Kraken Reveals Vulnerabilities in ‘Commonly Used’ Bitcoin ATMs
Kraken’s Security Labs, the cybersecurity arm of crypto exchange Kraken, has identified several vulnerabilities in the commonly used General Bytes BATMtwo Bitcoin ATM.
“Our team found that a large number of ATMs are configured with the same default admin QR code, allowing anyone with this QR code to walk up to an ATM and compromise it,” the Kraken Security Labs team wrote in a blog post disclosing the vulnerabilities.
“Our team also found a lack of secure boot mechanisms, as well as critical vulnerabilities in the ATM management system,” Kraken added.
Kraken’s discoveries have both hardware and software ramifications for the General Bytes machines.
According to Kraken, the General Bytes BATMtwo ATM has only a single compartment, protected by a lock.
“Bitcoin ATMs are a convenient way to purchase crypto – but are they safe? Kraken Security Labs discovered flaws in one major ATM fleet. Learn more: https://t.co/sYmYY1PUMx” — Kraken Exchange (@krakenfx), September 29, 2021
“Bypassing it provides direct access to the full internals of the device,” Kraken said, adding that an attacker could “compromise the cash box, embedded computer, webcam and fingerprint reader.”
When it comes to software, Kraken found that “many common security features were lacking.”
By attaching a USB keyboard to the BATMtwo, it was possible to gain full access to the user interface. This, in theory, would allow would-be attackers to install applications, copy files, or even have the device send private keys to the attacker.
Kraken provided a series of remedies for both users and owners or operators of Bitcoin ATMs.
Should you wish to use a Bitcoin ATM, Kraken advises that you only use those which are in stores you trust, and ensure that they have “perimeter protections” like surveillance cameras.
For owners and operators of General Bytes’ Bitcoin ATMs, Kraken suggests changing the default QR admin code, placing the ATM in a location where there are security controls, and following General Bytes’ “best practices.”
30 September 2021 09:48