Because of the ATM manufacturer's passivity, hackers published instructions on how to empty its machines of money

30 July 2017, 13:47 | Technologies 
Photo from InternetUA

IOActive published a bulletin reporting the discovery of critical vulnerabilities in Diebold Opteva ATMs. By combining them, attackers can gain access to the banknotes in the ATM safe.

Two vulnerabilities, used in sequence.

Experts at IOActive discovered two vulnerabilities at once in Diebold's ATMs: one physical and one in software. They affect the Opteva series, ATMs based on the AFD (Advanced Function Dispenser) platform. In these machines the banknote safe and the control computer are physically separated, and each section requires separate authorization to gain access. However, the researchers were able to find vulnerabilities in both places.

By pushing an iron rod through the loudspeaker hole on the front panel, they managed to lift the metal plate that locks the device and gain physical access to the installed computer, to which the AFD's USB controller is connected. The researchers then connected their own computer to it.

IOActive also reverse-engineered the communication protocol and the AFD software. It turned out that the AFD does not verify connected external devices and performs no encrypted key exchange with them. As a result, the experts managed to gain access to the AFD and to the contents of the banknote cassettes without any authorization.

Sluggish reaction.

Diebold was informed of the vulnerability as early as the beginning of 2016. In January 2017 it was provided with information on the software gaps in the device's protection. The ATM manufacturer's reaction was exceptionally sluggish. Only at the end of March 2016 did Diebold representatives say that the system used in the testing was obsolete and lacked software updates.

The question of whether any updates had been issued at all for this particular vulnerability received no response. After waiting three months without receiving any feedback, IOActive decided to publish the results of the study.

Source: InternetUA