Driver vulnerabilities may facilitate attacks on ATMs, point-of – sale (PoS) systems and other devices, as warned Monday by firmware security firm Eclypsium.
Last year, Eclypsium analyzed system drivers from major vendors and found that there were significant vulnerabilities that could be exploited to deploy persistent malware on more than 40 drivers made by 20 companies.
The company also advises that the Windows drivers used in ATMs and PoS apps can be very useful to threatening actors who attack these types of systems.
In the past few years , a small number of ATM malware families have appeared including those such as Skimer, Alice, CUTLET MAKER, Ploutus, Tyupkin, ATMJackpot, Suceful, RIPPER, WinPot, PRILEX, ATMii and GreenDispenser. Some of these malware pieces allow their operators to conduct so-called “jackpotting” attacks, where the attacker instructs the targeted ATM to offer cash.
The vulnerabilities affecting drivers operating on ATMs or PoS systems, according to Eclypsium, may allow attackers to escalate privileges and gain “deeper access” to the targeted network.
“By exploiting the functionality of unsafe drivers, attackers or their malware may obtain new rights, access information, and eventually steal money or customer data,” explained Eclypsium.
The security company , for example, identified a weakness found in a driver present on Diebold Nixdorf ATMs by its researchers. The driver in question provides access to x86 I / O ports, which is comparatively limited compared to other drivers in terms of functionality. However, a driver that provides arbitrary access to I / O ports could be useful in the initial phases of an attack as it may allow the attacker to access PCI-connected devices, including external devices and the SPI controller that provides access to the firmware of the network.
“What ‘PCI access’ means is that software can communicate with PCI devices and use them as a result,” said Mickey Shkatov, Eclypsium’s main researcher. “Take the following flow as an example: the software uses the driver to perform I / O operations that translate into legacy PCI access, then the software uses that PCI access to direct a computer to perform actions.”
“The Intel SPI controller is such a tool that the onboard non-volatile memory will read / write to the processor firmware in effect. By gaining arbitrary access to the I / O ports, an attacker could theoretically obtain arbitrary PCI access, which in effect could allow the attacker to target data from and to PCI-connected devices, “explained Shkatov.
Eclypsium also pointed out that it might allow an attacker to install a bootkit on the targeted computer in the case of the driver used by Diebold Nixdorf, since the driver is also leveraged to upgrade the firmware for the BIOS.
The vendor was reported with the vulnerability which released patches earlier this year. At the other hand, these types of security vulnerabilities that pose a danger for an prolonged period of time because tightly controlled system manufacturers usually need to issue fixes much longer due to compliance requirements. In this situation , for example, Eclypsium states that its work was completed in May 2019, but until now it has not been able to report its findings.
In fact, upgrades will take a lot of time to hit all end computers, which also also run obsolete operating systems like Windows XP and Windows 7.
Eclypsium claims that many other vulnerable drivers are likely to expose ATMs to attacks, and that they could be affected by even more severe security holes.