ATM vulnerabilities allow illegal cash withdrawals

Cybersecurity researchers have discovered multiple vulnerabilities in ATMs from a well-known ATM manufacturer that can be exploited to make cash withdrawals. The vulnerabilities in Wincor Cineo ATMs with RM3 and CMD-V5 were discovered by Vladimir Kononovich of Positive Technologies and independent researcher Alexey Stennikov. The researchers managed to bypass the protection against black box attacks on modern ATMs by accessing the USB port of the vendor controller to install an outdated or modified firmware version, which allowed them to bypass the encryption and make cash withdrawals. The researchers note that Wincor is currently owned by Diebold Nixdorf, one of the world's largest ATM manufacturers, with more than a million ATMs installed, giving it around 32% of the global market share.

Free money

In 2018 research, Positive Technologies showed that approximately 69% of ATMs are vulnerable to so-called black box attacks and can be broken into within minutes. However, the researchers note that the current generation of ATMs, including the Wincor Cineo, has built-in protection against black box attacks through end-to-end encryption between the ATM computer and the ATM tickets. "In the case of Wincor Cineo, we were able to understand the command encryption used in the interaction between the PC and the controller, and bypass the protection against black box attacks," says Kononovich. He adds that the researchers obtained the same timing controller used in Wincor ATMs from "a popular website." They then took advantage of bugs in the driver code and old encryption keys to connect to an ATM using their own computer, download old firmware, and bypass the encryption. Kononovich says that some manufacturers rely on security through obscurity and are betting that it will be difficult for hackers to get the hardware inside their ATMs to find the vulnerabilities. "However, our research shows that it is not difficult to find and analyze this type of equipment on the open market, which can be used by criminal groups," concludes Kononovich.