The researchers have found two vulnerabilities in the Diebold Opteva ATM machines with the AFD platform that could be chained to allow an unauthorized user to vend notes from the device.
“IOActive has discovered two vulnerabilities in Opteva ATMs with the AFD platform that, when combined, may allow an unauthorized user to vend notes from the device.” reads the advisory.
The Diebold Opteva line of ATMs with the AFD platform is composed of an upper cabinet for the operating system and a lower cabinet for the safe, each part requests its own authentication requirements.
Chaining the vulnerabilities allows the attacker to bypass both authentication mechanisms and take the control of the Diebold Opteva ATM.
In the attack scenario presented IOActive, the researchers physical accessed to the internal computer by inserting a metal rod through a speaker hole on the front of the ATM, lifting a metal locking bar and gaining access to the upper cabinet of the Diebold Opteva ATM that contains the computer. Once accessed to the computer, the researchers removed the USB connection from the Windows host and gained a direct line of communication to the AFD controller for the safe.
At this point, the hackers triggered the second flaw to get to the money.
The experts made a reverse engineering of the AFD’s protocol and firmware, they were able to gain access to the content of the safe without authenticating.
“Using the USB that connects the AFD to the computer in the upper cabinet, the team was able to initiate two-way communication. This would normally require a shared encryption key and a device identifier; however, the team was able to complete the authentication protocol unencrypted and set up communications without properly authenticating. This allowed the team to act as an authenticated user and gain access to the contents of the safe.” continues the analysis. “The protocol does not require any device specific knowledge to carry out the attack. This would imply that an attacker with access to one device could reverse engineer enough of the controller protocol to effectively bypass authentication and vend notes from any other device that uses an AFD as long as the vulnerability remains unpatched.”
IOActive reported the issue to Diebold in February 2016, only one year later, in May 2017 Diebold responds, “[your]..system is very old (2008/2009 vintage) and is unpatched;”
IOActive asked if retesting a recent supported version would be possible, but without receiving a reply.
Finally, on July 26, 2017, IOActive opted for the public disclosure.
Unfortunately, it is still unclear whether the ATMs have been patched, nor whether any newer firmware versions are still vulnerable.
(Security Affairs – (Diebold Opteva ATM, hacking)