In a blog post, Kraken revealed some software and hardware security issues with a commonly used model of Bitcoin ATMs. The exchange wrote:
Kraken Security Labs has uncovered multiple hardware and software vulnerabilities in a commonly used cryptocurrency ATM: The General Bytes BATMtwo (GBBATM2). Multiple attack vectors were found through the default administrative QR code, the Android operating software, the ATM management system and even the hardware case of the machine.
Owners must set ATM passwords separately for each machine
When someone gets an ATM, they have to set it up with an “Administration Key” QR code. This code has to be scanned on the ATM. The code with its password must be set for each machine separately in the backend system. Upon reviewing the code, Kraken found that it contained a simple hash of a default factory setting. They bought several used ATMs from different vendors and found each had the same default key configuration.
Anyone can take the ATM over
Apparently, many GBBATM2 operators never change the default QR code. Each code has to be changed manually because, in Kraken's testing, no fleet management for the administration key existed. This means anyone with the default code can change the ATM management server address and take the ATM over through the administration interface. Kraken also detected crucial weaknesses in the ATM management system and a lack of secure boot mechanisms.
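The fleet-wide default key is the core of the finding above, and the absence of fleet management for the administration key means an operator has to check each machine. The following is an added example (not Kraken's or General Bytes' code) of the audit a defender running several machines would want: it takes an inventory mapping each ATM serial to a hash of its administration key, flags machines still on a known default and machines sharing a key, and rotates the flagged ones to unique high-entropy keys. The serials, keys and the "factory default" value are constructed placeholders, not real values.

```python
"""Fleet audit for default or shared ATM administration keys.

Added example, not vendor code. Assumes the operator keeps an inventory of
ATM serial -> SHA-256 hash of that machine's administration key. Every
serial, key and default value here is a constructed placeholder.
"""
import hashlib
import secrets
from collections import defaultdict

# Constructed placeholder standing in for a known factory-default admin key.
DEFAULT_ADMIN_KEY = "factory-default-admin-key-PLACEHOLDER"


def key_hash(admin_key: str) -> str:
    """Hash an admin key so the inventory never stores the key itself."""
    return hashlib.sha256(admin_key.encode("utf-8")).hexdigest()


def audit_fleet(inventory: dict, default_hashes: set) -> dict:
    """Flag machines on a default key and machines that share a key.

    Returns {"default": [serials...], "shared": {hash: [serials...]}}.
    Shared keys are reported only when they are not already a default,
    so each machine appears under one finding.
    """
    on_default = sorted(s for s, h in inventory.items() if h in default_hashes)
    by_hash = defaultdict(list)
    for serial, h in inventory.items():
        by_hash[h].append(serial)
    shared = {h: sorted(serials) for h, serials in by_hash.items()
              if len(serials) > 1 and h not in default_hashes}
    return {"default": on_default, "shared": shared}


def new_admin_key() -> str:
    """Generate a unique, high-entropy administration key for one machine."""
    return secrets.token_urlsafe(32)


def rotate_flagged(inventory: dict, findings: dict) -> dict:
    """Return a new inventory where every flagged machine gets a fresh key.

    The new keys themselves would be delivered out of band to each machine;
    only their hashes go back into the inventory.
    """
    flagged = set(findings["default"])
    for serials in findings["shared"].values():
        flagged.update(serials)
    rotated = dict(inventory)
    for serial in flagged:
        rotated[serial] = key_hash(new_admin_key())
    return rotated


# Constructed sample fleet: two machines still on the default key,
# two sharing one operator-chosen key, one with a unique key.
SAMPLE_FLEET = {
    "ATM-0001": key_hash(DEFAULT_ADMIN_KEY),
    "ATM-0002": key_hash(DEFAULT_ADMIN_KEY),
    "ATM-0003": key_hash("operator-key-A"),
    "ATM-0004": key_hash("operator-key-A"),
    "ATM-0005": key_hash("operator-key-B"),
}
KNOWN_DEFAULTS = {key_hash(DEFAULT_ADMIN_KEY)}

if __name__ == "__main__":
    findings = audit_fleet(SAMPLE_FLEET, KNOWN_DEFAULTS)
    print("still on default key:", findings["default"])
    print("sharing a key:", findings["shared"])
    fixed = rotate_flagged(SAMPLE_FLEET, findings)
    print("after rotation:", audit_fleet(fixed, KNOWN_DEFAULTS))
```

Hashing the inventory rather than storing keys means the audit can run from a read-only copy of the fleet records, and adding more known-default hashes to `KNOWN_DEFAULTS` (for instance after a vendor advisory) re-flags any machine that was reset to factory settings.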
While manufacturer General Bytes has released patches for the backend system, Kraken believes hardware revisions may be needed as well.
Tips before using a cryptocurrency ATM
Kraken also provides tips for using crypto ATMs, such as making sure the ATM has cameras and other perimeter protection. You should only use machines in trusted locations. Those who own or operate BATMs must always change the default QR admin code, follow the manufacturer’s best practices, and keep their CAS server updated. ATMs must always be placed in locations with security controls.
According to data from Coin ATM Radar, General Bytes is the second-biggest BATM manufacturer with just under 23% of the global market. By the middle of this year, the number of crypto ATMs installed around the world had grown by more than 70% to 24,030, up 120% from the whole of 2020, according to Coin ATM Radar. 75 countries have crypto ATMs. In July 2021, more than 21,000 of them were in the U.S.