A pair of security researchers has discovered two vulnerabilities in cash machines widely used across the US that could allow a determined criminal to steal cash and customer data.
Brenda So and Trey Keown, of New York-based Red Balloon Security, found the flaws in machines manufactured by Nautilus Hyosung America, the largest provider of automatic teller machines in the US. By gaining access to the same network as the target ATM, the researchers were able to obtain full control of the machine and bypass its security measures. They also discovered master keys to the ATMs for sale on Amazon.com – something other researchers have previously pointed out.
In a joint statement Monday, Red Balloon and Nautilus Hyosung said they had no evidence anyone had ever taken advantage of the vulnerabilities. The researchers said the flaws only affected retail versions of Nautilus ATMs, not ones used in financial institutions. According to an estimate by Red Balloon, more than 80,000 machines are vulnerable. Nautilus has more than 150,000 installed ATMs in the US, according to the statement.
Nautilus is a subsidiary of closely-held conglomerate Hyosung Corporation, based in South Korea. The security flaws only exist in ATMs developed and distributed by its US subsidiary.
The researchers said they reported the flaws to the company in the summer and a fix was developed within a week. “Nautilus Hyosung America has already issued firmware security updates to mitigate possible threats,” the company said in the statement. Nautilus said it “notified all of its commercial customers to immediately update their ATMs with these patches,” which were first released on September 4. Red Balloon said it is working with Nautilus to improve the security of its ATMs.
Red Balloon provides security for computers embedded inside products such as printers and ATMs.