It has been reported that a joint investigation between Motherboard and the German broadcaster Bayerischer Rundfunk (BR) has uncovered new details about a spate of so-called “jackpotting” attacks on ATMs in Germany in 2017 that saw thieves make off with more than a million Euros. Jackpotting is a technique where cybercriminals use malware or a piece of hardware to trick an ATM into ejecting all of its cash, no stolen credit card required. Hackers typically install the malware onto an ATM by physically opening a panel on the machine to reveal a USB port.
Please see below for commentary from cybersecurity experts.
We like to think of cybersecurity as being limited to software, but the physical security of devices is part of the equation. If you logically protect a system, but leave exposed physical access, you have left risk unaddressed.
Requiring that criminals physically access a machine to carry out an attack does limit the scalability of that attack technique. We won’t see hundreds of ATMs simultaneously jackpotted with this technique, but it’s still a problem for the ATM owners.
Other industries have dealt with the threat of USB-based attacks by disabling the ports in the operating system or even going so far as to fill them with glue. While this is a particularly dramatic attack, using USB ports to carry out attacks isn’t new.
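The "disable the ports in the operating system" control mentioned above, as an added example that is not from the article or any ATM vendor: a PowerShell script that audits whether USB mass storage is blocked on a Windows host and, with `-Enforce`, applies the two standard registry controls. It assumes an elevated session; the registry paths are stock Windows locations, not ATM-specific.

```powershell
# Added example (not from the article): audit, and optionally enforce,
# "USB mass storage disabled in the OS" on a Windows host.
# Assumes an elevated PowerShell session. Registry paths are standard
# Windows locations, not ATM-vendor specific.
param([switch]$Enforce)

$usbstor = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
$rsdPol  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'

function Get-UsbStorageState {
    $start = (Get-ItemProperty -Path $usbstor -Name Start -ErrorAction SilentlyContinue).Start
    $deny  = (Get-ItemProperty -Path $rsdPol -Name Deny_All -ErrorAction SilentlyContinue).Deny_All
    [pscustomobject]@{
        UsbstorStart       = $start   # 3 = driver loads on demand (default), 4 = disabled
        RemovableDenyAll   = $deny    # 1 = policy "All Removable Storage classes: Deny all access"
        MassStorageBlocked = ($start -eq 4) -or ($deny -eq 1)
    }
}

function Set-UsbStorageBlocked {
    # Control 1: stop the USB mass-storage class driver from loading.
    Set-ItemProperty -Path $usbstor -Name Start -Value 4 -Type DWord
    # Control 2: the removable-storage policy, independent of the driver setting,
    # so a single misconfiguration does not re-open the path.
    if (-not (Test-Path $rsdPol)) { New-Item -Path $rsdPol -Force | Out-Null }
    Set-ItemProperty -Path $rsdPol -Name Deny_All -Value 1 -Type DWord
}

$before = Get-UsbStorageState
$before | Format-List
if ($Enforce -and -not $before.MassStorageBlocked) {
    Set-UsbStorageBlocked
    Get-UsbStorageState | Format-List
}

# Caveat: this blocks USB *disks* only. A device that presents itself as a
# keyboard is not covered by either control, and ATM peripherals (card reader,
# PIN pad) may themselves be USB, so any broader device-installation
# allowlisting must be tested against the vendor's hardware before rollout.
```

Run without `-Enforce` first to see the current state; the audit output is also a cheap fleet-wide check to run from management tooling.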
An ATM is nothing but a computer connected to a safe that ejects cash through a mechanical system when certain commands are prompted. Normally, ATM operating systems are custom made to work on embedded computer systems, but nevertheless remain operating systems on which software is run, meaning they are vulnerable to being exploited by bad actors.
In this case, the exploit was delivered with a USB port, which means that criminals had to gain physical access to the port by breaking the panel that protected it. This should serve as a reminder that USB ports are a vulnerable entry point, not only for ATMs, but for all machines from personal computers to Operational Technology and mobile phones.
Users should remember to be wary of USB sticks they insert in their machines, as they could be carrying malicious software. Equally, it is important to remember that plugging mobile phones into USB charging cables could also lead to a malware infection, which is why it is prudent not to use unauthorised cables or charging stations in public places.
ATM jackpotting attacks are not new. The late Barnaby Jack demonstrated a version of this attack back in 2010. With the introduction of chips into cards, skimming has become more difficult, so it appears as if criminals are investing more time and resources into figuring out how to jackpot ATMs themselves. Many ATMs run a version of Windows and if they can be physically tampered with, ports can be accessed and malware uploaded that can trick the machine into dispensing all of its cash. With criminals focusing on ATM software, it’s time the banking industry took a closer look at the software and security controls of the machines and the network or risk further losses.
The fact that criminals can access a USB port on public ATMs is worrying, and securing that physical access should be the first priority. After that, updating the software on ATMs to prevent jackpotting attacks should be the next step. Many ATMs are old and run on Windows XP or some other ageing operating system. They might not receive official support from Microsoft anymore, so it’s up to banks to secure them.
So far as I can tell, this attack doesn’t affect legitimate ATM users, although it’s certainly plausible that some other type of attack could be carried out with physical access to a USB port.