Never say your machine can’t be.
That’s perhaps one of the lessons ATM maker Diebold Nixdorf learned after security researchers showed how they could turn one of the company’s machines into a cash fountain. A simple hack of an exposed USB in one of Diebold Nixdorf’s popular Opteva ATMs allowed researchers at security company IOActive to get it to spew out cash until it was empty.
During IOActive’s “Breaking Embedded Devices” panel at Black Hat on Wednesday, researchers showed that it’s not just computers, phones and servers that can be exploited — it’s anything with a chip or an internet connection, no matter how small its function.
Embedded systems, as the term denotes, are mass produced systems that only have a single role in a machine, whether it’s to dispense cash or check how much ink is in your printer. Because they have such simple jobs, security often isn’t a priority.
But IOActive showed at Black Hat that a machine’s security is only as strong as its weakest link, and embedded systems make for easy targets.
In the past, we’ve seen researchers use vulnerabilities to hijack cars, smart homes and guns. Connected toys have shown that they still have a security roadblock to overcome. And the majority of people are nervous that their smart refrigerator or connected diaper pads will get hacked.
The ATM hack is just the latest example of how security, especially when it comes to the little things, can get overlooked.
Mike Davis, the director of embedded systems security at IOActive, said he reached out to Diebold Nixdorf multiple times about the vulnerability. He said he told the company that it had a security flaw near the ATM’s speakers in the upper section. The same spot provided an opening for potential hackers to loosen and expose a USB port.
“It’s a little bit like a magic trick, but no kidding, it took seconds to getting the ATM to open,” Davis said.
When Diebold Nixdorf learned about the opening, Davis said,…