Most Bitcoin ATMs that have popped up everywhere from gas stations and smoke shops to bars and malls across the United States have major security flaws that leave them vulnerable to hackers, according to a new report by security researchers with the Kraken crypto exchange.
The howmanybitcoinatms.com website estimates that there are over 42,000 active Bitcoin ATMs in the United States, a massive increase from January 2021, when Reuters reported that the site listed 28,000. These ATMs let users buy cryptocurrency with cash or credit (but not always the other way around) and process sensitive financial data. Unlike traditional ATMs operated by banks, the distributed nature of cryptocurrency networks and the lack of regulation mean customers will likely have less recourse if something goes wrong. Additionally, the target markets for these devices include people who hold their money in cryptocurrency rather than in banks, and people who don’t want their transfers to attract attention, whether for legitimate purposes or otherwise. Many are also located in risky places like liquor stores. Bitcoin ATMs have thus been juicy targets for malware and scams in the past.
Kraken discovered a number of software and hardware flaws in the General Bytes BATMtwo ATM model (GBBATM2). Coin ATM Radar estimates that the manufacturer supplied nearly 23% of all crypto ATMs in the world; in the United States its share is 18.5%, while in Europe it is 65.4%.
For example, owners have installed many GBBATM2 units without changing the default admin QR code that serves as a password, meaning that anyone who obtains that code can eventually take control. Other issues Kraken wrote about included a lack of secure boot mechanisms, meaning a hacker could trick a GBBATM2 into executing malicious code, and “critical vulnerabilities in the ATM management system”.
The QR code issue is particularly serious, Kraken researchers wrote, as they found that the default code is shared between units. It’s a bit like buying a new computer and never changing the password from “admin”:
When an owner receives the GBBATM2, they are asked to configure the ATM with a QR code “administration key” which must be scanned at the ATM. The QR code containing a password must be set separately for each ATM in the backend system.
However, when examining the code behind the admin interface, we found that it contains a hash of a factory-default admin key. We bought several used ATMs from different sources and our investigation revealed that each had the same default key configuration.
Kraken discovered that there was no “fleet management” for administration QR codes, meaning that each unit must have these critical passwords updated manually. This means that anyone with knowledge of the vulnerability could take control of a GBBATM2 with the default code “through the administration interface by simply changing the address of the management server of the ATM,” the researchers wrote.
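Because the report says each unit's administration key must be changed by hand and the factory default is shared across units, an operator's first defensive step is a fleet audit. The script below is an added example, not code from Kraken or General Bytes: it assumes an inventory export with an unsalted SHA-256 hash of each unit's admin key and its configured management-server host (both the hash scheme and the field names are assumptions; the default key and hosts are constructed placeholders), and flags units still on the default key, units sharing a key, and units pointed at an unexpected management server.

```python
import hashlib
from collections import Counter

# Constructed placeholders: the real factory-default key, the hash scheme
# and the operator's CAS hostname are not given on the page.
DEFAULT_ADMIN_KEY = "FACTORY-DEFAULT-KEY-PLACEHOLDER"
EXPECTED_CAS_HOST = "cas.example-operator.invalid"


def key_hash(admin_key: str) -> str:
    """Assumed scheme: unsalted SHA-256 of the administration key, hex-encoded."""
    return hashlib.sha256(admin_key.encode("utf-8")).hexdigest()


# Constructed fleet inventory: one record per ATM as an operator's backend might export it.
FLEET = [
    {"atm_id": "ATM-001", "admin_key_hash": key_hash(DEFAULT_ADMIN_KEY), "cas_host": EXPECTED_CAS_HOST},
    {"atm_id": "ATM-002", "admin_key_hash": key_hash("operator-key-7f3a"), "cas_host": EXPECTED_CAS_HOST},
    {"atm_id": "ATM-003", "admin_key_hash": key_hash(DEFAULT_ADMIN_KEY), "cas_host": "198.51.100.23"},
    {"atm_id": "ATM-004", "admin_key_hash": key_hash("operator-key-7f3a"), "cas_host": EXPECTED_CAS_HOST},
    {"atm_id": "ATM-005", "admin_key_hash": key_hash("operator-key-c21d"), "cas_host": EXPECTED_CAS_HOST},
]


def audit_fleet(fleet, default_key=DEFAULT_ADMIN_KEY, expected_cas=EXPECTED_CAS_HOST):
    """Return {atm_id: [issues]} for every unit with a finding; clean units are omitted."""
    default_hash = key_hash(default_key)
    # Count how many units share each key hash so reused keys stand out.
    hash_counts = Counter(unit["admin_key_hash"] for unit in fleet)
    findings = {}
    for unit in fleet:
        issues = []
        if unit["admin_key_hash"] == default_hash:
            issues.append("default-admin-key")
        elif hash_counts[unit["admin_key_hash"]] > 1:
            issues.append("admin-key-shared-across-units")
        # A changed management-server address is the takeover path the report describes.
        if unit["cas_host"] != expected_cas:
            issues.append("unexpected-management-server")
        if issues:
            findings[unit["atm_id"]] = issues
    return findings


if __name__ == "__main__":
    for atm_id, issues in sorted(audit_fleet(FLEET).items()):
        print(f"{atm_id}: {', '.join(issues)}")
```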
The Kraken report also noted that the unit’s internals are housed in a “single compartment protected by a single tubular lock”, while the GBBATM2 has no local or server-side alarms to notify anyone when it is opened. This is insecure in general, but it is especially bad because the owners are probably not the only ones with keys, since someone has to change the till. According to the report, anyone with the key could compromise internal components such as the cash box or computer, or peripherals such as the fingerprint reader and camera.
The Android operating system running on the GBBATM2 also lacks basic security features, Kraken wrote, such as locking down the full Android UI:
We have found that by connecting a USB keyboard to the BATM, it is possible to directly access Android’s full user interface, which allows anyone to install apps, copy files, or conduct other malicious activities (such as sending private keys to the attacker). Android supports a “kiosk mode” that locks the user interface into a single app, which could prevent someone from accessing other areas of the software, but this was not enabled on the ATM.
Other serious flaws included the failure to enable the secure boot feature or to lock the bootloader. In the first case, Kraken wrote, privileged code could be executed by a malicious party simply by plugging a USB cable into the system board and rebooting while holding a button down; in the second, the attacker would just need to plug a serial cable into a UART port. The company also found that the Crypto Application Server (CAS) that manages the ATMs had no cross-site request forgery (CSRF) protection in place, meaning that attackers could potentially forge authenticated requests.
Kraken recommends that anyone using a Bitcoin ATM conduct cryptocurrency transactions only at trusted locations protected by surveillance cameras. As for operators, Kraken is practically begging them to change the default QR code and to install those cameras in the first place. The report states that General Bytes has updated its backend since learning of the vulnerabilities in April 2021 and that operators should install the latest version of the CAS, although some of the flaws identified can only be fixed with hardware upgrades.
And remember, if anyone manages to steal your cryptocurrency, it’s probably gone forever.