Fresh ATM Encryption Flaws Raise New Fears, Can Hackers Really Force Cash Machines to Spill Millions? + Video

Listen to this Post

Featured ImageIntroduction: A Security Debate That Could Reshape ATM Protection

For years, banks and ATM manufacturers have invested billions of dollars into making cash machines resistant to both physical and digital attacks. Heavy steel vaults, encrypted storage, secure boot mechanisms, and proprietary security software were all designed to keep criminals away from customer funds.

However, new research presented ahead of Black Hat USA 2026 suggests that one overlooked layer of ATM protection may contain critical weaknesses. Security researcher Matt Burch uncovered nine vulnerabilities affecting CryptWare CryptoPro Secure Disk, a full-disk encryption solution used in enterprise environments and integrated into ATM security products.

The discovery has triggered an unusual debate. While the researcher believes the vulnerabilities could contribute to successful ATM jackpotting attacks under certain circumstances, ATM giant Diebold Nixdorf argues that the practical risk to its deployed systems is minimal. Regardless of who is ultimately correct, the findings serve as another reminder that encryption alone is never enough if the surrounding implementation contains weaknesses.

Researchers Discover Nine Vulnerabilities in ATM Encryption Software

Security researcher Matt Burch, Principal Security Researcher at Atredis Partners, is scheduled to reveal nine previously undisclosed vulnerabilities during Black Hat USA 2026.

The affected software is CryptWare CryptoPro Secure Disk, commonly referred to as CryptoPro. The solution provides full-disk encryption together with pre-boot authentication for Windows systems.

Unlike many encryption platforms that target only enterprise computers, CryptoPro is marketed toward both corporate environments and ATM manufacturers, making the discovery particularly noteworthy.

Although the vulnerabilities themselves are not disputed, the security community is divided over how dangerous they actually are.

The Disagreement Between the Researcher and Diebold

The central controversy

Instead, the debate focuses on whether those vulnerabilities can actually be used to steal money from ATMs.

Burch argues that CryptoPro represents a foundational security component within a broader ATM protection stack. If compromised, attackers could potentially bypass security controls and launch jackpotting attacks.

Diebold Nixdorf strongly disputes that conclusion.

According to the company, its ATM architecture does not rely on Microsoft BitLocker protected by CryptoPro in the manner described by the research. While acknowledging that certain CryptoPro components exist within its Vynamic Security Hard Disk Encryption solution, the company insists that the disclosed vulnerabilities present little or no practical risk in real-world deployments.

Understanding How Modern ATMs Are Built

Many people assume that ATMs are protected equally from top to bottom.

They are not.

The lower section contains the physical cash vault and is constructed using reinforced steel capable of resisting aggressive attacks.

The upper section houses the computer, motherboard, storage devices, and Windows operating system.

Ironically, this area often receives considerably less physical protection.

According to Burch, some ATM head units are protected using thinner steel or even plastic panels, making physical access significantly easier than attacking the cash vault itself.

Once attackers gain access to the internal computer hardware, software attacks become far more realistic.

Windows Powers More ATMs Than Most People Realize

Many ATMs still rely on Microsoft Windows operating systems.

Running above Windows is an extensive software ecosystem responsible for banking communication, transaction processing, hardware control, receipt printing, PIN management, and cash dispensing.

One of the most important technologies inside that stack is the XFS interface.

XFS acts as the communication bridge between banking software and ATM hardware, allowing applications to command devices such as card readers, PIN pads, cash dispensers, and receipt printers.

If malware successfully gains access to XFS, attackers can potentially instruct the machine to dispense money without authorization.

Jackpotting Continues to Grow Worldwide

Cybercriminals have increasingly shifted away from traditional bank robberies toward software-based ATM attacks.

Instead of breaking open the vault, attackers attempt to compromise the ATM’s operating system.

One of the best-known malware families involved in these attacks is Ploutus.

Since jackpotting attacks first appeared in the United States several years ago, incidents have steadily increased.

Law enforcement data indicates thousands of reported cases over recent years, with hundreds occurring during 2025 alone and resulting in losses exceeding $20 million.

The trend demonstrates that ATM malware remains an active criminal business.

Where CryptoPro Becomes Vulnerable

Burch’s research identified several weaknesses inside CryptoPro’s implementation.

One of the most significant issues involved the software’s pre-boot disk decryption process.

Under specific failure conditions, encrypted volumes could reportedly be mounted in plaintext rather than remaining inaccessible.

Another weakness involved how CryptoPro detected encrypted Linux disks.

Because the verification process relied on superficial checks, an attacker could allegedly manipulate the storage layout to convince the software that an encrypted disk existed when it actually did not.

As a result, protected information could become exposed.

Encryption Keys Should Never Sit Beside Protected Data

One of the more concerning findings involved secret key storage.

According to the research, CryptoPro stored encryption material and configuration information directly on the protected disk.

If attackers successfully accessed the drive during boot, they could potentially recover those secrets.

This effectively undermines the purpose of encryption.

As Burch explained, locking a box while leaving the key next to it provides only the illusion of security.

Secure Boot May Not Have Been Fully Secure

The researcher also examined

He claims attackers could potentially launch their own Linux boot environment rather than the trusted vendor environment.

If successful, this would provide attackers with extensive control before Windows even starts.

Operating before the operating system loads gives attackers an enormous advantage because many traditional endpoint security products are not yet active.

A Possible Jackpotting Attack Chain

According to

The attack sequence could involve:

Physical access to the ATM.

Booting an attacker-controlled Linux environment.

Recovering encryption secrets.

Decrypting the Windows installation.

Executing malicious code.

Accessing the XFS layer.

Triggering cash dispensing through established jackpotting techniques.

Whether every deployed ATM can actually be compromised this way remains the primary point of disagreement.

Diebold Maintains Real-World Risk Is Limited

Diebold Nixdorf reviewed the disclosed vulnerabilities alongside CryptoPro developers.

The company concluded that most findings do not directly affect deployed ATM systems.

Officials stated that only two of the reported vulnerabilities could theoretically impact certain hard disk encryption configurations under specific circumstances.

Those issues were reportedly addressed through software updates released during December 2025.

Although the company rejects the broader exploitation claims, it acknowledges that portions of CryptoPro are present within its security architecture.

Enterprise Organizations Should Also Pay Attention

The discussion extends well beyond ATM manufacturers.

CryptoPro is also deployed across numerous enterprise Windows environments.

The vendor claims hundreds of thousands of software licenses distributed across multiple industries and continents.

Organizations using full-disk encryption should therefore carefully examine how encryption keys, boot validation, authentication mechanisms, and recovery procedures are implemented.

Strong cryptography can be rendered ineffective if surrounding components expose sensitive secrets.

Deep Analysis

The vulnerabilities highlight a classic security principle: encryption is only as strong as its implementation. Even if algorithms like AES remain cryptographically secure, insecure key storage, weak boot validation, or improper fail-safe logic can completely bypass their protection.

Example Linux Boot Inspection

lsblk
blkid
mount
dmesg | grep -i luks

Verify LUKS Metadata

cryptsetup luksDump /dev/sda3

TPM Detection

tpm2_getcap properties-fixed

Secure Boot Status

Confirm-SecureBootUEFI

BitLocker Status

manage-bde -status

Windows Boot Configuration

bcdedit /enum

Event Log Investigation

Get-WinEvent -LogName Security

Integrity Verification

sfc /scannow
DISM /Online /Cleanup-Image /RestoreHealth

Recommended Defensive Practices

Store encryption keys inside TPM or hardware-backed security modules.

Prevent unauthorized boot devices through BIOS and UEFI protections.

Enable Secure Boot with strict signature enforcement.

Monitor physical tampering using chassis intrusion detection.

Regularly update ATM firmware and security software.

Restrict maintenance interfaces and removable media.

Perform penetration testing against pre-boot authentication workflows.

Validate fail-safe logic so encryption failures never expose plaintext volumes.

Proper implementation matters just as much as strong cryptographic algorithms. A single design mistake can undo multiple layers of otherwise robust protection.

What Undercode Say

The research presented by Matt Burch highlights one of cybersecurity’s oldest lessons: implementation failures often create more risk than broken encryption algorithms. Modern cryptography remains mathematically strong, yet attackers rarely attack the math itself. Instead, they target the surrounding ecosystem.

What makes these findings especially important is the growing convergence of physical and cyber security. ATMs are no longer isolated cash machines. They are specialized Windows computers connected to banking infrastructure, making them attractive targets for financially motivated attackers.

The disagreement between the researcher and Diebold is equally valuable. Security researchers frequently evaluate worst-case scenarios, while vendors focus on real-world deployment conditions. Both perspectives contribute to stronger products, provided vendors investigate disclosures thoroughly.

Another notable lesson is the importance of secure key management. Encryption without proper protection of key material creates a dangerous illusion of safety. Hardware-backed trust anchors such as TPMs and secure elements exist precisely to prevent software-accessible key exposure.

The pre-boot environment also deserves greater attention. Many organizations invest heavily in endpoint detection and response platforms, yet comparatively few monitor what happens before the operating system loads. Attackers increasingly understand this blind spot.

The research also reminds enterprises that proprietary security software deserves the same level of scrutiny as operating systems themselves. Third-party encryption products often become trusted implicitly despite operating with extremely high privileges.

Whether or not every Diebold ATM is vulnerable is almost secondary. The disclosure encourages vendors across the ATM industry to re-evaluate boot security, encryption architecture, physical access controls, firmware integrity, and key storage mechanisms.

Financial institutions should assume that sophisticated attackers will continue combining hardware manipulation with software exploitation. Future attacks will likely blend physical intrusion, firmware modification, operating system compromise, and malware deployment into coordinated campaigns.

Organizations operating Windows fleets can also learn from this research. Enterprise laptops, kiosks, medical devices, industrial control systems, and point-of-sale terminals frequently rely on similar encryption technologies. Weak implementation choices can have consequences far beyond banking.

The

Ultimately, the Black Hat presentation represents more than another vulnerability disclosure. It serves as a reminder that security must continuously evolve because attackers certainly do.

✅ Confirmed: Security researcher Matt Burch disclosed nine vulnerabilities affecting CryptWare CryptoPro Secure Disk and announced the research for presentation at Black Hat USA 2026.

✅ Confirmed: Diebold Nixdorf acknowledged reviewing the findings but stated that only a limited subset of the reported issues could theoretically affect certain ATM configurations, while maintaining that the overall real-world risk is low.

❌ Not Confirmed: There is currently no public evidence demonstrating that these vulnerabilities have been widely exploited to compromise deployed Diebold ATMs or that they have directly resulted in successful cash theft in real-world incidents.

Prediction

(+1) ATM manufacturers will increasingly adopt hardware-backed key protection, stronger Secure Boot enforcement, and more rigorous pre-boot integrity verification following public scrutiny of encryption implementations.

(-1) Cybercriminal groups specializing in jackpotting are likely to intensify research into pre-boot attacks, firmware manipulation, and encryption bypass techniques as traditional ATM malware becomes more difficult to deploy.

(+1) Enterprises using third-party full-disk encryption solutions will conduct broader security audits, leading to improved key management practices and stronger protection across Windows-based systems.

▶️ Related Video (76% Match):

🕵️‍📝Let’s dive deep and fact‑check.

🎓 Live Courses & Certifications:

Join Undercode Academy for Verified Certifications

🚀 Request a Custom Project:

Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands

References:

Reported By: www.darkreading.com
Extra Source Hub (Possible Sources for article):
https://www.pinterest.com
Wikipedia
OpenAi & Undercode AI

Image Source:

Unsplash
Undercode AI DI v2

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeNews & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky | 🐘Mastodon | 📺Youtube