Hardwear.io 2021 – Vladimir Kononovich: Blackboxing Diebold-Nixdorf ATMs

Abstract: Blackboxing Wincor dispensers

Although the most popular attacks on ATMs are still Malware/Logical attacks, another popular vector, the cash-dispenser Blackbox attack, is not slowing down. This vector implies a direct connection to these devices through a drilled hole in the ATM case. Trying to resist cybercriminals, large ATM vendors are introducing cryptographic methods of protection, while telling banks: buy our new ATMs, now they are definitely protected from Blackbox! However, is everything really as rosy as the vendor describes?

In an attempt to defend against any ATM attacks, vendors for the most part still use the same old method: security through obscurity. They think: if an attacker does not have access to the ATM documentation, and if we encrypt the firmware, then he will never be able to hack our products. On the one hand, this is how it should work. But, on the other hand… Insiders, “buddies” in the service center, cash dispensers on eBay – and that’s it, the attacker has everything he needs to carry out his plans. Let’s take the path of an attacker but for good purposes!

In our presentation, we will go through the same interesting path that cybercriminals take when preparing Blackbox attacks: we’ll buy a Wincor dispenser (the main board) on eBay, find a 0-day vulnerability, use it in laboratory conditions, and withdraw banknotes. In addition, we will also be lucky enough to find another vendor’s cash dispenser with the same vulnerability!

Hardwear.io Netherlands 2021

Hardwear.io Netherlands 2021 returns as a physical conference in The Hague between October 25 – 29, 2021. In the past 1.5 years we’ve up-skilled in virtual event management and we’ve also successfully navigated the swaths of new platforms – and even though it was an amazing experience, our hearts still beat for in-person events!

Throughout the past months, our goal was to knuckle down and build a physical event so that when this pandemic is over everyone can get to meet again, and hang out in a safe environment. And finally, physical events are back – we did it!

Oct 25-29: fasten your seatbelts for intensive in-person trainings, top-notch hardware-security talks, professional networking, stimulating CTFs and a challenging HardPwn.

Join Hardwear.io NL 2021 to learn, network, and collaborate with like-minded professionals!

