Historically, ATMs have been designed without privileged separation between the safe and the internal operating system. In an attempt to address this security concern, Diebold developed the AFD platform. The Opteva line of ATMs with the AFD platform contain an upper cabinet for the operating system and a lower cabinet for the safe, each with its own authentication requirements.
Using reverse engineering and protocol analysis, IOActive found a critical vulnerability in the tested version of the Opteva ATM with the AFD platform. Despite its separation of privilege and authentication requirements, the ATM is still vulnerable to a malicious attacker, compromising its integrity and causing unauthenticated vending from the AFD.