Kraken Security Labs has said that “a large number” of Bitcoin ATMs are vulnerable to hacking because administrators never change the default admin QR code.
In a blog post on September 29th, Kraken published an investigation by its Security Labs team that shows that there are “multiple hardware and software vulnerabilities” in the area of General Bytes BATMTwo ATM.
“Many attack vectors have been found through standard admin QR codes, Android operating system software, ATM management systems and even the machine’s hardware shell,” the post said.
The Kraken security team claims that if a hacker can get the admin code, they can essentially “go to an ATM and compromise it,” suggesting problems with BATMtwo’s lack of a secure boot mechanism and “serious vulnerabilities “refers. in the ATM management system. However, General Bytes reported that ATM owners were warned of the vulnerabilities:
“Kraken Security Labs reported the vulnerabilities to General Bytes on April 20, 2021, released patches for the backend system (CAS) and notified their customers, but the full fixes for some issues may still require hardware changes.”
The team also discovered that by simply plugging a USB keyboard into the machine they could get full access to the Android operating system behind the BATMTwo ATM, and warned that “everyone” could install apps, copy files, or engage in other malicious activity could. “
General Bytes is headquartered in the Czech Republic and, according to Coin ATM Radar, there are currently 6391 General Bytes ATMs installed worldwide, which is 22.7% of the world market. However, these numbers also relate to the BATMThree machines not reported by Kraken.
Most of the BATM ATMs are located in the United States and Canada with a total of around 5,300, while there are around 824 ATMs installed in Europe.
Kraken urges the owners and operators of BATMTwo to change the default QR admin code, update the CAS server, and place ATMs in visible locations for security cameras.
Related: Data shows that El Salvador ranks third in Bitcoin ATM installations worldwide
Bitcoin ATM fraud
Although there have been few reports of Bitcoin ATMs being hacked, there is still a story of crafty individuals carrying out scams around crypto ATMs.
In March 2019, the Toronto Police Department issued a public statement calling on the community to track down 4 men suspected of having engaged in a series of “double-spending” transactions that resulted in a monetary amount within 10 days of $ 150,000. Double spend transactions will be voided before the ATM has a chance to confirm but keep the money spread out.
The Oakland Press reported in June. That year, two Berkley women were defrauded for a total of $ 15,000 after scammers posed as public safety and federal employees. The scammers told victims they wanted arrest warrants and tax violations and asked them to pay the fines through local bitcoin ATMs in the area.
And Malwarebytes published an investigation in August that uncovered a trend in Bitcoin ATM fraud at gas stations, where people threatened to post fake job advertisements to lure applicants into money laundering.