A recent report from Kraken Security Labs says that a “large number” of Bitcoin ATMs are vulnerable to hacking because their administrators have never changed the default admin QR code.
The ATMs in question are those in the General Bytes BATMtwo range, which the report says have “multiple hardware and software vulnerabilities.” The Kraken blog post added, “Multiple attack vectors were found through the default administrative QR code, the Android operating software, the ATM management system and even the hardware case of the machine.”
All a wannabe hacker needs to do, according to Kraken, is find the administrative QR code; they can then approach any of the ATMs and compromise it. The blog also looks at the BATMtwo’s lack of secure boot mechanisms, as well as “critical vulnerabilities” in the ATM’s management system.
The Kraken team also discovered that they were able to gain full access to the Android operating system behind the BATMtwo ATM by simply attaching a USB keyboard to the machine, and warned that “anyone” could “install applications, copy files or conduct other malicious activities.”
To be fair to General Bytes, they have reportedly already alerted ATM owners to the vulnerabilities, which Kraken reported to them back in April 2021. In a statement, General Bytes said, “Kraken Security Labs reported the vulnerabilities to General Bytes on April 20, 2021, they released patches to their backend system (CAS) and alerted their customers, but full fixes for some of the issues may still require hardware revisions.”
General Bytes has 6,391 ATMs installed worldwide. The majority are in the USA and Canada (5,300), with Europe having only 824 of their machines. The Czech-based company has around 22.7% of the crypto ATM market, which is significant.
As we know, there are people in this world who will try any type of scam, and Bitcoin ATMs have featured previously. In Toronto, the police alerted the public to a series of “double-spending” transactions at crypto ATMs in the city that fetched $150,000 worth of funds over a 10-day period. This is a scam where the perpetrator cancels a transaction before the ATM can confirm it, but as the machine has already dispensed the money, the scammer gets to keep it.
As with any ATM, users need to be ever vigilant, because the more crypto ATMs there are, the harder criminals will work at trying to rob them, and in ways we haven’t even seen yet.