Developers: | Diebold Nixdorf |
Date of the premiere of the system: | 2021/10/25 |
Branches: | Financial services, investments and auditing |
Main article: ATMs in Russia
2021: Detection of vulnerabilities in Wincor Cineo ATMs with RM3 and CMD-V5 dispensers
On October 25, 2021, Positive Technologies reported that experts Vladimir Kononovich and Alexei Stennikov had discovered vulnerabilities in Wincor Cineo ATMs with RM3 and CMD-V5 dispensers (as of October 2021, the Wincor brand belongs to Diebold Nixdorf). The researchers managed to bypass the protection against black box attacks and dispense cash. With access to the USB port of the dispenser controller, an attacker can install an outdated or modified version of the firmware (for example, one with encryption disabled) to bypass encryption and dispense cash. Diebold Nixdorf has produced more than 1 million ATMs and as of October 2021 is a major manufacturer of ATMs.
Most previous generations of ATMs could not resist black box attacks, in which a computer or mobile device is connected to the dispenser, a special code is sent to the dispenser, and the ATM begins to dispense money. In 2018, according to Positive Technologies, 69% of the investigated ATMs were vulnerable to such an attack, and they could be hacked in a few minutes. More modern ATMs, including Wincor Cineo, have built-in protection against black box attacks. End-to-end encryption is used between the ATM computer and the dispenser: the computer sends encrypted commands to the dispenser, and an attacker without the encryption keys, which are stored on the ATM computer, will not be able to extract money.
"In the case of Wincor Cineo, we were able to understand the encryption of commands that is used in the interaction between the PC and the controller, and bypass the protection against black box attacks. The same controller that controls dispensing as the one installed in serial Wincor ATMs was purchased on a classified ads site. The code errors and old encryption keys found in the controller made it possible to connect to the ATM using our own computer (as in the case of the classic black box attack), bypass encryption and dispense cash. The attack scheme consists of three points: connecting a computer to an ATM, loading outdated and vulnerable firmware, and finally exploiting these vulnerabilities to gain access to the contents of the cassettes inside the secure safe," said Vladimir Kononovich, senior specialist in the industrial control systems security department of Positive Technologies.
According to Vladimir, some manufacturers may be counting on security through obscurity: proprietary protocols that are poorly studied and equipment that is hard to obtain for vulnerability research. However, the Positive Technologies study shows that decommissioned equipment is easy to find on open sale and to study, which criminal groups can take advantage of.
Both vulnerabilities were rated 6.8 on the CVSS v3.0 scale. The first vulnerability, BDU:2021-04967, was detected in the firmware of the CMD-V5 dispenser (all versions up to and including 141128 1002 CD5_ATM.BTR and 170329 2332 CD5_ATM.FRM). The second vulnerability, BDU:2021-04968, was found in the firmware of the RM3/CRS dispenser (all versions up to and including 41128 1002 RM3_CRS.BTR and 170329 2332 RM3_CRS.FRM).
To fix the vulnerabilities, credit organizations need to request the latest version of the firmware from ATM manufacturers. In addition, as an additional protection factor, it is recommended that the vendor include physical authentication for the operator during installation of the firmware.
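The downgrade path described above (installing outdated firmware) is closed only if the controller refuses images older than what it already runs, even when they are authentic. The sketch below is an added example, not Diebold Nixdorf's or Positive Technologies' code: the image layout, the HMAC stand-in for a vendor signature, the `operator_present` flag and all names are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

# Assumed image layout (constructed for this example, not the vendor's format):
#   4-byte magic | 4-byte big-endian security version | payload | 32-byte tag
MAGIC = b"FWIM"
HEADER = struct.Struct(">4sI")
TAG_LEN = hashlib.sha256().digest_size


class UpdateRejected(Exception):
    """Raised when the controller refuses a firmware image."""


def build_image(key: bytes, version: int, payload: bytes) -> bytes:
    """Vendor side: the tag covers the version field as well as the payload."""
    body = HEADER.pack(MAGIC, version) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()


class DispenserController:
    """Model of the update gate. HMAC stands in for a vendor signature; a real
    device should verify an asymmetric signature so it stores no signing secret."""

    def __init__(self, key: bytes, floor: int):
        self._key = key
        self.floor = floor        # lowest acceptable version (protected storage)
        self.installed = floor

    def install(self, image: bytes, operator_present: bool) -> int:
        if not operator_present:  # models physical operator authentication
            raise UpdateRejected("operator authentication required")
        if len(image) < HEADER.size + TAG_LEN:
            raise UpdateRejected("truncated image")
        body, tag = image[:-TAG_LEN], image[-TAG_LEN:]
        expected = hmac.new(self._key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise UpdateRejected("authentication failed: image was modified")
        magic, version = HEADER.unpack_from(body)
        if magic != MAGIC:
            raise UpdateRejected("unknown image format")
        if version < self.floor:
            # Authentic but outdated: authenticity alone does not stop a downgrade.
            raise UpdateRejected(f"rollback: version {version} is below floor {self.floor}")
        self.installed = self.floor = version  # ratchet the floor upward
        return version
```

The floor value must live in storage that a firmware write cannot reset; otherwise the ratchet can be undone by the same person who holds the USB cable.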
The vulnerabilities were discovered by Vladimir Kononovich and Alexei Stennikov in February 2018, and the manufacturer was notified of them in the same month. According to the company, Positive Technologies is guided by the principles of responsible disclosure: all information available to the company about identified vulnerabilities is provided first to the manufacturer. If the company does not receive a written response from the manufacturer within 90 days, it reserves the right to publish the findings of the studies in a limited format, without mentioning information that would allow third parties to exploit the vulnerability. More than three years have passed since the notification, and the vulnerabilities, according to Diebold Nixdorf experts, have been corrected, which gives Positive Technologies the right to publish information about the study.
In 2018, Positive Technologies experts helped eliminate vulnerabilities in ATMs of another large manufacturer in the market - NCR.