Faulty Windows drivers are to blame for many attacks against ATM and point-of-sale (POS) devices, according to research from Portland, Oregon–based hardware security research company Eclypsium. In a report released this week, it built on previous research highlighting how attackers can exploit poorly designed third-party drivers to gain control over the kernel of Microsoft's operating system and the underlying device firmware. It went on to explain how people can exploit these vulnerabilities to target highly regulated devices.
The researchers found a vulnerable Windows driver exposing a Diebold Nixdorf ATM to attack after acquiring the computer used in the ATM, which controls critical components, including the cash cassettes. The hardware driver provided arbitrary access to I/O ports on the system, enabling it to access devices connected via the PCI interface. The system also used the driver to update the device's BIOS firmware, which could enable it to install a boot kit, they warned. The ATM vendor has already worked with Eclypsium to fix the problem, the report said.
This is not an isolated problem, the researchers warned. "These capabilities in a vulnerable driver could have a devastating impact on ATM or POS devices. Given that many of the drivers in these devices have not been closely analyzed, they are likely to contain undiscovered vulnerabilities," the report said.
Eclypsium drilled down into the specific driver problems that create problems for the Windows kernel in previous research. It named several vendors that had released vulnerable drivers for their devices.
For a long time, there was no way for Windows to mitigate these problems. That changed with the introduction of hypervisor-enforced code integrity (HVCI), which protects Windows from malicious code using built-in virtualization features. The problem is that this feature requires newer processors and isn't yet supported by many third-party drivers, they warned.
ATM hardware doesn't get replaced all that often, meaning that many of them won't be equipped with HVCI. Regulations also slow down the driver patching process, the researchers added. If a device is certified to external security standards, then any change that a vendor makes to its software or firmware could result in delays as it goes through the certification process again, they said.
Other security companies have also highlighted problems with patching ATM software. In a 2019 white paper about ATM security challenges, Fortinet pointed out that manual processes for patching ATMs might fall outside the scope of corporate patch management systems that banks use for conventional IT equipment. That can make it difficult for IT administrators to patch thousands of ATMs across a distributed infrastructure, it warned.
Attacks on ATM hardware (as opposed to the use of add-on skimming devices) are a perennial problem for banks. In September 2019, malware from the Lazarus Group was discovered targeting ATMs in Indian banks. Cash-out crews have also reportedly been targeting US ATMs with 'jackpotting' attacks, in which malware forces devices to continually dispense cash, since 2018.