
German ATM displays bank’s network config data to infosec bod

Not a planned hack – but still a massive fail

A chance finding by a German security researcher has revealed that ATMs run by the German bank Sparkasse leaked potentially sensitive information while in a software update mode.

Benjamin Kunz-Mejri, chief exec and founder of the Germany-based security firm Vulnerability Lab, came across the problem when he unsuccessfully attempted to use his card to withdraw funds. The cash machine became unavailable, after which Kunz-Mejri pressed a “special keyboard combination” that resulted in the display of a software update process on the ATM’s screen, as a blog post by Vulnerability Lab explains:

“The screen went to temporarily not available mode. In this mode Benjamin used a special keyboard combination to trick the ATM into another mode. By usage of the special combination the console (cmd) became available ahead to the maintenance message on top of the screen after the card came out of the ATM. At that moment the researcher realised that there is a gap and used his iPhone to capture the bootChkN console output (Wincor Nixdorf) of the branch administrator.”

The screen scrolled through a substantial amount of sensitive information, including the bank’s main system branch usernames, serial numbers, firewall settings, network information, device IDs and more. “Using the data he would be easily able to take over the ATM (Automated Teller Machine) of the Wincor Nixdorf series,” Vulnerability Lab claimed.

Kunz-Mejri used his iPhone to capture the bootChkN terminal output and later republished the images in a Vulnerability Lab advisory on the find. The root cause, as described in the advisory, is that the ATM’s keyboard was not disabled while the machine was in its update mode, so a user at the kiosk could still send keystrokes and reach the console underneath the maintenance screen; this is what turned a routine update into an information leak.

The security researcher is better known for uncovering security bugs in the web-based applications of PayPal, Apple’s iTunes and others than for finding vulnerabilities in hardware or embedded systems, much less ATMs.

The ATMs encountered by Kunz-Mejri were manufactured by Wincor Nixdorf. El Reg approached both the bank and Wincor Nixdorf for comment but has yet to hear back from either. We’ll update this story as and when we learn more.

Sparkasse has reportedly pushed out updates that fix the issue, which Kunz-Mejri first uncovered on ATMs in the German city of Kassel. Vulnerability Lab praised the bank for responding promptly and professionally to the vulnerability report. ®
