Sparkasse ATM Vulnerability disclosed by German Researcher - Integration as Pilot Program

Submitted by Editorial_Staff_Team on Mon, 11/02/2015 - 10:20

Sparkasse ATM Vulnerability disclosed by German Researcher - Integration as Pilot Program

The Sparkasse Bank is a financial institution with the task of population and income opportunities for safe investment to offer and to meet the local credit needs. The source of financial gain here is not the main purpose of the business. The German Sparkasse is well known for the new security concepts like the flickr pin code generator. The Sparkasse follows a straight policy to secure the cash machines (ATM) and SB terminals.

In the morning of the 24th april the core member Benjamin Kunz Mejri (CEO of Evolution Security and Founder of the Vulnerability Laboratory) was doing some transactions via ATM in a local German Sparkasse (Hessen). Due to his transaction the ATM was dropping his card of the shaft to process an interaction. The screen went to temporarily not available mode. In this mode Benjamin used a special keyboard combination to trick the ATM into another mode. By usage of the special combination the console (cmd) became available ahead to the maintenance message on top of the screen after the card came out of the ATM. At that moment the researcher realizes that there is a gap and used his iPhone to capture the bootChkN console output (Wincor Nixdorf) of the branch administrator.

After he saved the data via sync to his computer, he approved the recorded data for important credentials. A short time later Benjamin was able to reveal the branch office ATM username, ip, computer name, serial numbers, institute id, uid, fw id and other hardware related information. Using the data he would be easily able to takeover the ATM (Automated Teller Machine) of the Wincor Nixdorf series.

Due to that incident Benjamin was talking to his team colleagues and decided to report the issue to an official Sparkasse manager of an institute in Vellmar near Kassel. After some days an email arrived of a Sparkasse representative that requested the information of the recorded pictures. Benjamin transfered the images with the time-stemps to the representative of the Bank to assist the reproduce. Two weeks later the security team of the Sparkasse and service provider Wincor Nixdorf was able to recreate the problem by usage of the Evolution Security documentation (Advisory). As result of the security report to the management of the German Sparkasse Bank started to patch the problem in the terminals to prevent attacks.

The terminal will set the touch on (0) to disallow keyboard interaction, the log will be invisible with an echo off and the boot credentials like the Administrator username and Bank name will be removed. The update patch process started as a pilot project at the Kassel ATM. After the patch was succesfully implemented at the Kassel ATM´s the patch was provided nation-wide to secure all German Sparkasse ATM and SB-terminals against Hacker attacks.

The German Sparkasse rewarded the German security researcher with an acknowledgement card in form of a letter and a special little gift.

The German Sparkasse resolved the vulnerability and misconfiguration by fast coordination and cooperation with the main Manufacturer and Service Provider. At no time was the security vulnerability a critical risk for clients because of the German Sparkasse Bank and the Service Provider (Wincor Nixdorf) responded immediately. It looks like there is mainly a big difference between the European and the US automated teller machine security infrastructure. In the USA it takes up to 1 year since a reaction by the service provider or atm manufacturers becomes available to the researcher. In case of the German banking system everything is running well coordinated and fast. Especially this issues was nice to approve responsibility. The German Sparkasse Bank has no public security program that is available to resolve bug/vulnerability reports. As far as you report a serious issue or vulnerability it will be resolved and sometimes rewarded.

Update July 2015 - Nicht Betriebsbereit (SB Terminal)

Due to the update procedure the SB terminal was temporarily unavailable.

Sparkasse ATM Update July 2015

NOTE: Hacking or manipulation of automated teller machines and sb terminals is illegal. Do not try to adopt the technics or methods against productive systems without permission. The article has been censored to not demonstrate the full way on how the issue could be exploited manually by local attackers or individuals. The show stunt was a coordinated disclosure and out of the box! The results are research results that are not directed against the manufacturer of ATMs or banks. Repair after the destruction of an ATM can cost up to € 50,000!