https://blog.kraken.com/post/11263/kraken-security-labs-identifies-vulnerabilities-in-commonly-used-bitcoin-atm/ * Twitter * Facebook Search kraken exchange Kraken Blog News and market reports from Kraken Digital Asset Exchange Menu Skip to content * Home * About * Visit Kraken.com * Engineering * Kraken Intelligence * Security Labs Kraken Security Labs Identifies Vulnerabilities In Commonly Used Bitcoin ATM * by KrakenFX * Posted on September 29, 2021September 29, 2021 [KSL-Bitcoin-ATM] Bitcoin ATMs offer a convenient and friendly way for consumers to purchase cryptocurrencies. That ease of use can sometimes come at the expense of security. Kraken Security Labs has uncovered multiple hardware and software vulnerabilities in a commonly used cryptocurrency ATM: The General Bytes BATMtwo (GBBATM2). Multiple attack vectors were found through the default administrative QR code, the Android operating software, the ATM management system and even the hardware case of the machine. Our team found that a large number of ATMs are configured with the same default admin QR code, allowing anyone with this QR code to walk up to an ATM and compromise it. Our team also found a lack of secure boot mechanisms, as well as critical vulnerabilities in the ATM management system. Kraken Security Labs has two goals when we uncover crypto hardware vulnerabilities: to create awareness for users around potential security flaws and alert the product manufacturers so they can remedy the issue. Kraken Security Labs reported the vulnerabilities to General Bytes on April 20, 2021, they released patches to their backend system (CAS) and alerted their customers, but full fixes for some of the issues may still require hardware revisions. In the below video, we briefly demonstrate how malicious attackers can exploit vulnerabilities in the General Bytes BATMtwo cryptocurrency ATM. By reading on, Kraken Security Labs outlines the exact nature of these security risks to help you better understand why you should exercise caution before using these machines. Before you use a cryptocurrency ATM 1. Only use cryptocurrency ATMs in locations and stores you trust. 2. Make sure the ATM has perimeter protections, such as surveillance cameras, and that undetected access to the ATM is unlikely. If you own or operate BATMs 1. Change the default QR admin code if you didn't do so during the initial setup. 2. Update your CAS server and follow General Bytes' best practices. 3. Place ATMs in locations with security controls, like surveillance cameras. One QR Code to Rule Them All [1-1024x576]Scanning a QR code is all it takes to take over a lot of BATMs. When an owner receives the GBBATM2, they are instructed to set up the ATM with an "Administration Key" QR-code that must be scanned on the ATM. The QR code containing a password must be set separately for each ATM in the backend system: [2-1024x362] However, when reviewing the code behind the admin interface, we found that it contains a hash of a default factory setting administration key. We purchased multiple used ATMs from different sources and our investigation revealed that each had the same default key configuration. This implies that a significant number of GBBATM2 owners were not changing the default admin QR code. At the time of our testing, there was no fleet management for the administration key, meaning each QR code must be changed manually. [3-1024x136] Therefore, anyone could take over the ATM through the administration interface by simply changing the ATMs management server address. [4-1024x575] The Hardware No Compartmentalization and Tamper Detection The GBBATM2 only has a single compartment that is protected by a single tubular lock. Bypassing it provides direct access to the full internals of the device. This also places significant additional trust in the person that replaces the cashbox, as it's easy for them to backdoor the device. The device contains no local or server-side alarm to alert others that the internal components are exposed. At this point, a would-be attacker could compromise the cash box, embedded computer, webcam and fingerprint reader. [5-1024x683]Inside a crypto ATM: Off-the-shelf components such as a Microsoft webcam, the bill acceptor, and the custom carrier board. The Software Insufficient Lockdown of Android OS The Android operating system of the BATMtwo lacks many common security features as well. We found that by attaching a USB keyboard to the BATM, gaining direct access to the full Android UI is possible - allowing anyone to install applications, copy files or conduct other malicious activities (such as sending private keys to the attacker). Android supports a "Kiosk Mode" that would lock the UI into a single application -- which could prevent a person from accessing other areas of the software, however this was not enabled on the ATM. [6-1024x683]A keyboard and USB drive are all that is needed to gain root access to the ATM once it's opened. No Firmware/Software Verification [7-1024x622]The embedded computer in the BATMtwo: A Variscite i.MX6 SoM with a custom carrier board. The BATMtwo contains an NXP i.MX6-based embedded computer. Our team found that the BATMtwo does not make use of the secure-boot functionality of the processor, and that it can be reprogrammed simply by plugging a USB cable into a port on the carrier board and turning the computer on while holding down a button. In addition, we found that the bootloader of the device is unlocked: Simply connecting a serial adapter to the UART port on the device is enough to gain privileged access to the bootloader. It should be noted that the secure-boot process of a lot of i.MX6 processors is vulnerable to an attack, however newer processors with the vulnerability patched are on the market (though they might be lacking availability given the global chip-shortage). No Cross-Site Request Forgery Protections in the ATM Backend BATM ATMs are managed using a "Crypto Application Server" - a management software that can be hosted by the operator, or licensed as SaaS. Our team found the CAS does not implement any Cross-Site Request Forgery protections, making it possible for an attacker to generate authenticated requests to the CAS. While most endpoints are somewhat protected by very difficult to guess IDs, we were able to identify multiple CSRF vectors that can successfully compromise the CAS. [8-1024x513] Use Caution and Explore Alternatives The BATM cryptocurrency ATMs prove to be an easy alternative for people to purchase digital assets. However, the security of these machines remains in question due to known exploits in both their hardware and software. Kraken Security Labs recommends that you only use a BATMtwo at a location you trust. Check out our online security guide to learn more about how to protect yourself when making crypto transactions. Share this: * Twitter * Facebook * Like this: Like Loading... Posted in Security Labs Post navigation Prev Kraken Daily Market Report for September 27 2021 Next Kraken Daily Market Report for September 28 2021 Subscribe to Blog via Email Enter your email address to subscribe to this blog and receive notifications of new posts by email. Email Address [ ] Subscribe Categories * Education (11) + Crypto 101 (4) + Crypto Security Guide (5) * Engineering (3) * Kraken Futures (4) * Kraken Intelligence (48) * Security Labs (16) * | Kraken News (284) + Announcements (169) + Products (78) + Security (17) * | Market Reports (1,501) + Daily Market Reports (1,464) + Weekly Market Reports (37) Translate [Close and accept] Privacy & Cookies: This site uses cookies. By continuing to use this website, you agree to their use. To find out more, including how to control cookies, see here: Cookie Policy Pages * About * Archive RSS Feeds * All Topics * | Kraken News * | Market Reports Social * View krakenfx's profile on Facebook * View @krakenfx's profile on Twitter About Kraken is the world's largest global digital asset exchange based on euro volume and liquidity. Globally, Kraken's client base trades more than 90 digital assets and 7 different fiat currencies, including EUR, USD, CAD, GBP, JPY, CHF and AUD. Kraken was founded in 2011 and was the first U.S. crypto firm to receive a state-chartered banking license, as well as one of the first exchanges to offer spot trading with margin, regulated derivatives and index services. Kraken is trusted by more than 7 million traders, institutions and authorities around the world and offers professional, round the clock online support. Kraken is backed by investors including Tribe Capital, Hummingbird Ventures, Blockchain Capital and Digital Currency Group, among others. For more information about Kraken, please visit www.kraken.com. * [(An Hao Zi Chan An Hao Zi Chan nooQu Yin niGuan suruZhong Yao Shi Xiang )] #An Hao Zi Chan haBen Bang Tong Huo You haWai Guo Tong Huo toYi narimasu. #An Hao Zi Chan noJia Ge haBian Dong surutame, Sun Shi gaSheng ziruChang He gaarimasu. #Mi Mi Jian woShi tsutaChang He , Bao You suruAn Hao Zi Chan woLi Yong su rukotogadekizu, Jia Zhi gaShi waremasu. #An Hao Zi Chan ha, Yi Zhuan Ji Lu noShi Zu mino Po Zhan Deng niyori, Jia Zhi gaShi wareruChang He gaarimasu. #An Hao Zi Chan haDui Jia noBian Ji woShou keruZhe noTong Yi gaaruChang He niXian riDui Jia noBian Ji notameniShi Yong surukotoga dekimasu. Search for: [ ] Search x Loading Comments... You must be logged in to post a comment. %d bloggers like this: