ATMs and point-of-sale (POS) systems have been a target for many cybercriminal groups over the past several years, resulting in some of the largest card breaches and money heists in history.
While attackers have various ways to break into these machines, researchers now warn that vulnerabilities in the drivers they contain could enable more persistent and damaging attacks.
Researchers from Eclypsium, a company that specialises in device security, have evaluated the security of device drivers, the programs that allow applications to talk to a system's hardware components and leverage their capabilities.
Over the past year, their research project, dubbed Screwed Drivers, has identified vulnerabilities and design flaws in 40 Windows drivers from at least 20 different hardware vendors, highlighting widespread issues with this attack surface.
Most people think of Windows in the context of servers, workstations and laptops, but these are not the only types of devices that run Microsoft's operating system.
Windows is also widespread in the world of ATMs, POS terminals, self-service kiosks, medical systems and other types of specialised equipment. These devices are generally harder to update because they're used in regulated industries and environments, so updates need to pass strict testing and certification.
Taking them offline for extended periods of time can lead to business disruption and financial loss.
Attacks against ATMs can take many forms, the Eclypsium researchers said in a new report:
"Attackers can deliver malware by compromising the banking network connected to the device, by compromising the device's connection to card processors, or by gaining access to the ATM's internal computer. And much like traditional attacks, attackers or malware often need to escalate privileges on the victim device to gain deeper access into the system. This is where the use of malicious or vulnerable drivers comes into play. By taking advantage of the functionality in insecure drivers, attackers or their malware can gain new privileges, access information, and ultimately steal money or customer data."
Vulnerability in Diebold Nixdorf ATM driver
As part of their research project, the Eclypsium researchers found a vulnerability in a driver used in an ATM model from Diebold Nixdorf, one of the largest manufacturers of devices for the banking and retail sectors. The driver gives applications arbitrary access to the system's x86 I/O ports.
ATMs are essentially computers with specialised peripherals such as the card reader, PIN pad, network interfaces and cash cassettes, connected through various communication ports. By reaching those I/O ports through the vulnerable driver, an attacker could read data exchanged between the ATM's central computer and its PCI-connected devices.
Moreover, this driver can be used to update the BIOS, the low-level firmware of a computer that starts before the operating system and initialises the hardware components. By exploiting this functionality, an attacker could deploy a BIOS rootkit that would survive OS re-installations, leading to a highly persistent attack.
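To make the class of flaw concrete, here is an added illustration in portable C; it is not code from the Eclypsium report or from the Diebold Nixdorf driver. It models the IOCTL dispatch logic of a driver that performs raw port I/O on whatever port the caller names, beside a hardened handler that admits only privileged callers and confines even them to the port ranges the device actually needs. The real in/out instructions are replaced by a simulated port space so it compiles and runs on any host; the request layout, the caller fields and the allowed port ranges are hypothetical placeholders.

```c
/* Added example, not from the Eclypsium report or the Diebold Nixdorf driver.
 * Portable model of a Windows driver IOCTL handler exposing x86 port I/O.
 * The real port instructions (__inbyte, __outdword, ...) are replaced by a
 * simulated port space so the logic compiles and runs on any host. */
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

enum { IO_READ = 0, IO_WRITE = 1 };
enum io_status { IO_OK = 0, IO_ACCESS_DENIED = 1, IO_INVALID_PARAM = 2 };

/* Hypothetical request a user-mode client hands to DeviceIoControl. */
struct port_io_request {
    uint32_t op;     /* IO_READ or IO_WRITE */
    uint32_t port;   /* x86 I/O port number, 0..0xFFFF */
    uint32_t width;  /* 1, 2 or 4 bytes */
    uint32_t value;  /* data for writes; receives data on reads */
};

/* Simulated 64 KiB port space standing in for the real port instructions.
 * Padded by 3 bytes so a 4-byte access at 0xFFFF cannot overrun the model. */
static uint8_t g_port_space[65536 + 3];

/* Little-endian host assumed, matching x86. The 16-bit mask mirrors the
 * truncation a real driver gets from casting the port to unsigned short. */
static uint32_t port_in(uint32_t port, uint32_t width) {
    uint32_t v = 0;
    memcpy(&v, &g_port_space[port & 0xFFFF], width);
    return v;
}
static void port_out(uint32_t port, uint32_t width, uint32_t value) {
    memcpy(&g_port_space[port & 0xFFFF], &value, width);
}

static bool width_ok(uint32_t w) { return w == 1 || w == 2 || w == 4; }

/* The raw I/O step shared by both handlers. */
static enum io_status do_port_io(struct port_io_request *req) {
    if (req->op == IO_READ)
        req->value = port_in(req->port, req->width);
    else if (req->op == IO_WRITE)
        port_out(req->port, req->width, req->value);
    else
        return IO_INVALID_PARAM;
    return IO_OK;
}

/* Vulnerable pattern: whoever can open the device object gets raw I/O to any
 * port. The only check is the one needed to pick an instruction width.
 * Ports 0xCF8/0xCFC, for example, are the PCI configuration address/data
 * pair, so this hands out PCI config access to any caller. */
static enum io_status dispatch_vulnerable(struct port_io_request *req) {
    if (!width_ok(req->width))
        return IO_INVALID_PARAM;
    return do_port_io(req);
}

/* Caller context the driver derives from the IRP (hypothetical fields). */
struct caller {
    bool kernel_mode;  /* RequestorMode == KernelMode */
    bool is_admin;     /* token is a member of Administrators */
};

/* Allowlist of the ports this device's own peripheral actually uses.
 * The ranges are hypothetical placeholders. */
struct port_range { uint32_t lo, hi; };
static const struct port_range k_allowed[] = {
    { 0x0400, 0x041F },  /* hypothetical: peripheral control block */
    { 0x0500, 0x0503 },  /* hypothetical: status register */
};

/* True only if every byte of the access lies inside one allowed range. */
static bool port_allowed(uint32_t port, uint32_t width) {
    uint64_t last = (uint64_t)port + width - 1;  /* 64-bit: no wraparound */
    for (size_t i = 0; i < sizeof k_allowed / sizeof k_allowed[0]; i++)
        if (port >= k_allowed[i].lo && last <= k_allowed[i].hi)
            return true;
    return false;
}

/* Hardened pattern: privileged callers only, and even they are confined to
 * the allowlist, so the driver cannot become a generic port-I/O primitive
 * for malware that has already reached admin. */
static enum io_status dispatch_hardened(const struct caller *c,
                                        struct port_io_request *req) {
    if (!c->kernel_mode && !c->is_admin)
        return IO_ACCESS_DENIED;
    if (!width_ok(req->width) || req->port > 0xFFFF)
        return IO_INVALID_PARAM;
    if (!port_allowed(req->port, req->width))
        return IO_ACCESS_DENIED;
    return do_port_io(req);
}

int main(void) {
    struct caller user = { false, false }, admin = { false, true };
    struct port_io_request pci = { IO_READ, 0x0CF8, 4, 0 };
    printf("unprivileged read of port 0xCF8: vulnerable=%d hardened=%d\n",
           dispatch_vulnerable(&pci), dispatch_hardened(&user, &pci));
    printf("admin read of port 0xCF8 via hardened handler: %d\n",
           dispatch_hardened(&admin, &pci));
    return 0;
}
```

In a real WDM or KMDF driver the caller check belongs on the device object itself, by creating it with IoCreateDeviceSecure (or WdfDeviceInitAssignSDDLString for KMDF) and an SDDL string that limits open access to SYSTEM and Administrators, rather than inside the IOCTL handler. The allowlist is the part that addresses the escalation path described in this article: once malware already runs as admin, an unrestricted port-I/O IOCTL is a kernel-level primitive, while a handler confined to its own peripheral's registers gives it nothing new.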
To the researchers' knowledge, the vulnerability hasn't been exploited in any real-world attack, but based on their discussions with Diebold, they believe the same driver is used in other ATM models as well as POS systems. Diebold worked with the researchers and released patches earlier this year.
"This is just the tip of the iceberg in terms of what malicious drivers are capable of," the researchers said. "Our previous research has identified drivers that in addition to arbitrary I/O access, also had the ability to read/write to memory, Model Specific, debug, and control registers, as well as arbitrary PCI access.
These capabilities in a vulnerable driver could have a devastating impact on ATM or POS devices. Given that many of the drivers in these devices have not been closely analysed, they are likely to contain undiscovered vulnerabilities."
The potential for abuse
Both ATMs and POS systems have been targeted by hackers. There are cybercrime groups like Carbanak that specialise in breaking into financial institutions such as banks and slowly making their way into their ATM networks.
These groups are methodical and patient and can spend months inside networks until they learn a victim's workflows and how its systems work. When they decide to finally pull off the heist, they send money mules to collect cash from hacked ATMs, typically at night.
Another group known as FIN7, which is related to Carbanak, specialises in hacking into POS systems and targets companies from the hospitality and retail sectors to steal payment card data. Recently, the group was observed sending malicious USB dongles to their targets via regular mail, under the guise of a Best Buy gift card.
Even ransomware gangs have become interested in such systems because locking them could provide a bigger incentive for affected organisations to pay a ransom. Last week Symantec reported that Sodinokibi (also known as REvil), one of the most sophisticated ransomware groups currently in operation, started scanning for POS software and systems in the environments it gains access to.
Driver vulnerabilities like the one Eclypsium found don't give attackers their initial access to a system, but they can be used to escalate privileges once that initial foothold has been gained by some other method.
As demonstrated repeatedly by Carbanak, FIN7 and other cybercrime groups, gaining access to networks and systems is not necessarily hard and can be done in a variety of ways.
"Once you find a vulnerability to get into an ATM computer, you can use this to gain additional privileges and access to some sub-interfaces that would allow you to do more interesting things," Jesse Michael, principal researcher at Eclypsium tells CSO.
"This gives you some capabilities to go talk to other devices like a peripheral that you want to access to do some operation as part of your attack process, so it's basically a breakdown within these layers of protection."
Hiding malware inside the BIOS to survive OS reinstallation could prove very useful to some of these advanced cybercriminal groups, because it means they can hit their targets repeatedly. More destructive attacks that leave devices un-bootable are also possible.
"This driver talks to the chipset's SPI controller to install BIOS updates, so if you wanted to just brick the system so it wouldn't boot at all, you could just write garbage to the boot block," Michael says.
Ransomware attacks in the past have encrypted the master boot record of computers leaving them un-bootable until the victims paid the ransom. Recovering from an attack of this type requires manual intervention and, in the case of ATMs that can be geographically dispersed, it means significant downtime.
In the context of POS systems, it could also mean financial loss if all terminals in a store or multiple stores suddenly stopped working.
Then there have been attacks like Shamoon that hit Saudi Aramco in 2012, or the attack against Sony Pictures in 2014 that was attributed to North Korea, whose goal was to disrupt normal business operations. Such disruptive attacks could be used to manipulate a company's stock price and profit from it.
Eclypsium's research highlights a lack of security by design in device drivers, as most of the issues found are architectural flaws rather than code vulnerabilities. In Michael's opinion, these problems are usually the result of developers fulfilling a business need, like the ability of an application to talk to a hardware component, without putting the proper controls in place.
"Most of these cases are examples of someone not really thinking through the ramifications of a feature being misused," Michael said. "It's a feature that's useful for their specific task, but they didn't think whether this is something that someone else can use for bad purposes or to do other things."