Many of the Bitcoin ATMs that have popped up everywhere from gas stations and smoke shops to bars and malls across the U.S. have major security vulnerabilities that render them susceptible to hackers, according to a new report by security researchers with crypto exchange Kraken.
The website howmanybitcoinatms.com estimates there are over 42,000 active Bitcoin ATMs across the U.S., a massive surge from January 2021, when Reuters reported the site listed 28,000. Such ATMs let users buy cryptocurrency with cash or credit (though not always the reverse) and process sensitive financial data. Unlike with bank-operated ATMs, the decentralized nature of cryptocurrency networks and a lack of regulation mean customers are likely to have less recourse if something goes disastrously wrong. Moreover, target markets for the devices include people who keep money in cryptocurrency rather than banks and people who don’t want their transfers to attract attention, whether for legitimate purposes or otherwise. Many are also located in dicey locations like liquor stores. Bitcoin ATMs have thus been juicy targets for malware and scams in the past.
Kraken discovered a number of software and hardware flaws with the General Bytes BATMtwo (GBBATM2) model of ATMs. Coin ATM Radar estimates the manufacturer has provided nearly 23% of all crypto ATMs worldwide; in the U.S., that percentage is 18.5%, while in Europe, it is 65.4%.
For example, owners have installed many GBBATM2 units without changing the default admin QR code that serves as a password, meaning that anyone who obtains that code could take control of the machine. Other issues Kraken reported included a lack of secure boot mechanisms, meaning a hacker could trick a GBBATM2 into running malicious code, and “critical vulnerabilities in the ATM management system.”
The QR code issue is particularly serious, Kraken’s researchers wrote, because they found that the default code is shared across units. This is a bit like buying a new computer and leaving the password set to “admin”:
When an owner receives the GBBATM2, they are instructed to set up the ATM with an “Administration Key” QR-code that must be scanned on the ATM. The QR code containing a password must be set separately for each ATM in the backend system.
However, when reviewing the code behind the admin interface, we found that it contains a hash of a default factory setting administration key. We purchased multiple used ATMs from different sources and our investigation revealed that each had the same default key configuration.
Kraken found there was no “fleet management” for admin QR codes, meaning that each and every unit has to have those critical passwords updated manually. This means anyone with knowledge of the vulnerability could take control of a GBBATM2 with the default code “through the administration interface by simply changing the ATM’s management server address,” the researchers wrote.
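Because the backend only stores a hash of each unit’s administration key, an operator can hunt for this problem without knowing the factory value at all: any hash that turns up on more than one unit is, by itself, a sign that the default (or a copy-pasted key) is in use. The fleet audit below is an added example written for this article, not code from Kraken or General Bytes; the unit records, the serial numbers, the “factory” key and the use of an unsalted SHA-256 are all constructed assumptions for illustration (a backend that salts per unit would hide the shared-hash signal and would need to be audited by re-hashing candidate defaults instead).

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.*;

/**
 * Fleet audit for shared administration-key hashes (hypothetical example).
 *
 * Groups units by the stored admin-key hash and reports every hash that is
 * shared by two or more units or matches a known default. Also generates a
 * fresh, per-unit replacement key suitable for encoding into a new QR code.
 */
public class AdminKeyAudit {

    /** One ATM record as it might be exported from a management backend (constructed fields). */
    public record Unit(String serial, String adminKeyHashHex) {}

    /** A finding: which units share a hash, and whether it is a known default. */
    public record Finding(String hashHex, List<String> serials, boolean knownDefault) {}

    /** Unsalted SHA-256 in hex; assumed here to be how the backend stores the key. */
    static String sha256Hex(String s) {
        try {
            byte[] d = MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8));
            StringBuilder sb = new StringBuilder();
            for (byte b : d) sb.append(String.format("%02x", b));
            return sb.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }

    /** Returns one finding per hash that is either shared across units or a known default. */
    public static List<Finding> audit(List<Unit> fleet, Set<String> knownDefaultHashes) {
        Map<String, List<String>> byHash = new LinkedHashMap<>();
        for (Unit u : fleet) {
            byHash.computeIfAbsent(u.adminKeyHashHex().toLowerCase(Locale.ROOT), k -> new ArrayList<>())
                  .add(u.serial());
        }
        List<Finding> findings = new ArrayList<>();
        for (Map.Entry<String, List<String>> e : byHash.entrySet()) {
            boolean isDefault = knownDefaultHashes.contains(e.getKey());
            if (e.getValue().size() > 1 || isDefault) {
                findings.add(new Finding(e.getKey(), List.copyOf(e.getValue()), isDefault));
            }
        }
        return findings;
    }

    /** 256-bit random key, URL-safe base64 so it fits cleanly in a QR code. */
    public static String newAdminKey() {
        byte[] k = new byte[32];
        new SecureRandom().nextBytes(k);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(k);
    }

    public static void main(String[] args) {
        // Constructed sample data: the "factory" key string below is invented for this example.
        String factoryKeyHash = sha256Hex("FACTORY-DEFAULT-ADMIN-KEY");
        List<Unit> fleet = List.of(
            new Unit("BATM-0001", factoryKeyHash),
            new Unit("BATM-0002", factoryKeyHash),
            new Unit("BATM-0003", sha256Hex("operator-key-0003")),
            new Unit("BATM-0004", sha256Hex("operator-key-0004")),
            new Unit("BATM-0005", sha256Hex("shared-by-mistake")),
            new Unit("BATM-0006", sha256Hex("shared-by-mistake")));

        for (Finding f : audit(fleet, Set.of(factoryKeyHash))) {
            System.out.printf("%s units %s (hash %s...)%n",
                f.knownDefault() ? "DEFAULT KEY:" : "SHARED KEY: ",
                f.serials(), f.hashHex().substring(0, 12));
            for (String serial : f.serials()) {
                // In practice each new key is scanned into its unit and re-registered in the backend.
                System.out.printf("  rotate %s -> %s%n", serial, newAdminKey());
            }
        }
    }
}
```

Run against the constructed fleet, this flags BATM-0001/0002 as sitting on the known default and BATM-0005/0006 as sharing a key, while the two units with unique keys produce no finding. The point of the shared-hash check is that it keeps working even when the factory value is unknown, which is the situation most operators are in.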
Kraken’s report also noted that the internals of the unit are housed in a “single compartment that is protected by a single tubular lock,” while the GBBATM2 has no local or server-side alarms to notify anyone it has been opened. This is insecure in general, but it’s particularly bad as owners likely aren’t the only ones with keys, because someone has to change the cashbox. According to the report, anyone with the key could compromise internal components such as the cashbox or computer, or peripherals like the fingerprint reader and camera.
The Android OS running on the GBBATM2 also lacks basic security features, Kraken wrote, such as locking down the full Android UI:
We found that by attaching a USB keyboard to the BATM, gaining direct access to the full Android UI is possible – allowing anyone to install applications, copy files or conduct other malicious activities (such as sending private keys to the attacker). Android supports a “Kiosk Mode” that would lock the UI into a single application — which could prevent a person from accessing other areas of the software, however this was not enabled on the ATM.
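What “Kiosk Mode” looks like in practice is Android’s lock task mode plus a set of device-owner restrictions. The activity below is an added illustration for this article, not code from the BATM firmware or from General Bytes; it assumes the kiosk app has been made device owner at provisioning time and that `AtmAdminReceiver` (a `DeviceAdminReceiver` subclass) and `R.layout.activity_kiosk` are declared by that hypothetical app.

```java
import android.app.Activity;
import android.app.admin.DevicePolicyManager;
import android.content.ComponentName;
import android.content.Context;
import android.content.Intent;
import android.content.IntentFilter;
import android.os.Build;
import android.os.Bundle;
import android.os.UserManager;

/**
 * Locks an Android device to a single kiosk application (hypothetical example).
 *
 * Requires the app to be the device owner, set once on a freshly wiped device,
 * e.g. with: adb shell dpm set-device-owner <pkg>/.AtmAdminReceiver
 * The manifest entry for this activity should also carry
 * android:lockTaskMode="if_whitelisted".
 */
public class KioskActivity extends Activity {

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        DevicePolicyManager dpm =
                (DevicePolicyManager) getSystemService(Context.DEVICE_POLICY_SERVICE);
        ComponentName admin = new ComponentName(this, AtmAdminReceiver.class);

        if (!dpm.isDeviceOwnerApp(getPackageName())) {
            // Without device-owner rights, startLockTask() only "pins" the screen and the
            // user can back out of it with a key combination. Refuse rather than pretend.
            throw new IllegalStateException("kiosk app is not device owner");
        }

        // Only this package may enter lock task mode; everything else is blocked.
        dpm.setLockTaskPackages(admin, new String[] {getPackageName()});
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.P) {
            // No home, overview, notifications or global actions while locked.
            dpm.setLockTaskFeatures(admin, DevicePolicyManager.LOCK_TASK_FEATURE_NONE);
        }

        // Close the sideloading and file-copy paths a plugged-in keyboard or cable would reach.
        String[] restrictions = {
                UserManager.DISALLOW_INSTALL_APPS,
                UserManager.DISALLOW_INSTALL_UNKNOWN_SOURCES,
                UserManager.DISALLOW_DEBUGGING_FEATURES,   // adb
                UserManager.DISALLOW_USB_FILE_TRANSFER,    // MTP/PTP
                UserManager.DISALLOW_SAFE_BOOT,
                UserManager.DISALLOW_FACTORY_RESET,
                UserManager.DISALLOW_ADD_USER,
        };
        for (String r : restrictions) {
            dpm.addUserRestriction(admin, r);
        }

        // No lock screen or status bar to poke at on an unattended terminal.
        dpm.setKeyguardDisabled(admin, true);
        dpm.setStatusBarDisabled(admin, true);

        // Make this activity the HOME app so it comes back on its own after a reboot.
        IntentFilter home = new IntentFilter(Intent.ACTION_MAIN);
        home.addCategory(Intent.CATEGORY_HOME);
        home.addCategory(Intent.CATEGORY_DEFAULT);
        dpm.addPersistentPreferredActivity(admin, home, new ComponentName(this, KioskActivity.class));

        setContentView(R.layout.activity_kiosk);
        startLockTask();
    }
}
```

A caveat that matters for the attack described above: lock task mode does not stop a USB keyboard from typing into the kiosk app; what it removes is the ability to leave that app, reach the launcher or settings, or install anything, which is the path the researchers used. It is a software control layered on top of whatever the bootloader and secure boot guarantee, so it is only as strong as the boot chain under it.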
Other serious flaws included a failure to enable the secure-boot functionality or lock the bootloader. In the first case, Kraken wrote, this means privileged code could be run by a malicious party simply by plugging a USB cable into the system board and rebooting while holding a button, while in the second, the attacker would just need to plug a serial cable into a UART port. The firm also found that the Crypto Application Server (CAS) that runs the ATMs lacks Cross-Site Request Forgery (CSRF) protection, meaning attackers could potentially forge authenticated requests, for instance by luring a logged-in operator to a page that submits a request to the CAS on their behalf.
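The standard fix for the CSRF gap is a synchronizer token: the server issues a random per-session token, embeds it in its own forms, and rejects any state-changing request that does not present it, which a page on another origin cannot do. The servlet filter below is an added example for this article, not code from the CAS or from General Bytes, and it assumes a Servlet 4.0+ container, a hypothetical `_csrf` form field and `X-CSRF-Token` header name, and that the application’s own pages call `tokenFor(session)` when rendering forms.

```java
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Locale;
import java.util.Set;

/**
 * Synchronizer-token CSRF protection for a servlet-based admin backend
 * (hypothetical example).
 *
 * Safe methods (GET/HEAD/OPTIONS) pass through. Every other request must carry
 * the per-session token as the "_csrf" form field or the "X-CSRF-Token"
 * header; the comparison is constant-time so the token cannot be guessed
 * byte by byte through timing.
 */
public class CsrfFilter implements Filter {
    static final String SESSION_ATTR = "csrfToken";
    static final String FORM_FIELD = "_csrf";
    static final String HEADER = "X-CSRF-Token";
    private static final Set<String> SAFE_METHODS = Set.of("GET", "HEAD", "OPTIONS");
    private static final SecureRandom RNG = new SecureRandom();

    /** Returns the session's token, creating it on first use; templates embed this in forms. */
    public static String tokenFor(HttpSession session) {
        synchronized (session) {
            String t = (String) session.getAttribute(SESSION_ATTR);
            if (t == null) {
                byte[] b = new byte[32];
                RNG.nextBytes(b);
                t = Base64.getUrlEncoder().withoutPadding().encodeToString(b);
                session.setAttribute(SESSION_ATTR, t);
            }
            return t;
        }
    }

    /** The policy as a pure function, so it can be unit-tested without a container. */
    static boolean isAllowed(String method, String sessionToken, String presented) {
        if (SAFE_METHODS.contains(method.toUpperCase(Locale.ROOT))) return true;
        if (sessionToken == null || presented == null) return false;   // no session, no token: deny
        return MessageDigest.isEqual(
                sessionToken.getBytes(StandardCharsets.UTF_8),
                presented.getBytes(StandardCharsets.UTF_8));
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest r = (HttpServletRequest) req;
        HttpSession session = r.getSession(false);   // never create a session just to check a token
        String sessionToken = session == null ? null : (String) session.getAttribute(SESSION_ATTR);

        String presented = r.getHeader(HEADER);
        if (presented == null) presented = r.getParameter(FORM_FIELD);

        if (!isAllowed(r.getMethod(), sessionToken, presented)) {
            ((HttpServletResponse) res).sendError(
                    HttpServletResponse.SC_FORBIDDEN, "missing or invalid CSRF token");
            return;
        }
        chain.doFilter(req, res);
    }
}
```

Two things the filter relies on: the application must never change state on GET (otherwise the safe-method bypass becomes the attack), and the session cookie should additionally be marked `SameSite=Lax` or `Strict` as defense in depth. On this particular backend the stakes are concrete, since the request being forged could be the one that repoints a unit at an attacker-controlled management server.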
Kraken recommends that anyone using a Bitcoin ATM should carry out cryptocurrency transactions in trustworthy locations that are protected by surveillance cameras. For operators, they are practically begging you to change the default QR code and install those cameras in the first place. The report said that General Bytes has updated their backend since being informed of the vulnerabilities in April 2021 and operators should install the newest versions of the CAS, though some of the identified flaws may only be fixable with hardware upgrades.
And remember, if someone manages to steal your cryptocurrency, it’s probably gone forever.