Security Affairs

Experts found critical flaws in the Diebold Opteva ATM that allow an unauthorized user to vend notes from the machine


Experts at the US firm IOActive have discovered a critical physical and authentication bypass vulnerability in the Diebold Opteva ATM.

The researchers have found two vulnerabilities in the Diebold Opteva ATM machines with the AFD platform that could be chained to allow an unauthorized user to vend notes from the device.

“IOActive has discovered two vulnerabilities in Opteva ATMs with the AFD platform that, when combined, may allow an unauthorized user to vend notes from the device.” reads the advisory.


The Diebold Opteva line of ATMs with the AFD platform is composed of an upper cabinet for the operating system and a lower cabinet for the safe, each with its own authentication requirements.

Chaining the vulnerabilities allows the attacker to bypass both authentication mechanisms and take control of the Diebold Opteva ATM.

In the attack scenario presented by IOActive, the researchers gained physical access to the internal computer by inserting a metal rod through a speaker hole on the front of the ATM and lifting a metal locking bar, which opened the upper cabinet of the Diebold Opteva ATM that contains the computer. Once they had access to the computer, the researchers removed the USB connection from the Windows host and gained a direct line of communication to the AFD controller for the safe.

At this point, the hackers triggered the second flaw to get to the money.

The experts reverse engineered the AFD’s protocol and firmware and were able to gain access to the contents of the safe without authenticating.

“Using the USB that connects the AFD to the computer in the upper cabinet, the team was able to initiate two-way communication. This would normally require a shared encryption key and a device identifier; however, the team was able to complete the authentication protocol unencrypted and set up communications without properly authenticating. This allowed the team to act as an authenticated user and gain access to the contents of the safe.” continues the analysis. “The protocol does not require any device specific knowledge to carry out the attack. This would imply that an attacker with access to one device could reverse engineer enough of the controller protocol to effectively bypass authentication and vend notes from any other device that uses an AFD as long as the vulnerability remains unpatched.”
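The two weaknesses quoted above (the handshake could be completed unencrypted, and no device-specific knowledge was needed) correspond to two controller-side checks: fail closed when no valid proof is presented, and bind the proof to a per-device key. The sketch below is an added illustration, not IOActive's or Diebold's code and not the AFD protocol; the class and function names, the HMAC construction and the sample keys are all assumptions.

```python
import hashlib
import hmac
import secrets

def derive_device_key(master_key: bytes, device_id: bytes) -> bytes:
    # Provisioning step: each unit gets its own key; the master key stays offline.
    return hmac.new(master_key, b"device-key|" + device_id, hashlib.sha256).digest()

def host_proof(device_key: bytes, device_id: bytes, nonce: bytes) -> bytes:
    # Host side: prove possession of the key over the controller's fresh nonce.
    return hmac.new(device_key, nonce + device_id, hashlib.sha256).digest()

class SafeController:
    """Hypothetical controller-side session logic (not the AFD firmware)."""

    def __init__(self, device_key: bytes, device_id: bytes):
        self.device_key = device_key
        self.device_id = device_id
        self.nonce = None
        self.authenticated = False

    def challenge(self) -> bytes:
        self.authenticated = False            # a new handshake drops the old session
        self.nonce = secrets.token_bytes(16)
        return self.nonce

    def verify(self, proof: bytes) -> bool:
        nonce, self.nonce = self.nonce, None  # nonce is single use (no replay)
        self.authenticated = False
        if nonce is None or not proof:        # fail closed: no unauthenticated mode
            return False
        expected = host_proof(self.device_key, self.device_id, nonce)
        self.authenticated = hmac.compare_digest(expected, proof)
        return self.authenticated

    def dispense(self, notes: int) -> int:
        if not self.authenticated:
            raise PermissionError("dispense refused: session not authenticated")
        return notes

def demo() -> dict:
    master = b"constructed-master-key"        # constructed sample values
    id_a, id_b = b"UNIT-A", b"UNIT-B"
    ctl = SafeController(derive_device_key(master, id_a), id_a)
    good = host_proof(derive_device_key(master, id_a), id_a, ctl.challenge())
    results = {"legit": ctl.verify(good), "replay": ctl.verify(good)}
    results["no_proof"] = (ctl.challenge(), ctl.verify(b""))[1]
    other = host_proof(derive_device_key(master, id_b), id_b, ctl.challenge())
    results["other_unit_key"] = ctl.verify(other)
    return results
```

Only the first case in `demo()` is accepted; a replayed proof, an empty proof and a proof computed with another unit's key are all rejected, so a key recovered from one device does not open a session on another.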

IOActive reported the issue to Diebold in February 2016; only one year later, in May 2017, Diebold responded: “[your]..system is very old (2008/2009 vintage) and is unpatched;”

IOActive asked if retesting a recent supported version would be possible, but received no reply.

Finally, on July 26, 2017, IOActive opted for the public disclosure.

Unfortunately, it is still unclear whether the ATMs have been patched, or whether any newer firmware versions are still vulnerable.

Pierluigi Paganini

(Security Affairs – Diebold Opteva ATM, hacking)