[HN Gopher] Kraken Security Labs Identifies Vulnerabilities in C...
___________________________________________________________________
Kraken Security Labs Identifies Vulnerabilities in Commonly Used
Bitcoin ATM
Author : 2bluesc
Score : 70 points
Date : 2021-09-29 14:34 UTC (8 hours ago)
(HTM) web link (blog.kraken.com)
| easymovet wrote:
| Why is HN Bitcoin news biased toward FUD?
| gpcr1949 wrote:
| Interestingly, my location has some monero ATMs that take cash,
| and the 10% or so fee (and apparently - various vulnerabilities)
| seems well worth it for what is by all measures a quite low
| effort hands-off way to get money that is quite anonymous, at
| least for most low key purposes, such as small recreational drug
| orders etc.
| vmception wrote:
| and do what? the article lacks any inspiration, like it says you
| can get into the admin panel, but what does the admin panel let
| you do? can you change a subtle address to get some of the
| bitcoin fees for yourself? raise the fees to 100%?
|
| the article then mentions some stuff like access to the
| bootloader, which of course means you could flash a more capable
| admin panel into it that lets you do way more, like take everyone's
| bitcoin
|
| but what about the default admin panel?
| gizdan wrote:
| I mean all of that tells me that you could do whatever you
| really want. Never mind the admin panel, even if it won't let
| you change the wallet, overwriting the firmware would certainly
| allow you to change the wallet where Bitcoins go.
| vmception wrote:
| yeah I know, I already covered that
|
| > the article then mentions some stuff like access to the
| bootloader, which of course means you could flash a more
| capable admin panel into it that lets you do way more, like take
| everyone's bitcoin
|
| I was just wondering why they would spend so much time
| talking about the lower effort stuff, if it doesn't do
| anything. I'm sure it does something bad, but I can't go over
| to my convenience store and say "someone might change the
| convenience fee to a slightly higher percentage!" to get them
| to do anything, if that's the extent of the attack surface for
| just the admin panel if it's already surveilled, so it's useful
| to be able to say exactly why
|
| I can imagine social engineering would allow a fake
| technician to come and service the machine though, with a hat
| and a voluntary personal mask mandate not being conspicuous
| right now. It would look so much more official to have a
| bunch of cables and computer doing a firmware flash lol.
| anonu wrote:
| > Commonly Used Bitcoin ATM
|
| Really? How common are Bitcoin ATMs? And if they are
| geographically common, how often are people using them beyond the
| novelty factor?
| carrja99 wrote:
| I live in Missouri and witnessed an elderly woman withdraw cash
| from one at the mall some time ago. Was really floored by that
| one!
| latchkey wrote:
| Coinstar has one in many major supermarkets in the US.
|
| https://www.coinstar.com/bitcoin
|
| You notice these in other countries quite a bit. Makes it super
| easy to buy crypto with local currency. Makes it easier to
| travel with more than 10k cash... no declarations at the
| airport, no risk of being robbed of cash.
|
| Makes it easier for locals to send and receive money from
| abroad.
| xur17 wrote:
| Fees weren't great, but I used one of these for cash on an
| international trip when I forgot my ATM card.
| wcoenen wrote:
| "Commonly used" is not referring to the number, or usage, of
| Bitcoin ATMs out there. It is referring to the fact that a
| large fraction of the existing Bitcoin ATMs are "General Bytes
| BATMtwo (GBBATM2)" machines.
| Geee wrote:
| There are quite many. https://coinatmradar.com
| ravenstine wrote:
| There's a bunch of them where I live (I'm in LA area though),
| including the 7-Eleven right down the street from my house. I
| used it when I was first trying to learn about Bitcoin but
| haven't used it for a practical reason yet; financially, it
| makes more sense to use Local Coin Swap if you don't need
| physical cash.
| xanaxagoras wrote:
| It's the easiest way to stack sats without forking over your
| government ID.
| ProjectArcturis wrote:
| There's one near my office and I often see people who are
| probably drug dealers feed stacks of hundred dollar bills into
| it.
| NavinF wrote:
| They're commonly found at hackerspaces.
| madars wrote:
| It would be interesting to compare this with other low-hanging
| fruit attack vectors. If you already have physical access, what
| velocity controls are in place to prevent me from just
| repeatedly running cash through the ATM to clear out the entire
| wallet? vmception is right that long game attacks are way more
| interesting.
| reedjosh wrote:
| > running cash through the ATM to clear out the entire wallet?
|
| Just guessing, but the machine probably scans the serial
| numbers on bills.
| thebean11 wrote:
| That doesn't help too much, does it? Since you aren't
| permanently losing the money, using a few tens of thousands in
| cash isn't such a big deal.
| reedjosh wrote:
| True, but at least you would need unique bills to run
| through, and law enforcement can then track those bills.
| KirillPanov wrote:
| Law enforcement can laugh at you when asked to track
| those bills...
| scoofy wrote:
| This has always been my #1 reason I'll never get into crypto. My
| bank has insurance, my physical assets aren't accessible to
| people on the internet. I likely won't lose my entire life
| savings simply because I either forget my password or I use one,
| single, vulnerable device, ever. (Yes, I fully realize you
| crypto-millionaires took a small risk and won big, and kudos to
| you)
|
| The benefit of institutions is that they are able to plan for
| failure within their system. Yes, this comes with some costs
| attached, but the costs associated with decentralized and nearly
| unregulatable commodity markets have not even begun to surface.
| thebean11 wrote:
| If you can lose your currency by forgetting a password or using
| the wrong device then you set things up incorrectly IMO. There
| are good ways of doing things where your keys stay on a device,
| or are only exposed to an offline machine with no network or
| persistent storage.
|
| Obviously it gets a little more technical, that's why services
| that manage the keys for you are so popular.
| sleepybrett wrote:
| This is probably good for bitcoin.
___________________________________________________________________
(page generated 2021-09-29 23:01 UTC)