Security researchers Brenda So and Trey Keown of the Red Balloon security firm unveiled two new "jackpotting" flaws that force Nautilus ATMs to dispense cash on command.
The bugs have lain dormant within the ATMs' underlying software—a 10-year-old version of Windows no longer supported by Microsoft—which the researchers reverse-engineered.
The first vulnerability was in the manufacturer's implementation of the Extensions for Financial Services software layer; Keown said transmitting a malicious request over the network could trigger the cash dispenser and dump the cash inside.
The second flaw resided in the ATM's remote management software, and So said it was possible to swap its payment processor for a hacker-controlled server to extract data like credit card numbers.
The researchers privately disclosed their findings to Nautilus last year, and Bloomberg reported roughly 80,000 Nautilus ATMs in the U.S. were vulnerable at the time.
Abstracts Copyright © 2020 SmithBucklin, Washington, DC, USA