Security firm Red Balloon has spotted two security flaws in software used on ATMs made by Nautilus Hyosung America, and one in a mobile ATM support app, the companies said in a joint statement Monday.
The companies aren’t releasing all of the details of the vulnerabilities, which can be fixed with a security patch distributed by Nautilus Hyosung. Bloomberg reports that one of the bugs could have allowed attackers to siphon off card data belonging to ATM users, while another would have allowed them to send remote commands to the machines, including commands that make them dispense cash. There’s no sign the vulnerabilities have ever actually been exploited, according to the companies.
“We commend Nautilus Hyosung America for its fast and diligent response to these disclosures, and for taking the appropriate steps to fix these problems,” said Ang Cui, CEO of Red Balloon Security. “If left unaddressed, the vulnerabilities we discovered could have created a potential for exploitation.”
Nautilus Hyosung is the largest ATM provider in the United States, with more than 140,000 ATMs installed, the company said. The flaws affect only ATMs in the United States, and only those deployed at retail locations, not at banks.
The companies say they plan to continue to work together to secure Nautilus Hyosung ATMs.
Real-world ATM hacks aren’t unheard of: In 2018, the Secret Service warned that thieves could put malware on ATMs that would let them extract cash from the machines, a technique sometimes known as jackpotting.