The State of ATM Security: DMA Vulnerabilities are Lurking

According to estimates from the ATM industry association (ATMIA), there are more than three million automated teller machines (ATMs) across the globe today, making it the most common method for consumers to interact physically with their bank. Since its inception in 1967, criminals have discovered many ways to hack into ATMs – and technological advancements have only made their efforts more lucrative. 

Modern hackers aren’t solely after cash. Account numbers, pin numbers, debit card information, and points-of-entry to the internal network or firmware provider, can be accessed by exploiting known security vulnerabilities. 

One particular cybersecurity threat banks must pay closer attention to is direct memory access (DMA) attacks. DMA attacks target the areas of a computer that require direct memory access, such as the PCI bus or USB/Thunderbolt ports. DMA attacks enable an adversary with physical access to a device to read and overwrite memory, giving them full control over the operating system (OS) kernel and the ability to perform malicious activity. Unfortunately, many devices exist today that have not addressed the concerns that DMA vulnerabilities revealed years ago. 

In this blog post, I will explore common ATM security vulnerabilities and attack tactics and explain why DMA attacks require heightened awareness. Additionally, I will share best practices to implement to help strengthen your ATM cybersecurity efforts.

Common ATM security vulnerabilities

ATMs have a lengthy shelf life for an embedded device, often lasting 10 years before needing to be replaced. The ATMs are typically composed of a Windows Desktop PC provided by the ATM manufacturers (e.g. Diebold, NCR, Hyosung). The bank is then responsible for hardening the OS and ensuring updates and patches are applied to the system as needed.

Further, many ATMs that exist today still run on older more vulnerable versions of Windows. These systems can become very expensive to maintain and can take significant resources to properly protect. Keeping these systems secure becomes more difficult as they get older and require a lot of work to keep up with the latest attacks. When keeping these systems properly hardened, it’s easy to miss some potentially unrelated security measures – until it’s too late. 

It’s not always an outdated OS itself that the attackers target. While there are zero-day vulnerabilities that exist, we often see the security risks within the bank’s custom ATM user interface and applications, a lack complete of system hardening, vulnerabilities in custom security protections from the vendor/manufacturer, or unencrypted communications over the USB. Here is a sampling of the top five common ATM attacks: 

1. Sensor Tampering/Forking Attacks: Tampering with the sensors to take out money from the ATM without it debiting the accounts. Example: Australia forking attack, 2014
2. Black Box: Connecting an external device (“black box”) to the ATM’s cash dispenser, then using native commands to cause the machine to release currency, bypassing the need for a card or transaction authorization. Example: Diebold code theft, 2020
3. Peripherals/Communication: Most of the important devices inside of a typical ATM are peripherals that communicate over USB and serial busses. There are some systems that have not properly implemented encryption over these media. This leads to attackers spying on the USB, replaying attacks, man in the middle attacks, or fuzzing the interfaces altering software.   These attacks aren’t always limited to the bus lines, the peripherals and the systems that support them are also vulnerable to communication attacks. Example: NFC Replay attacks, HITBGSEC 2018 D2
4. Malware/Jackpotting: An attacker finds some flaw in the system that allows them to install their own custom software to the ATM: via an insecure firmware update, a leaked/outdated certificate, or a flaw in the encryption. These attacks do not have to be against the ATM itself, some forms of ATM malware can be administered without physical access to the machine by leveraging a known exploit against a financial institution’s servers. The malware would then be passed to every ATM in the chain, compromising many machines in one strike. Examples of ATM malware families: Ploutus, Anunak/Carbanak, Cutlet Maker, SUCEFUL
5. Direct Memory Access (DMA): DMA allows devices to directly communicate with the system’s memory by bypassing the OS and manipulating firmware. If exploited, adversaries can gain direct access to information and privileges. They often require physical access but can also be deployed remotely. Example: DMA attack, PCILeech USB3380

The risk of DMA vulnerabilities

Despite the security precautions hardware and software vendors have implemented, DMA attacks remain a reality for many enterprise devices today. DMA attacks began making waves mostly as theoretical attacks until video game hackers caught wind. In the video game space, DMA attacks allow players to bypass protections without triggering the anti-cheat software placed by game manufacturers – but the threat reaches much farther than one industry. 

Any system where an attacker has physical access to the machine is vulnerable. And these attackers’ techniques have gotten much more covert over the years. DMA attacks have been gaining traction in the red team space and banks are shocked at how easy it is to bypass their ATM security using a single technique. Currently, not many banks are testing for DMA vulnerabilities today possibly due to the lack of awareness around this particular attack vector.

As mentioned earlier, DMA attacks may grant adversaries full control over the all the device’s memory, including the kernel as well as the entire OS. The problem with this access is that the memory is not, at least by default, segmented. This access is granted at the hardware level, and thus it can replace any area of memory it has access to… regardless of the privilege that memory is protected by. 

DMA attacks have also evolved. One avenue of accessing the systems that have DMA access are PCIe cards. These cards are similar to the cards used for adding graphic cards to a PC but modified to communicate with outside controllers to give attackers access to the computer’s memory. These custom cards now are Wi-Fi enabled. This allows for attackers insert their attack hardware and leave. The attacker can then wait until a system is up and running, then at their leisure, draw secrets from the systems ram (encryption keys, pins, credit card numbers, etc.) or modify a running authenticated system to run shellcode dynamically placed into memory outside the purview of the most thorough antivirus or malware protection. 

Remediating this issue is no easy task. ATMs employ a number of security precautions: hard drive encryption, firewalls, process monitoring software, etc. to ensure the system has not been modified. Unfortunately, DMA attacks can easily bypass these protections. 

The best way to prevent ATM security attacks, like DMA attacks, is to strengthen your foundational cybersecurity efforts and gain a better understanding of your preparedness and the impact an attack on your devices would have. To help, here are six ATM security best practices to follow, beyond physically disabling the PCIe bus with epoxy.

6 ATM security best practices

1. Disable hardware that isn’t supposed be in the system by default. Anything that is USB that is not used, disable. This includes thunderbolt adapters, storage devices, and USB ethernet adapters. Anything that increases the attack surface and isn’t needed should be removed.
2. Ensure encryption is set up properly and confirm all links in the chain of encryption are followed. Make sure the encryption keys are kept safe. And, that communications between peripherals are encrypted as well.
3. If the version of Windows used allows memory segmentation, enable it. For DMA vulnerabilities, if using windows 10, turn kernel DMA protection on.
4. Ensure the Operating Systems are properly hardened.
5. Limit the types of USB devices the ATM accepts and limit the value of the vendor ID (VID) and product ID (PID). For example, there is no reason for an external graphics card or an audio adapter to be accepted in the USB.
6. Perform a penetration test of your ATM applications to gain a better understanding of the impact an ATM security incident or breach would have on your systems – and learn if your existing security controls are working as they’re supposed to. 

The importance of ATM penetration testing services

Penetration testing services can tell you where your security is and, more importantly, where it is lacking. Pentesting can verify whether the ATM peripherals that handle sensitive data are properly encrypted or that encryption keys cannot be extracted from the firmware or the card reader. Is the encryption used to protect the hard drive strong enough or configured correctly? Is there any method that attackers can use to gain access to the keys – if so, what can they do once they have the keys? 

Sometimes, it is not possible to prevent every attack. In these cases, you need to know what will happen once there is a breach and how well you are protected once a weakness is found. Then, make it as difficult as possible for an attacker to maneuver inside a system. Using outside pentesting teams is a great way to keep appraised of the latest attack methods and view your system from the perspective of an adversary.

Larry Trowell