How one small hack turned a secure ATM into a cash-spitting monster

During a panel titled "Breaking Embedded Devices," IOActive researchers demonstrated how any machine with a chip or internet connection can be compromised. Embedded systems are particularly at risk: These are mass-produced items that have one role in a machine, such as dispensing cash from an ATM or checking how much ink is in a printer, and are therefore overlooked in terms of security, Ng reported.

More about cybersecurity

• IT pro’s guide to GDPR compliance (free PDF)
• GDPR vs. ePrivacy: The 3 differences you need to know
• Facebook data privacy scandal: A cheat sheet
• Microsoft: Here's our 4 step plan for getting rid of passwords forever

The ATM—a popular Opteva model from Diebold Nixdorf—contained a security flaw located near its speakers, IOActive found. This spot offered an opening that criminals could loosen to expose a USB port.

"It's a little bit like a magic trick, but no kidding, it took seconds to getting the ATM to open," Mike Davis, the director of embedded systems security at IOActive, told Ng. Davis said he alerted Diebold Nixdorf to the issue, but the company "didn't consider it enough of a security issue to address," as it was not located near the part of the ATM where the cash is stored, and therefore was not a concern.

SEE: Learn Website Hacking and Penetration Testing From Scratch(TechRepublic Academy)

To prove that it was a major flaw, IOActive's team plugged a netbook into the exposed USB port and added in code to the ATM's Automatic Funds Distributor—a bot in the embedded system that determines how much money to release. They were able to reverse engineer the bot, and lead the machine to empty out all of the cash it contained.

IOActive said that it has tried to work with Diebold Nixdorf to test out security flaws on other machines, but the company declined the help, Ng reported. The machine that was hacked was built in 2008 or 2009, and never received security patches or maintenance, a spokeswoman for Diebold Nixdorf told Ng.

"Like any connected device that does not receive proper maintenance and patching—especially one nearly 10 years old—the risk for it to be compromised increases," the spokeswoman said.The company did not say how many of its ATMs from that time period were still in use. In most cases, the spokeswoman said, it's the job of the financial institution to keep ATM software up to date. It remains unclear if this vulnerability has since been fixed, Ng reported.

A number of connected devices have proven hackable in recent years, including cars, drones, routers, smart home gadgets, and even guns. With Gartner predicting that 8.4 billion connected devices will be in use worldwide this year, security issues abound. It's extremely important for manufacturers to ensure Internet of Things (IoT) devices are secure, and for enterprise and consumer users to have security protocols in place.

Image: iStockphoto/selensergen

The 3 big takeaways for TechRepublic readers

1. At a BlackHat 2017 panel, security firm IOActive demonstrated how it was able to hack an ATM to cause it to release all of its cash.

2. The firm was able to do this by exploiting an exposed USB near the ATM's speakers, and using code to reverse engineer the machine's funds distributor bot.

3. This demonstrates how important it is for companies to secure embedded systems and Internet of Things devices.