ATMs for bitcoin (BTC) and other cryptocurrencies have begun to be widely deployed in countries like the United States. There, gas stations, bars and malls already have these machines, which allow the purchase of cryptocurrency and its conversion into dollars. But a new study by Kraken researchers has identified a number of serious security holes that make these machines susceptible to hacker attacks.
The evaluated model represents 23% of all BTC ATMs
According to howmanybitcoinatms.com, there are approximately 42,000 active bitcoin ATMs in the United States, an increase of 30% from the 28,000 registered in January 2021.
These machines allow users to buy cryptocurrencies with cash or a credit card, but not all units support withdrawing an amount of BTC converted into dollars. Each of these processes involves confidential financial data belonging to the user and their digital wallet.
There is also the inherent risk of decentralized networks such as bitcoin. Precisely because it is not managed by any organization, cryptocurrency users have greater freedom, but also far more responsibility. If there’s a problem involving a transaction or if a hacker breaks into your digital wallet, there’s no currency agency to help.
These ATMs were also created with a specific audience in mind, namely people who prefer to keep their money in cryptocurrencies instead of fiat currencies entrusted to traditional banks. Generally, this user profile also places great importance on the privacy of their transactions and on financial freedom.
With that in mind, the security issues found by researchers at the Kraken digital asset exchange are even more alarming. The report published last Wednesday (29) indicates that there are a number of software and hardware flaws in the General Bytes BATMtwo (GBBATM2) bitcoin ATM model.
The Coin ATM Radar monitoring site estimates that the manufacturer has supplied nearly 23% of all cryptocurrency ATMs worldwide, with a share of 18.5% in the United States, compared to 65.4% in Europe.
ATMs have “critical vulnerabilities”
Many GBBATM2 units were installed without changing the default administrator QR code, which serves as a password, meaning that anyone who obtains this code will be able to take control of the machines. Other issues Kraken encountered include a lack of secure boot mechanisms, meaning that a hacker could “trick” one of these ATMs into running malicious code and exploiting “critical vulnerabilities” in the machine’s management system.
The main problem is related to the default QR code, which, according to the researchers, is shared between units of the same model. When an owner receives a GBBATM2 unit, they are instructed to configure the machine with a QR code equivalent to an “administrative key”. Thus, another QR code containing a password must be set separately for each ATM in the back-end system.
However, Kraken researchers found that the administrative key code could still be accessed when reviewing the system. After purchasing and analyzing multiple units of this model, they found that the machines keep this code in their factory settings.
This means that anyone with knowledge of the vulnerability could take control of a GBBATM2 that still uses the default code “through the administration interface, simply by changing the ATM management server address,” the researchers said in the report.
GBBATM2 model has physical security flaws
There are also physical flaws in the machine. The hardware and all other internal elements of the ATM are stored in a “single compartment that is protected by a single tubular lock”. Also, the GBBATM2 model has no local or server-side alarm to alert anyone that it has been opened.
According to the report, this is a broad security gap and is particularly problematic because there are multiple physical keys to these locks, as someone has to open the machine to restock or remove the dollar bills. Thus, anyone in possession of this key could access and compromise internal components and peripherals such as the camera and fingerprint reader.
Finally, the Android-based system used by GBBATM2 units lacks security protocols:
“We found that by connecting a USB keyboard to the ATM, it is possible to gain direct access to the full Android UI, allowing anyone to install apps, copy files or conduct other malicious activities (such as sending private keys).”
Kraken recommends that anyone using a bitcoin ATM transact in trusted locations protected by surveillance cameras. The report said General Bytes has updated its back end since being informed of the vulnerabilities in April 2021, and operators are expected to install the latest software versions, although some of the identified flaws can only be fixed with hardware updates.
With information from Gizmodo