Learn about ATM technology through NCR vulnerabilities (26th Aug 2020)

Preface: A few years ago, ATM attackers might have the opportunity to compromise ATM machines through this method (Raspberry Pi + Python + Wifi). It looks that it is not possible right now.

Study Road Map: From a security perspective, the design weaknesses disclosed by the vendor this time are divided by 3 types.
– Insufficient encryption strength (CVE-2020-10125),
– Main weaknesses in authentication bypass (CVE-2020-10126)
– Lack of data protection (CVE-2020-10124)

Before reading the details of the vulnerability note (VU#815655). We should know the main product specifications.
1. What is XFS?
eXtensions for Financial Services, or XFS, is an open systems middleware international standard promoted by the European Committee for Standardization (CEN) that allows software from multiple vendors to run on different manufacturers’ATMs and other types of payment terminals.

2. What is BNA?
BNA (Bunched Note Acceptor) – Depository that accepts many varied notes without an envelope.

3. Read the vulnerability description (see URL below). Increase your imagination through attached diagram. Maybe you will dig more details, not just the official announcement.

https://kb.cert.org/vuls/id/815655

4. Take your time.

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.