017 were able to force open an ATM to gain access to an unprotected USB port, and within minutes were able to empty it of its cash reserves.
Particularly at risk are small standalone ATMs, such as those found at pharmacies, drive-throughs, and big box stores.
The anatomy of a jackpotting attack
The method demonstrated at BlackHat 2017 is just one way to empty out an ATM. In its presentation, a security team from IOActive attacked an Opteva ATM from Diebold Nixdorf. By prying open a panel, the team was able to attach a netbook to the ATM via USB, inject code into the ATM's software, reverse engineer it, and dispense all the cash.
IOActive's BlackHat panel, titled "Breaking Embedded Devices," focused on flaws particular to internet-connected devices whose chipsets serve a single role in a machine. In the case of ATMs, that role is dispensing cash. Despite the sensitive nature of that role, IOActive argued convincingly that the security of embedded devices like ATMs is often overlooked.
KrebsOnSecurity, the blog that broke the news of jackpotting's spread to the US, mentions a malware strain called Ploutus.D being used to jackpot ATMs in Mexico, and now in the US. KrebsOnSecurity also said that warnings from the Secret Service specifically mention the attack being used on Diebold Nixdorf machines, and more particularly on Opteva 500 and 700 model standalone ATMs.
The US attacks appear to be using a laptop wired into the target ATM via USB. The criminals use Ploutus.D to infect the ATM and can then make it dispense cash at regular intervals until the machine is empty.
Ploutus.D can make internet-connected ATMs dispense cash using an SMS code as well, meaning the attacker doesn't even need to maintain a physical connection to empty it.
Another security lesson
Not every hardware manufacturer, or infosec professional, deals with as sensitive an issue as dispensing cash. That doesn't mean the security concerns of other internet-connected devices are any less important, though.
No matter what kind of data a company deals with, protecting end-point hardware is essential. In the case of standalone machines like ATMs, access points such as USB ports need to be physically protected and, where they are not needed, disabled in software, so that an attacker who does reach a port cannot use it.
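One way to enforce the second half of that advice on a Windows-based cash dispenser is the device-installation restriction policy, which refuses to install any USB device that is not on an explicit allow-list. The script below is an added example, not code from the article or from Diebold Nixdorf, NCR, or IOActive; it assumes Windows Vista or later running as Administrator (Windows XP, named in the Secret Service memo, has no such policy), and the hardware ID in the allow-list is a constructed placeholder.

```powershell
# Audit the USB device-installation restrictions on this host and, with -Enforce,
# apply them: deny any device not on the allow-list and disable the USB storage driver.
param(
    [switch]$Enforce,
    # Constructed placeholder: hardware IDs of the USB devices the ATM legitimately needs
    # (card reader, dispenser, PIN pad). Replace with the real IDs from Device Manager.
    [string[]]$AllowedHardwareIds = @('USB\VID_XXXX&PID_YYYY')
)

$policyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'
$usbstorKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'

function Get-UsbRestrictionState {
    $deny  = (Get-ItemProperty -Path $policyKey  -Name DenyUnspecified -ErrorAction SilentlyContinue).DenyUnspecified
    $start = (Get-ItemProperty -Path $usbstorKey -Name Start           -ErrorAction SilentlyContinue).Start
    [pscustomobject]@{
        DenyUnlistedDevices = ($deny -eq 1)   # "Prevent installation of devices not described by other policy settings"
        UsbStorageDisabled  = ($start -eq 4)  # Start=4 means the USB mass-storage driver is disabled
    }
}

function Set-UsbRestriction {
    param([string[]]$HardwareIds)
    New-Item -Path $policyKey -Force | Out-Null
    # Turn on the allow-list, then deny everything the list does not name.
    Set-ItemProperty -Path $policyKey -Name AllowDeviceIDs  -Value 1 -Type DWord
    Set-ItemProperty -Path $policyKey -Name DenyUnspecified -Value 1 -Type DWord
    $allowKey = Join-Path $policyKey 'AllowDeviceIDs'
    New-Item -Path $allowKey -Force | Out-Null
    $i = 1
    foreach ($id in $HardwareIds) {
        # The allow-list is stored as string values named "1", "2", ... under AllowDeviceIDs.
        Set-ItemProperty -Path $allowKey -Name ([string]$i) -Value $id -Type String
        $i++
    }
    # Disable USB mass storage outright; a jackpotting laptop has no business mounting as a drive.
    Set-ItemProperty -Path $usbstorKey -Name Start -Value 4 -Type DWord
}

$before = Get-UsbRestrictionState
Write-Output "Before: unlisted devices denied=$($before.DenyUnlistedDevices), USB storage disabled=$($before.UsbStorageDisabled)"
if ($Enforce) {
    Set-UsbRestriction -HardwareIds $AllowedHardwareIds
    $after = Get-UsbRestrictionState
    Write-Output "After:  unlisted devices denied=$($after.DenyUnlistedDevices), USB storage disabled=$($after.UsbStorageDisabled)"
}
```

Run it without -Enforce first to see the current state; the allow-list must contain every device the ATM needs before enforcement, or the machine's own peripherals will be refused at the next device install.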
It's also worth noting that the Secret Service's memo warned that ATMs running Windows XP are particularly vulnerable. Hopefully most companies aren't still running essential systems on XP or other out-of-support operating systems, but the warning remains the same: everything needs to be kept up to date.
Increased reliance on connected systems and the Internet of Things means more points of hacker-induced failure. It's up to infosec professionals and IT teams to close off every attack vector and point of failure, or risk losses of both money and data.