Aug 15 2023

Hacking ATMs by exploiting flaws in ScrutisWeb ATM fleet software

Category: Hackingdisc7 @ 1:08 pm

Researchers found several flaws in the ScrutisWeb ATM fleet monitoring software that can expose ATMs to hack. 

Researchers from the Synack Red Team found multi flaws (CVE-2023-33871, CVE-2023-38257, CVE-2023-35763 and CVE-2023-35189) in the ScrutisWeb ATM fleet monitoring software that can be exploited to remotely hack ATMs. 

ScrutisWeb software is developed by Lagona, it allows to remotely manage ATMs fleets. Operators can use the software to send and receive files to a device, modifying data, reboot a device or shut down a terminal.

The researchers discovered multiple vulnerabilities, including Absolute Path Traversal and Authorization Bypass Through User-Controlled Key issues, Hardcoded Cryptographic Key, and Unrestricted Upload of File with Dangerous Type.

Lagona addressed the vulnerabilities in July 2023 with the release of ScrutisWeb version 2.1.38. 

The CVE-2023-33871 is an Absolute Path Traversal that an allow to download configurations, logs and databases from the server.

The CVE-2023-35189 is a Remote Code Execution that could be chained with the other issues to gain user access to the ATM controller.

The CVE-2023-38257 is an Insecure Direct Object Reference that can be exploited to retrieve information about all users on the system.ì, including administrators.

The CVE-2023-35763 is Hardcoded encryption key that can allow to retrieve Plaintext administrator credentials.

The US Cybersecurity and Infrastructure Security Agency (CISA) recently published an advisory for these vulnerabilities, the agency also provides the following recommendations:

  • Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.
  • Locate control system networks and remote devices behind firewalls and isolate them from business networks.
  • When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as its connected devices.

Tags: ATM

Jul 29 2010

Hacker finds a way into ATM computers

Category: CybercrimeDISC @ 6:23 pm
Nice ATM
Image via Wikipedia

Understanding and Managing Cybercrime

by Jordan Robertson
A hacker has discovered a way to force ATMs to disgorge their cash by hijacking the computers inside them.

The attacks demonstrated Wednesday at a security conference were done at stand-alone ATMs. But they could potentially be used against the ATMs operated by mainstream banks, the hacker said.

Criminals use many ways to tamper with ATMs, ranging from sophisticated to foolhardy: installing fake card readers to steal card numbers, and even hauling the machines away with trucks in hopes of cracking them open later.

Computer hacker Barnaby Jack spent two years tinkering in his Silicon Valley apartment with ATMs he bought online. These were stand-alone machines, the type seen in front of convenience stores, rather than the ones in bank branches.

His goal was to find ways to take control of ATMs by exploiting weaknesses in the computers that run the machines.

He showed off his results at the Black Hat conference, an annual gathering devoted to exposing the latest computer-security vulnerabilities.

In one demonstration Tuesday, Jack, director of security research for IOActive Inc. in Seattle, showed how to get ATMs to spit out money:

He found that the physical keys that came with his machines were the same for all ATMs of that type made by that manufacturer. He figured this out by ordering three ATMs from different manufacturers for a few thousand dollars each. Then he compared the keys he got with pictures of other keys, found on the Internet.

He used his key to unlock a compartment in the ATM that had standard USB slots. He then inserted a program he had written into one of them, commanding the ATM to dump its vaults.

This article appeared on page D – 6 of the San Francisco Chronicle

Tags: ATM, Automated teller machine, Barnaby Jack, BlackHat, Computer security, San Francisco Chronicle, Seattle, Silicon Valley