Bitcoin ATMs offer a convenient and friendly way for consumers to purchase cryptocurrencies. That ease of use can sometimes come at the expense of security.
Kraken Security Labs has uncovered multiple hardware and software vulnerabilities in a commonly used cryptocurrency ATM: The General Bytes BATMtwo (GBBATM2). Multiple attack vectors were found through the default administrative QR code, the Android operating software, the ATM management system and even the hardware case of the machine.
Our team found that a large number of ATMs are configured with the same default admin QR code, allowing anyone with this QR code to walk up to an ATM and compromise it. Our team also found a lack of secure boot mechanisms, as well as critical vulnerabilities in the ATM management system.
Kraken Security Labs has two goals when we uncover crypto hardware vulnerabilities: to create awareness for users around potential security flaws and alert the product manufacturers so they can remedy the issue. Kraken Security Labs reported the vulnerabilities to General Bytes on April 20, 2021, they released patches to their backend system (CAS) and alerted their customers, but full fixes for some of the issues may still require hardware revisions.
In the below video, we briefly demonstrate how malicious attackers can exploit vulnerabilities in the General Bytes BATMtwo cryptocurrency ATM.
By reading on, Kraken Security Labs outlines the exact nature of these security risks to help you better understand why you should exercise caution before using these machines.
Before you use a cryptocurrency ATM
- Only use cryptocurrency ATMs in locations and stores you trust.
- Make sure the ATM has perimeter protections, such as surveillance cameras, and that undetected access to the ATM is unlikely.
If you own or operate BATMs
- Change the default QR admin code if you didn’t do so during the initial setup.
- Update your CAS server and follow General Bytes’ best practices.
- Place ATMs in locations with security controls, like surveillance cameras.
One QR Code to Rule Them All
When an owner receives the GBBATM2, they are instructed to set up the ATM with an “Administration Key” QR-code that must be scanned on the ATM. The QR code containing a password must be set separately for each ATM in the backend system:
However, when reviewing the code behind the admin interface, we found that it contains a hash of a default factory setting administration key. We purchased multiple used ATMs from different sources and our investigation revealed that each had the same default key configuration.
This implies that a significant number of GBBATM2 owners were not changing the default admin QR code. At the time of our testing, there was no fleet management for the administration key, meaning each QR code must be changed manually.
Therefore, anyone could take over the ATM through the administration interface by simply changing the ATMs management server address.
The Hardware
No Compartmentalization and Tamper Detection
The GBBATM2 only has a single compartment that is protected by a single tubular lock. Bypassing it provides direct access to the full internals of the device. This also places significant additional trust in the person that replaces the cashbox, as it’s easy for them to backdoor the device.
The device contains no local or server-side alarm to alert others that the internal components are exposed. At this point, a would-be attacker could compromise the cash box, embedded computer, webcam and fingerprint reader.
The Software
Insufficient Lockdown of Android OS
The Android operating system of the BATMtwo lacks many common security features as well. We found that by attaching a USB keyboard to the BATM, gaining direct access to the full Android UI is possible – allowing anyone to install applications, copy files or conduct other malicious activities (such as sending private keys to the attacker). Android supports a “Kiosk Mode” that would lock the UI into a single application — which could prevent a person from accessing other areas of the software, however this was not enabled on the ATM.
No Firmware/Software Verification
The BATMtwo contains an NXP i.MX6-based embedded computer. Our team found that the BATMtwo does not make use of the secure-boot functionality of the processor, and that it can be reprogrammed simply by plugging a USB cable into a port on the carrier board and turning the computer on while holding down a button.
In addition, we found that the bootloader of the device is unlocked: Simply connecting a serial adapter to the UART port on the device is enough to gain privileged access to the bootloader.
It should be noted that the secure-boot process of a lot of i.MX6 processors is vulnerable to an attack, however newer processors with the vulnerability patched are on the market (though they might be lacking availability given the global chip-shortage).
No Cross-Site Request Forgery Protections in the ATM Backend
BATM ATMs are managed using a “Crypto Application Server” – a management software that can be hosted by the operator, or licensed as SaaS.
Our team found the CAS does not implement any Cross-Site Request Forgery protections, making it possible for an attacker to generate authenticated requests to the CAS. While most endpoints are somewhat protected by very difficult to guess IDs, we were able to identify multiple CSRF vectors that can successfully compromise the CAS.
Use Caution and Explore Alternatives
The BATM cryptocurrency ATMs prove to be an easy alternative for people to purchase digital assets. However, the security of these machines remains in question due to known exploits in both their hardware and software.
Kraken Security Labs recommends that you only use a BATMtwo at a location you trust.
Check out our online security guide to learn more about how to protect yourself when making crypto transactions.
