Nautilus ATM Flaws Could Allow Hackers Access to Cash, Data

(Bloomberg) -- A pair of security researchers has discovered two vulnerabilities in ATMs widely used across the U.S. that could allow a determined criminal to steal cash and customer data.

Brenda So and Trey Keown, of New York-based Red Balloon Security Inc., found the flaws in machines manufactured by Nautilus Hyosung America Inc., the largest provider of ATMs in the U.S. By gaining access to the same network as the target ATM, the researchers were able to obtain full control of the machine and bypass its security measures. They also discovered master keys to the ATMs for sale on Amazon.com -- something other researchers have previously pointed out.

In a joint statement Monday, Red Balloon and Nautilus Hyosung said they had no evidence anyone has ever taken advantage of the vulnerabilities. The researchers said the flaws only affected retail versions of Nautilus ATMs, not ones used in financial institutions. According to an estimate by Red Balloon, more than 80,000 machines are vulnerable. Nautilus has more than 150,000 installed ATMs in the U.S., according to the statement.

Nautilus is a subsidiary of closely held conglomerate Hyosung Corp., based in South Korea. The security flaws only exist in ATMs developed and distributed by the U.S. subsidiary.

The researchers said they reported the flaws to the company in the summer and a fix was developed within a week. “Nautilus Hyosung America has already issued firmware security updates to mitigate possible threats,” the company said in the statement. Nautilus said it “notified all of its commercial customers to immediately update their ATMs with these patches,” which were first released on Sept. 4. Red Balloon said it’s working with Nautilus to improve the security of its ATMs.

Red Balloon provides security to computers embedded inside a product, like a printer or ATM.

Security Updates

It’s unclear how many ATMs have actually received the fix. To install the patch, a technician or ATM owner would have to manually insert a USB stick with the software update into the machine or download it from Nautilus, the security researchers said. Red Balloon said it won’t release a detailed breakdown of exactly how the flaws work, in order to prevent criminals from replicating their work, but may provide more technical details in the future.

Ang Cui, chief executive officer and founder of Red Balloon, said updating all of the ATMs would likely be difficult. “Getting people to do security updates and firmware has been a thing that we’ve studied for a decade,” Cui said. “People just don’t want to think about it. They don’t want to do it.”

The researchers also discovered a flaw in a mobile application developed by Nautilus and used by ATM owners and technicians. By exploiting the flaw, the researchers said they could access information on user accounts, ATMs -- including cash balances, location, software version -- and service requests. The information that could be gleaned from the mobile app would be very useful to a potential criminal in deciding which ATMs would be the most vulnerable and have the highest payout, the security researchers said. The flaw found in the app was in the process of being fixed, they said.

“While we have no evidence this vulnerability has been utilized, Hyosung has decided to disable this service until the updated versions are released as a precautionary measure,” Keith Lennard, Nautilus Hyosung America’s vice president, head of software, said in an email. The company didn’t respond to further requests for comment.

All of the vulnerabilities that were discovered could be accessed remotely, meaning an attacker would not need physical access to the ATM in order to hack it, only to be on the same network.

Emptying ATMs

One of the ATM vulnerabilities discovered by Red Balloon targets a machine’s “remote management system” and would allow a criminal to steal the data of any credit card or debit card entered into the ATM as a transaction takes place. In theory, an attacker could sweep up the card data of everyone who used the ATM without being noticed.

The second vulnerability was discovered in the software that powers the ATM’s peripherals, such as its cash dispenser, card reader or PIN keypad. The researchers found that an attacker could easily access the software and inject malicious commands. The potential result is emptying the ATM of all its cash -- a possibility the researchers demonstrated during a presentation at their New York office.

This isn’t the first time vulnerabilities in ATMs have been discovered. According to a joint investigation published by Vice and German broadcaster Bayerischer Rundfunk in October, criminals in Europe were able to hack a different brand of ATMs to steal cash in 2017.

To contact the reporter on this story: William Turton in New York at wturton1@bloomberg.net

To contact the editors responsible for this story: Andrew Martin at amartin146@bloomberg.net, Molly Schuetz

©2019 Bloomberg L.P.