German ATM displays bank’s network config data to infosec bod

A chance finding by a German security researcher has revealed ATMs run by German Bank Sparkasse leaked potentially sensitive information during a software update.

Benjamin Kunz-Mejri, chief exec and founder of Germany based security firm Vulnerability Lab, came across the problem when he unsuccessfully attempted to use his card to withdraw funds. The cash machine become unavailable before Kunz-Mejri pressed a “special keyboard combination” that result in a display of a software update process on the ATM’s screen, as a blog post by Vulnerability Lab explains.

The screen went to temporarily not available mode. In this mode Benjamin used a special keyboard combination to trick the ATM into another mode. By usage of the special combination the console (cmd) became available ahead to the maintenance message on top of the screen after the card came out of the ATM. At that moment the researcher realises that there is a gap and used his iPhone to capture the bootChkN console output (Wincor Nixdorf) of the branch administrator.

The screen scrolled through a substantial amount of sensitive information including the bank’s main system branch usernames, serial numbers, firewall settings, network information, device IDs and more. “Using the data he would be easily able to takeover the ATM (Automated Teller Machine) of the Wincor Nixdorf series,” Vulnerability Lab claimed.

Kunz-Mejri used his iPhone to capture the bootChkN terminal output before reposting the images in a Vulnerability Lab advisory on the ATM insecurity find. During the ATM update process the keyboard was not disabled, something that played a central role in the resulting vulnerability.

The security researcher is well known for his work uncovering security bugs in the web-based applications of PayPal, Apple’s iTunes and others rather than vulnerabilities in hardware or embedded systems, much less ATMs.

The ATMs encountered by Kunz-Mejri were manufactured by Wincor Nixdorf. El Reg approached both the bank and Wincor Nixdorf for comment but is yet to hear back from either. We’ll update this story as and when we learn more.

Bank Sparkasse has reportedly pushed out updates that fix the issue, first uncovered by Kunz-Mejri on ATMs in the German city of Kassel. Vulnerability Lab praised Bank Sparkasse for responding promptly and professionally to his vulnerability report. ®