Bitcoin ATMs are becoming a popular fixture in major cities around the world. With the growth of bitcoin has come to the increased installations of automated teller machines where people can purchase bitcoin on the go. There are currently at least 26,000 bitcoin ATMs installed around the world. But the vast majority of these ATMs (over 80%) are located in the United States. This is due to the high rate of technological adoption in the country.
As Bitcoin ATMs have become a more accepted form of purchase, Kraken Security Labs took it upon itself to investigate the safety of these machines. Its investigation led to the discovery of some alarming vulnerabilities in some of the crypto ATMs currently deployed around the world. More specifically, the General Bytes bitcoin ATMs possess a security vulnerability that could be exploited by anyone with access to the admin code.
Kraken Security Labs discovered that the General Bytes BATMtwo (GBBATM2) ATM, which is one of the most widely used crypto ATMs, featured a number of attack vectors in its admin QR code. This code is given to ATM owners on purchase to set up their machines. The default administrative QR code is then scanned on the machine and a password is required to be set on each ATM via the backend system.
Through inspecting various used ATMs which the Kraken Security Labs teams had purchased, they discovered that none of these ATMs had had a password set up and thus still used the default administrative code sent with the ATMs. This would otherwise not pose a problem. But the lab discovered that the same admin QR code had been set for all of the bitcoin ATMs from General Bytes. This would enable anyone with access to the administrative QR key to compromise any ATM machine that did not have the default code changed to a unique password.
BTC price recovers above $47K | Source: BTCUSD on TradingView.com
Security Labs said that it had notified the General Bytes team of this vulnerability back in April when it had first uncovered it and multiple patches had been released for the backend system (CAS). But that full fixes were yet to be implemented as they would require “hardware revisions.”
In light of full fixes yet to be released to address these vulnerabilities, the Kraken Security Labs warned the public to be very careful when it comes to carrying out transactions on bitcoin ATMs. Users are advised to make sure that the machines they are using are trusted machines. Furthermore, users should be very conscious of their surroundings and look for ATMs with surveillance cameras where there was no undetected access to the ATMs.
In addition, investors are advised to avoid using these ATMs when possible due to these vulnerabilities. As the findings by Kraken Security Labs show that these machines can be exploited at both a hardware and a software level.
Featured image from Quartz, chart from TradingView.com