Hackers can still steal wads of cash from ATMs. Here’s the vulnerabilities that could let them in.

Hackers may love ransomware, but ATM vulnerabilities still abound, Red Balloon Security researchers explain at DEF CON 2020.
(Getty Images)

Thanks to a pair of zero-day vulnerabilities in a popular ATM, hackers could be pilfering off customers’ sensitive banking information or withdrawing hefty wads of cash, according to research from New York-based Red Balloon Security.

If exploited properly, one of the vulnerabilities the researchers found in Nautilus Hyosung America ATMs would allow attackers to essentially empty the machines of cash, the researchers, Brenda So and Trey Keown, told CyberScoop. The root of the vulnerability lies in the way Nautilus implemented eXtensions for Financial Services, the software used to dispense money.

The other vulnerability would allow attackers to execute malicious code in the the ATM’s remote administration interface, which normally allows ATM owners to check the amount of cash available in their machines.

In experimenting with the flaw, So and Keown wrote shell code and sent a malicious payload to the ATM. Hackers that are able to do the same could point a vulnerable ATM to a hacker-controlled server, which could allow them to steal sensitive customer information, such as credit card numbers or even PINs, So and Keown told CyberScoop.


“You’re literally trusting this machine to hold thousands of dollars, but it’s running [Windows operating system] CE 6.0? It is just a computer, on a network, running an older operating system,” Keown said, noting that the latest release for CE 6.0 was over a decade ago in 2009. “This is still a problem. Let’s focus some effort here and see if we can’t move the needle in the right direction.”

It’s unclear if the vulnerabilities, which the security researchers uncovered over a year ago, have been exploited. And although Nautilus has issued a fix, there is always the chance that many machines still remain vulnerable, the researchers told CyberScoop.

It’s a reminder that although cyber-enabled financial heists have in some ways graduated to more disruptive ransomware attacks, hackers can still rely on network-based exploits against ATMs to make a quick buck. Generally speaking, ATMs are also a perennial target for hackers sponsored by the North Korean government, according to the U.S. Department of the Treasury.

So hopes that by demonstrating their findings at DEF CON this year, they can expose how ATM security has flown under the radar. One of the vulnerabilities the Red Balloon security researchers found, for instance, is on the same interface exploited by Barnaby Jack, a programmer who gained recognition for his demonstration of an ATM “jackpot” hack in 2010.

“Obviously we’re not the first people to look at ATMs. 10 years ago Barnaby Jack did a classic talk on ATM security. What we’re doing right now is basically an extension of his work. It’s been around one decade since his talk,” So said. “Have things improved? We realize although the vulnerabilities have been patched there are still other vulnerabilities [on that interface] that we found within a relatively short period of time.”


So and Keown will also be holding a question-and-answer session on Saturday in an effort to try to boost collective knowledge of ATM security issues.

“We understand not a lot of people would have the opportunity to open up an ATM and inspect what’s insight because of the high barrier of entry to even getting an ATM,” So told CyberScoop. “We hope through our talk we are able to shed light to other researchers to how ATMs work, how network protocols work, how firmware works, and so on.”

Bloomberg first reported the existence of the flaws last year.

Shannon Vavra

Written by Shannon Vavra

Shannon Vavra covers the NSA, Cyber Command, espionage, and cyber-operations for CyberScoop. She previously worked at Axios as a news reporter, covering breaking political news, foreign policy, and cybersecurity. She has appeared on live national television and radio to discuss her reporting, including on MSNBC, Fox News, Fox Business, CBS, Al Jazeera, NPR, WTOP, as well as on podcasts including Motherboard’s CYBER and The CyberWire’s Caveat. Shannon hails from Chicago and received her bachelor’s degree from Tufts University.

Latest Podcasts