Kraken Security Labs has said that a “large number” of Bitcoin ATMs are vulnerable to hacking because the administrators never changed the default Admin QR code.
In a blog post on September 29th, Kraken published an investigation by its Security Labs team that revealed that there are “multiple hardware and software vulnerabilities” in the area of General Bytes BATMTwo ATM.
“Several attack vectors were found through the standard administrative QR code, the Android operating system software, the ATM management system and even the machine’s hardware enclosure,” the post said.
The Kraken security team stated that if a hacker gets their hands on the management code, they can essentially “go to an ATM and compromise it,” while also having problems with the BATMtwo’s lack of secure boot mechanisms and “critical vulnerabilities.” “Highlights. in the ATM management system. However, General Bytes has reportedly made ATM owners aware of the vulnerabilities:
“Kraken Security Labs reported the vulnerabilities to General Bytes on April 20, 2021, released patches for their backend system (CAS), and notified their customers, but full fixes for some of the issues may still require hardware revisions.”
The team also found that by simply plugging a USB keyboard into the machine they could get full access to the Android operating system behind the BATMTwo ATM, and warned that “anyone” could “install applications, copy files, or do other malicious things Activities “. ”
General Bytes is headquartered in the Czech Republic and, according to Coin ATM Radar, there are currently 6391 General Bytes ATMs installed worldwide, which is 22.7% of the world market. However, those numbers also relate to BATMThree machines, which Kraken did not report on.
The majority of BATM ATMs are located in the US and Canada, around 5,300 combined, while there are around 824 ATMs installed in Europe.
Kraken urges the owners and operators of BATMTwo to change the default QR admin code, update the CAS server and place the ATMs in places that are visible for security cameras.
Related: El Salvador ranks third in Bitcoin ATM installations worldwide, data discoveries
Bitcoin ATM scams
While reports of Bitcoin ATMs hacked seem minimal, there is a story of crafty individuals building scams around crypto ATMs.
In March 2019, Toronto Police issued a public statement calling on the community to track down four men suspected of engaging in a series of “double-spending” transactions that took money over a 10-day period raised $ 150,000. Double spend consists of voiding transactions before the ATM has had a chance to confirm but keep the money spent.
The Oakland Press reported in June. 22 that year, two Berkley women were defrauded of a combined $ 15,000 after scammers posed as public safety officers and federal servants. The scammers reportedly told victims they had pending arrest warrants and tax violations, and asked them to pay fines through local bitcoin ATMs in the area.
And Malwarebytes published an investigation in August that uncovered a trend in Bitcoin ATM fraud at gas stations, with threat actors posting fake job advertisements to mislead applicants into money laundering.