Posts Tagged ‘ZeroDayVulnerabilities’
[DefCon32] Where’s the Money? Defeating ATM Disk Encryption
In an era where automated teller machines safeguard substantial sums, vulnerabilities in their protective mechanisms pose significant threats. Matt Burch, an independent security researcher specializing in IoT and hardware, unveils critical flaws in Diebold Nixdorf’s Vynamic Security Suite (VSS), the dominant solution in the sector. His investigation, conducted alongside a colleague, exposes six zero-day issues enabling full system compromise within minutes, highlighting systemic risks across financial, gaming, and retail domains.
Matt’s journey stems from a fascination with the surge in ATM crimes, up over 600% recently. Targeting enterprise-grade units holding up to $400,000, he dissects VSS’s full disk encryption, revealing offline code injection and decryption paths. Diebold Nixdorf, one of three primary North American manufacturers with global reach, deploys VSS widely, including in Las Vegas casinos.
ATM architecture divides into a fortified vault for currency and a less secure “top hat” housing computing elements. The vault features robust steel, multi-factor locks, and tamper sensors, while the upper section uses thin metal and vulnerable locks, facilitating entry via simple tools.
VSS integrates endpoint protection, whitelisting, and encryption, yet Matt identifies gaps in its pre-boot authentication (PBA). This layered integrity check, spanning phases, fails to prevent unauthorized access.
Pre-Boot Authentication Vulnerabilities
VSS’s PBA employs a custom Linux-based “Super Sheep” OS for initial validation. Phase one mounts the Windows partition read-only, computing SHA-256 sums for critical files. Successful checks lead to phase two, decrypting and booting Windows.
Matt exploits unencrypted Linux elements, mounting drives offline to inject code. CVE-2023-33204 allows execution via root’s .profile, bypassing sums by targeting non-checked files. Demonstrations show callback shells post-reboot.
Service releases introduce patches, yet recursive flaws emerge. CVE-2023-33205 leverages credential stuffing on weak defaults, enabling admin escalation and command injection.
Recursive Flaws and Persistence
Patches inadvertently create new vectors. Service Release 15 removes directories but overlooks symlinks, leading to CVE-2023-33206. Attackers create traversal links, injecting payloads into root’s directory for execution.
Further updates validate symlinks, yet CVE-2023-40261 strips execute permissions from integrity modules, disabling VSS entirely. This permits arbitrary unsigned binaries, affecting all versions.
Impacts span VSS iterations, with vulnerabilities identified from April to July 2023. Diebold’s responses include end-of-life for older variants and redesigns.
Mitigation and Broader Implications
Defending requires patching to latest releases, enabling security checks to withhold TPM keys, and monitoring physical access. Disabling unused ports and securing drives reduce risks. Alternatives like BitLocker offer robust encryption.
Matt’s findings influence Diebold’s Version 4.4, introducing full Super Sheep encryption. Yet, persistent unencrypted elements suggest ongoing challenges, with likely undiscovered exploits.
This research underscores the need for comprehensive security in high-value systems, where physical and digital safeguards must align.