In recent months, multiple US law enforcement agencies have responded to ATM jackpotting attacks targeting Direct Memory Access (DMA) of various ATM models and manufacturers by bypassing traditional security controls – resulting in significant financial loss and operational disruption.

DMA attack vulnerabilities may exist across all ATM manufacturers and models.

Attackers gain physical access to the ATM’s upper enclosure (top hat), power it down, open the main computer case (housing), connect malicious hardware (such as a DMA card or PCILeech device) to an internal port, and then power the ATM back up to directly access the memory by installing and/or executing malware on the ATM. This method is effective regardless of ATM brand or model, and older models may lack BIOS (Basic Input/Output System)1 or other firmware update support

Technical Details and Attack Vectors

• Hardware Exploitation: Attackers target PCIe and M.2 ports, now standard in many ATMs. DIMM slots for RAM modules are also potentially vulnerable.

• DMA Attack Mechanism: DMA attacks enable direct injection into RAM, bypassing antivirus, whitelisting, and other operating system (OS)-level controls.

• Security Override: Once RAM is accessed, attackers can override security factors and issue direct disk commands.

Device Components Used in Recent Attacks

The following images represent typical components recovered from ATM DMA incidents. These devices, which can include a Raspberry Pi, DMA card, PCI adapter card, hot spot device, and an external USB power supply, can be used to facilitate direct access to ATM memory and bypass security controls.

Mitigation Recommendations

Successful mitigation requires a multi-layered strategy and may include the following actions.

• Update and set strong BIOS passwords (never keep default passwords).

• Configure BIOS to disable unused ports or expansion slots that provide DMA access (PCIe, M.2, etc.).

• To mitigate unauthorized access for ATMs lacking BIOS or other firmware support, vulnerable ports may be physically shut with epoxy. A secondary option may be using tamper-proof seals on vulnerable ports. However, both methods may result in damage to the motherboard.

• Implement physical protection measures (to include protecting ports) and monitor physical access to ATMs.

• Implement additional software protections that monitor and block new hardware changes or that recognize that they may be bypassed if memory is compromised.

• Disable or physically secure unused expansion slots (network, Wi-Fi, video, etc.).

• Upgrade hardware to support Kernel DMA protection available in newer hardware and operating systems.

• Review logs for ATM power cycles, hardware changes, foreign device drivers, chained suspicious events, and cash discrepancies, which are key indicators of attack.

• Implement real-time monitoring to identify attacks in progress.

• Use Windows Group Policy to block unauthorized hardware changes.

• Use application and hardware whitelisting where possible.

• Employ advanced endpoint protection and sandboxing, as attackers may attempt to disable these tools.

Contact Your ATM Manufacturer for Further Guidance and Support

Background

DMA is a standard technology on most computers that provides the hardware with the ability to directly interact with the memory of the system for increased performance of large data transfers. DMA is legitimately used in standard technologies like PCI Express (PCIe), FireWire, Thunderbolt, PCMCIA (PC Card), CardBus, and ExpressCard.