Bitcoin Forum
Topic: Hackers exploit zero day bug to steal from General Bytes Bitcoin ATMs
Darker45 (OP)
August 22, 2022, 03:41:48 AM
Merited by stompix (2)
 #1

General Bytes, the second largest Bitcoin ATM manufacturer in the world, has fallen victim to hackers. The hackers took advantage of a vulnerability which made them gain access to its server. The hackers, then, added themselves as default admins. As a result, the hackers were able to change certain settings of the server which directed all funds going into the ATMs to end up in their wallet address. General Bytes has 8,827 Bitcoin ATMs under its name.

No figures were released yet as to the amount stolen and ATMs compromised. For now, server updates are urgently required. Until then, clients are advised to refrain from using General Bytes ATMs.

In general, and for the purpose of discussion, Bitcoin ATMs are not really a safe and best way to buy or sell Bitcoin. Not only are you doing the transaction in open public, you are also most likely imposed with a high premium, and you are also exposing yourself to a number of both hardware and software vulnerabilities. Bitcoin ATMs could have a number of attack points that should make you consider safety over convenience.


Sources:

1. https://cointelegraph.com/news/hackers-exploit-zero-day-bug-to-steal-from-general-bytes-bitcoin-atms
2. https://www.coindesk.com/learn/what-you-need-to-know-before-buying-bitcoin-at-an-atm/
3. https://blog.kraken.com/post/11263/kraken-security-labs-identifies-vulnerabilities-in-commonly-used-bitcoin-atm/

NotATether
August 22, 2022, 04:27:44 AM
 #2

Wasn't their platform audited before they started business? ATM software in particular are more in need of it than others since their client versions often stay put.

Poker Player
August 22, 2022, 05:54:56 AM
 #3

I don't quite understand how these kinds of hacks happen. Probably because the Bitcoins are held in a web wallet instead of a hardware wallet, I understand.  I imagine this automates the process instead of someone having to physically handle the hardware wallet to send Bitcoins when someone pays with cash to buy Bitcoin or create a payment address when someone wants to sell.

Surely they would have taken security measures, but not enough in light of this.


mk4
August 22, 2022, 06:37:36 AM
 #4

Quote from: Poker Player
I don't quite understand how these kinds of hacks happen. Probably because the Bitcoins are held in a web wallet instead of a hardware wallet, I understand.  I imagine this automates the process instead of someone having to physically handle the hardware wallet to send Bitcoins when someone pays with cash to buy Bitcoin or create a payment address when someone wants to sell.

Yea, having an operator to manually confirm transactions would probably defeat the purpose of having a self-serving ATM machine.

Breaches happen all the time, but unfortunately in my non-expert opinion it seems like the exploit was amateur-ish. (Correct me if I'm wrong)

"The attacker was able to create an admin user remotely via CAS administrative interface via a URL call on the page that is used for the default installation on the server and creating the first administration user."

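The flaw quoted in post #4, an install page that still creates an administration user after the server has been set up, can be modelled alongside the guard and the log check that catch it. This is an added example, not part of the thread and not General Bytes code; the `AdminServer` class, its method names, the usernames and the documentation-range IP addresses are hypothetical.

```python
from dataclasses import dataclass, field


class SetupClosed(Exception):
    """The first-run page was called on a server that is already installed."""


@dataclass
class AdminServer:
    # Hypothetical in-memory stand-in for an ATM management server.
    admins: list = field(default_factory=list)
    audit_log: list = field(default_factory=list)  # (event, username, source_ip)

    def setup_unguarded(self, username, source_ip):
        # Flawed pattern: the install page still creates admins after install.
        self.admins.append(username)
        self.audit_log.append(("setup", username, source_ip))

    def setup_guarded(self, username, source_ip):
        # Hardened pattern: refuse once any admin exists, and log the attempt.
        if self.admins:
            self.audit_log.append(("setup_denied", username, source_ip))
            raise SetupClosed("installation already completed")
        self.admins.append(username)
        self.audit_log.append(("setup", username, source_ip))


def late_setup_calls(audit_log):
    """Return every setup attempt that follows the first successful one."""
    seen_install = False
    late = []
    for event, username, source_ip in audit_log:
        if event in ("setup", "setup_denied") and seen_install:
            late.append((event, username, source_ip))
        if event == "setup":
            seen_install = True
    return late


def unexpected_admins(server, approved):
    """Admin accounts on the server that the operator never approved."""
    return sorted(set(server.admins) - set(approved))


def run_demo():
    # Constructed sample data; the IPs are documentation-range addresses.
    weak, hardened = AdminServer(), AdminServer()
    for srv in (weak, hardened):
        srv.setup_guarded("operator", "192.0.2.10")  # legitimate install
    weak.setup_unguarded("intruder", "203.0.113.7")
    try:
        hardened.setup_guarded("intruder", "203.0.113.7")
        blocked = False
    except SetupClosed:
        blocked = True
    return {
        "weak_extra": unexpected_admins(weak, ["operator"]),
        "hardened_extra": unexpected_admins(hardened, ["operator"]),
        "blocked": blocked,
        "weak_alerts": late_setup_calls(weak.audit_log),
        "hardened_alerts": late_setup_calls(hardened.audit_log),
    }
```

Both servers raise an alert from `late_setup_calls`, but only the unguarded one ends up with an account outside the approved list.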
NeuroticFish
August 22, 2022, 06:38:13 AM
 #5

Quote from: Poker Player
I don't quite understand how these kinds of hacks happen. Probably because the Bitcoins are held in a web wallet instead of a hardware wallet, I understand.

Since some people sell BTC and others buy BTC from those ATMs, I expect they have a hot wallet and they also work with exchange(s), hence, for optimizing the things, they may also have funds at exchanges. So a cold storage or hardware wallet would make sense for their profit and for other funds not needed daily. The rest would stay in hot wallets and the process would be automated.
(As mk4 also said) If they would keep the "hot" funds in HW, human intervention would be needed every time somebody buys BTC from them; not OK.

So I'd say the hot wallet is gone, basically like we see on any exchange's hack.

passwordnow
August 22, 2022, 06:56:28 AM
 #6

Quote from: Darker45
In general, and for the purpose of discussion, Bitcoin ATMs are not really a safe and best way to buy or sell Bitcoin.

Every system has its vulnerabilities and that's why patches and updates are very important. This isn't just for these bitcoin ATMs but for every company that has systems that are part of their operations. That's why IMO, no system is safe until they're up to date and the devs are focusing on its security and have it checked from time to time. The same goes with hacks and scams that happen in exchanges from a third party, this is the same as that IMO.

Z-tight
August 22, 2022, 07:10:13 AM
 #7

Hi there Darker45, I feel you probably did not see it, but DdmrDdmr already created this similar topic about the hack in this board yesterday, that is the link beneath:
https://bitcointalk.org/index.php?topic=5410704.msg60795600#msg60795600

franky1
August 22, 2022, 08:56:03 AM
 #8

Quote from: Darker45
General Bytes, the second largest Bitcoin ATM manufacturer in the world, has fallen victim to hackers. The hackers took advantage of a vulnerability which made them gain access to its server. The hackers, then, added themselves as default admins. As a result, the hackers were able to change certain settings of the server which directed all funds going into the ATMs to end up in their wallet address. General Bytes has 8,827 Bitcoin ATMs under its name.

no ATM should be using its own ATM/GM server creating private keys to give customers btc.
all ATM's should request customers create their own addresses and display to the ATM the public address only..

i say this because the story of this topic is saying how many CUSTOMERS have lost btc. which should never be the case. instead it should be GM showing a loss or the local ATM owner having the loss.

any funds on keys which the ATM operators created are not customer funds. the customers had not yet withdrawn funds from keys made by the ATM to put onto keys only the customer has. thus it's the old story of ("not your key not your coin")

and so it's not yet customer liable of loss but the ATM operator's loss.

any coin custodian service which operates by giving a customer a key the service created should be treated as the service made a financial loss. not the customer. whereby the customer should still get the opportunity to get coins when a fix is sorted or the business has to deal with customer suits to claim their funds. which means the business has to ensure their security is tighter to ensure the business does not lose money/goes bankrupt

BIT-BENDER
August 22, 2022, 10:09:18 AM
 #9

Saw this already made by another member. The mastering of Bitcoin ATMs hasn't yet been completed and hackers know this. I can only imagine how many trials are going on from hackers just to infiltrate Bitcoin ATMs across the world. This leads me to wonder right now, after this incident:
# who takes the blame
# what happens to the customers' funds
# would there be refunds
# what measures would be taken to prevent this from happening in future.

Personally I haven't used a Bitcoin ATM and with all this news I doubt if I would.

stompix
August 22, 2022, 11:28:45 AM
 #10

Quote from: Darker45
No figures were released yet as to the amount stolen and ATMs compromised. For now, server updates are urgently required. Until then, clients are advised to refrain from using General Bytes ATMs.

They will have to release those numbers one day or another as this will probably become more than a simple robbery case, and this will be pretty interesting from another point of view, we could finally get some number on the turnover of those ATMs that are popping up like mushrooms (at least in the US).

https://blog.kraken.com/post/11263/kraken-security-labs-identifies-vulnerabilities-in-commonly-used-bitcoin-atm/
Quote
POSTED ON SEPTEMBER 29, 2021

Quote
Kraken Security Labs has uncovered multiple hardware and software vulnerabilities in a commonly used cryptocurrency ATM: The General Bytes BATMtwo (GBBATM2). Multiple attack vectors were found through the default administrative QR code, the Android operating software, the ATM management system and even the hardware case of the machine.
Our team found that a large number of ATMs are configured with the same default admin QR code, allowing anyone with this QR code to walk up to an ATM and compromise it. Our team also found a lack of secure boot mechanisms, as well as critical vulnerabilities in the ATM management system.

So they knew for one year they have a ton of vulnerabilities, wonder how many more would be found on a real audit


Darker45 (OP)
August 22, 2022, 11:59:08 AM
 #11

Quote from: NotATether
Wasn't their platform audited before they started business? ATM software in particular are more in need of it than others since their client versions often stay put.

Before they started business, I'm not sure, although I wondered why General Bytes mentioned a number of audits conducted since 2020 when it has been in operation for years before that. Accordingly, however, "General Bytes products regularly undergo security audits at a minimum once a year."[1] Whether once a year at a minimum is enough, apparently not. Moreover, despite several audits conducted over the years, this vulnerability wasn't detected. Which makes me curious how serious or comprehensive their security audits are.


[1] https://www.generalbytes.com/en/news/kraken-findings

Quote from: Poker Player
I don't quite understand how these kinds of hacks happen. Probably because the Bitcoins are held in a web wallet instead of a hardware wallet, I understand.  I imagine this automates the process instead of someone having to physically handle the hardware wallet to send Bitcoins when someone pays with cash to buy Bitcoin or create a payment address when someone wants to sell.

It's certainly impractical to manually operate ATMs. Anyway, it seems that in this particular hack, it's the deposited coins that are targeted. So it's probably the sellers and not the buyers that are falling victim.

~snip~

This is probably the case. Losses will probably be on the operator's end rather than on the end users' or the manufacturer's.

Quote from: BIT-BENDER
Saw this already made by another member. The mastering of Bitcoin ATMs hasn't yet been completed and hackers know this. I can only imagine how many trials are going on from hackers just to infiltrate Bitcoin ATMs across the world. This leads me to wonder right now, after this incident:
# who takes the blame
# what happens to the customers' funds
# would there be refunds
# what measures would be taken to prevent this from happening in future.

Everything would be clear as soon as the dust settles down. However, it seems General Bytes is more liable to the operators and the operators to the end users, so we'll see whether there will be refund and where it will be coming from.

Quote from: Z-tight
Hi there Darker45, I feel you probably did not see it, but DdmrDdmr already created this similar topic about the hack in this board yesterday, that is the link beneath:
https://bitcointalk.org/index.php?topic=5410704.msg60795600#msg60795600

Thanks for the heads up! Will be locking this thread now as this is apparently a duplicate. Again, many thanks!

~snip~

~snip~

A similar thread was opened earlier by DdmrDdmr on this same topic. https://bitcointalk.org/index.php?topic=5410704.msg60795600#msg60795600
