Despite being one of the only ways to get money out from your bank account on the go, ATMs have notoriously had a litany of security issues over the years. Even now, there's not a whole lot stopping a hacker from placing a card skimmer on an ATM, as most people will never notice that it's there. There have, of course, also been a number of other attacks over the years that are more complex than that, but by and large, you should always be careful when using an ATM. Now there's a new way to hack an ATM, and all it requires is a smartphone with NFC.

As Wired reports, Josep Rodriguez is a researcher and consultant at IOActive, a security firm based in Seattle, Washington, and he has spent the last year finding vulnerabilities in NFC readers used in ATMs and point-of-sale systems. Many ATMs around the world allow you to tap your debit or credit card to then enter your PIN and withdraw cash, rather than requiring you to insert it into the ATM itself. While it's more convenient, it also gets around the problem of a physical card skimmer being present over the card reader. Contactless payments on point of sales systems are also ubiquitous at this point.

Google Pay being used for commuting

Hacking NFC readers

Rodriquez has built an Android app that gives his phone the power to mimic credit card communications and exploit flaws in the NFC systems' firmware. Waving his phone over the NFC reader, he can chain together multiple exploits to crash point-of-sales devices, hack them to collect and transmit card data, change the value of transactions, and even lock the devices with a ransomware message.

Furthermore, Rodriguez says that he can even force at least one unnamed brand of ATM to dispense cash, though it only works in combination with bugs he found in the ATM's software. This is called "jackpotting", for which there are many ways criminals have tried over the years to gain access to an ATM in order to steal cash. He declined to specify the brand or the methods due to nondisclosure agreements with the ATM vendors.

"You can modify the firmware and change the price to one dollar, for instance, even when the screen shows that you're paying 50 dollars. You can make the device useless, or install a kind of ransomware. There are a lot of possibilities here," says Rodriguez of the point-of-sale attacks he discovered. "If you chain the attack and also send a special payload to an ATM's computer, you can jackpot the ATM — like cash out, just by tapping your phone."

Source: Josep Rodriguez

Affected vendors include ID Tech, Ingenico, Verifone, Crane Payment Innovations, BBPOS, Nexgo, and an unnamed ATM vendor, and all of them were alerted between 7 months and a year ago. However, most point-of-sale systems don't receive software updates or do rarely, and it's likely that many of them require physical access to do so. Therefore, it's likely that many of them remain vulnerable. "Patching so many hundreds of thousands of ATMs physically, it's something that would require a lot of time," Rodriguez says.

To demonstrate the vulnerabilities, Rodriguez shared a video with Wired showing him waving a smartphone over the NFC reader of an ATM in Madrid, causing the machine to display an error message. He didn't show the jackpotting attack, as he could only legally test it on machines obtained as part of IOActive's security consulting, which would then violate their nondisclosure agreement. Rodriguez asked Wired not to publish the video for fear of legal liability.

The findings are "excellent research into the vulnerability of software running on embedded devices," says Karsten Nohl, the founder of security firm SRLabs and firmware-hacker, who reviewed Rodriguez's work. Nohl also mentioned that there are a few drawbacks for real-world thieves, including that a hacked NFC reader would only allow an attacker to steal mag stripe credit card data, not the PIN or data from EMV chips. The ATM jackpot attack also requires a vulnerability in the ATM firmware, which is a large barrier.

Even still, gaining access to execute code on these machines is a major security flaw in itself, and is often the first entry-point in any system even if it's no more than user-level access. Once you get past the outside layer of security, often it's the case that the internal software systems are nowhere near as secure.

Red Balloon CEO and chief scientist Ang Cui, was impressed by the findings. "I think it's very plausible that once you have code execution on any of these devices, you should be able to get right to the main controller, because that thing is full of vulnerabilities that haven't been fixed for over a decade," Cui says. "From there," he adds, "you can absolutely control the cassette dispenser" that holds and releases cash to users.

Custom code execution

The ability to execute custom code on any machine is a major vulnerability and gives an attacker the ability to probe underlying systems in a machine to find more vulnerabilities. The Nintendo 3DS is a prime example of this: a game called Cubic Ninja was famously one of the earliest ways to exploit the 3DS and execute homebrew. The exploit, dubbed "Ninjhax", caused a buffer overflow which triggered the execution of custom code. While the game itself only had user-level access to the system, Ninjhax became the base of further exploits for running custom firmware on the 3DS.

buffer overflow example

To simplify: a buffer overflow is triggered when the volume of data sent exceeds the allocated storage for that data, meaning that the excess data is then stored in adjacent memory regions. If an adjacent memory region can execute code, then an attacker can abuse this to fill the buffer with garbage data, and then append executable code to the end of it, where it will be read into adjacent memory. Not all buffer overflow attacks can execute code, and many will simply just crash a program or cause unexpected behavior. For example, if a field can only take 8 bytes of data and an attacker forced input of 10 bytes, then the additional 2 bytes at the end would overflow into another region of memory.

Read more: "PSA: If your PC runs Linux, you should update Sudo now"

Rodriguez notes that buffer overflow attacks on NFC readers and point-of-sale devices are possible, as he bought many of these from eBay over the last year. He pointed out that many of them suffered from the same security flaw: they didn't validate the size of the data sent via NFC from a credit card. Making an app that sent data hundreds of times larger than the reader expects, it was possible to trigger a buffer overflow.

When Wired reached out to the affected companies for comment, ID Tech, BBPOS, and Nexgo did not respond to requests for comment. The ATM Industry Association also declined to comment. Ingenico responded in a statement that security mitigations meant that Rodriguez's buffer overflow could only crash devices, not gain custom code execution. Rodriguez is doubtful that they would have actually prevented code execution but hasn't created a proof of concept to demonstrate. Ingenico said that "considering the inconvenience and impact for our customers", it was issuing a fix anyway.

Verifone said it had found and fixed the point-of-sale vulnerabilities in 2018 before they were reported, though this only shows how these devices are never updated. Rodriguez says that he tested his NFC attacks on a Verifone device at a restaurant last year, finding that it still remained vulnerable.

"These vulnerabilities have been present in firmware for years, and we’re using these devices daily to handle our credit cards, our money," Rodriguez says. "They need to be secured." Rodriguez plans to share technical details of these vulnerabilities in a webinar in the coming weeks.