Bitcoin Forum
Author Topic: [2021-09-30] Kraken Security Labs Identifies Vulnerabilities In Bitcoin ATMs  (Read 65 times)
DaveF (OP)
October 03, 2021, 10:52:09 PM
 #1

https://blog.kraken.com/post/11263/kraken-security-labs-identifies-vulnerabilities-in-commonly-used-bitcoin-atm/

Quote
Kraken Security Labs has uncovered multiple hardware and software vulnerabilities in a commonly used cryptocurrency ATM: The General Bytes BATMtwo (GBBATM2). Multiple attack vectors were found through the default administrative QR code, the Android operating software, the ATM management system and even the hardware case of the machine.

But here is the fun part

Quote
Kraken Security Labs reported the vulnerabilities to General Bytes on April 20, 2021, they released patches to their backend system (CAS) and alerted their customers, but full fixes for some of the issues may still require hardware revisions. 

So I want to start a betting pool, how long will these old machines that need hardware updates be sitting out in the field being used?
Yes, I know this is not just a BATM thing, there have been dozens of ATM hacks over the years and vulnerable ATMs are still out there.
But, in the end it's the users who pay the price for operators not caring and manufacturers not doing their job in checking security.

-Dave

NeuroticFish
October 04, 2021, 08:54:47 AM
 #2

Quote
So I want to start a betting pool, how long will these old machines that need hardware updates be sitting out in the field being used?
Yes, I know this is not just a BATM thing, there have been dozens of ATM hacks over the years and vulnerable ATMs are still out there.
But, in the end it's the users who pay the price for operators not caring and manufacturers not doing their job in checking security.

I don't expect all those ATM operators are skilled enough for that.
I expect that some are also lazy enough to not act.
All those machines will run until they become commercially inefficient and the fees won't cover the hacks. I expect it'll take quite a while...

People still use ATMs despite the high fees because it's about anonymity in many (most) cases. Hence they cover for those hacks too.

SFR10
October 04, 2021, 06:43:28 PM
 #3

Quote
how long will these old machines that need hardware updates be sitting out in the field being used?

Probably forever [thanks to GeneralBytes for not mentioning anything about it on their Telegram channel] or until someone exploits the hardware vulnerability in question.
- It's worth noting that it took GeneralBytes four months to inform its operators about the "admin key" problem:

  • Dear operators,
    We have received reports that many of you still use the default administration key that you received from factory.
    If you do so, please change it immediately. CAS also contains functionality to change administration key on machines in bulk. If you find yourself having issue to find this functionality please contact our support. Thank you.

Having said that, it appears that they could easily fix the "tamper detection" part with some sort of wireless tamper sensor [e.g. something like this].

DaveF (OP)
October 05, 2021, 11:11:58 AM
 #4


Quote
Having said that, it appears that they could easily fix the "tamper detection" part with some sort of wireless tamper sensor [e.g. something like this].

For most ATMs (not BATM) the tamper protection is also part of the hardware, so if you break into the ATM, it is supposed to lock down hard, send an alert AND on the bigger & better ones dye-packs the money.

Almost none of them do it well or even properly, but at least they recognize the fact that it can and will happen.
From what I have seen from BATMs, physical security is an afterthought.

-Dave
