Vulnerabilities Found In Commonly Used Bitcoin ATM

Key points

  • Before Using Cryptocurrency ATM
  • If One Owns a Crypto ATM
  • Same QR Code for All ATMs   
  • The Hardware
  • The Software

Bitcoin ATMs offer a user-friendly way for people to purchase cryptocurrencies. Kraken Security Labs has discovered many vulnerabilities in both the hardware and the software of a commonly used cryptocurrency ATM: the General Bytes BATMtwo (GBBATM2).

It was discovered that a large number of ATMs had been configured with the same default admin QR code. Anyone holding this QR code had the power to compromise those ATMs. There were also critical vulnerabilities in the ATM's management system, and the boot mechanism was not secure.

Kraken uncovered the vulnerabilities to achieve two goals: first, to make people aware of the risk, and second, to notify the manufacturer about the flaws so that they can be fixed. After General Bytes was informed about the issues, patches to their backend system were released.

Kraken Security Labs has advised users to be cautious before using such ATMs.

Before Using Cryptocurrency ATM

  • Use only cryptocurrency ATMs that you fully trust.
  • Ensure that the ATM has perimeter protections, such as surveillance cameras, so that any physical access to the ATM cannot go undetected.

If One Owns a Crypto ATM

  • Change the default admin QR code.
  • Update the CAS server.
  • Place ATMs where security measures such as surveillance cameras are in place.

Same QR Code for All ATMs   

When a new GBBATM2 is set up, the owner is instructed to configure the ATM with an "Administrative Key" QR code, which is scanned on the ATM. This QR code, which contains a password, has to be scanned separately for each ATM in the backend system.

The problem was that most ATM owners were not changing the default admin QR code. During testing it was discovered that there was no fleet management for the administration key, meaning the QR code could only be changed manually on each ATM. As a result, anyone holding the default key could take control of an ATM through its administrative interface simply by resetting the ATM's management server address.

The Hardware

The GBBATM2 has just a single compartment, protected by a single tubular lock. Once the lock is bypassed, complete access to the internals of the device is gained. A person replacing the cash box could easily backdoor the device.

There is also no mechanism by which the system could alert anyone that it has been compromised.

The Software

The Android operating system on the GBBATM2 is missing many common security features. A user with a simple USB keyboard could easily gain access to the Android UI, allowing the intruder to install applications, copy files or carry out other malicious actions. Even the secure-boot functionality was not used on the ATM, allowing it to be reprogrammed easily.

Access to the bootloader was also easily available, and Cross-Site Request Forgery (CSRF) protections were missing.
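The missing CSRF protection is the one software finding here that is easy to illustrate. The Python below is an added example written for this page, not code from the article, from Kraken Security Labs or from General Bytes, and it makes no claim about how the real ATM's management interface is built. It shows the synchronizer-token pattern that a state-changing admin action (the hypothetical `handle_change_server_address` handler and its `csrf_token` and `server_address` form fields are constructed for the example) should enforce: a token bound to the caller's session with an HMAC and an expiry, so that a request forged from another site, which cannot read the token, is rejected.

```python
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional, Tuple

# Server-side key used to bind tokens to sessions. Generated fresh here for the
# example; a real deployment would load it from a secrets store, never hard-code it.
SERVER_SECRET = secrets.token_bytes(32)
TOKEN_TTL_SECONDS = 15 * 60  # tokens older than 15 minutes are rejected


def _mac(session_id: str, ts: str) -> str:
    """HMAC over session id and issue timestamp; the server needs no per-token state."""
    msg = f"{session_id}:{ts}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def issue_csrf_token(session_id: str, now: Optional[float] = None) -> str:
    """Return a token "<timestamp>:<hex hmac>" to embed in the admin form for this session."""
    ts = str(int(now if now is not None else time.time()))
    return f"{ts}:{_mac(session_id, ts)}"


def verify_csrf_token(session_id: str, token: Optional[str], now: Optional[float] = None) -> bool:
    """True only if the token was issued for this session and has not expired."""
    if not token or ":" not in token:
        return False
    ts, mac = token.split(":", 1)
    if not ts.isdigit():
        return False
    current = now if now is not None else time.time()
    issued = int(ts)
    # Reject stale tokens and tokens claiming to come from the future.
    if current - issued > TOKEN_TTL_SECONDS or issued > current + 60:
        return False
    # Constant-time comparison so the check does not leak via timing.
    return hmac.compare_digest(_mac(session_id, ts), mac)


def handle_change_server_address(session_id: str, form: Dict[str, str]) -> Tuple[int, str]:
    """Toy handler for a state-changing admin action (hypothetical endpoint).
    The session id comes from the authenticated session cookie; the token comes
    from the submitted form body, which a cross-site attacker cannot populate."""
    if not verify_csrf_token(session_id, form.get("csrf_token")):
        return 403, "rejected: missing or invalid CSRF token"
    if not form.get("server_address"):
        return 400, "rejected: server_address is required"
    return 200, f"management server address updated to {form['server_address']}"


if __name__ == "__main__":
    sid = "session-A"  # constructed session id
    token = issue_csrf_token(sid)
    # Legitimate submission from the admin page carrying the token.
    print(handle_change_server_address(sid, {"csrf_token": token, "server_address": "https://cas.example.invalid"}))
    # Forged cross-site submission: cookie is sent automatically, but no token.
    print(handle_change_server_address(sid, {"server_address": "https://attacker.example.invalid"}))
```

The token is tied to the session id, so a token harvested from one session is useless against another, and the timestamp bounds how long a leaked token stays valid. Pairing this with a `SameSite` attribute on the session cookie gives a second, independent layer against cross-site requests.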

Disclaimer: This article is provided for information only and should not be considered financial advice. It is advisable to conduct thorough research before investing in any cryptocurrency.

Photo by – vjkombajn on Pixabay