Kraken Security Labs said a “large number” of Bitcoin (BTC) ATMs are vulnerable to hacking because administrators have not changed the administrator’s default QR code.
In a blog post on Wednesday, Kraken published a study by his Security Labs team that found that the General Bytes BATMTwo ATM series had “more hardware and software vulnerabilities.”
“Several attack vectors were detected using a standard administrative QR code, Android software, ATM management system, and even the device’s hardware block,” the company said.
The Kraken security team said that if the hacker obtained the administrative code, they could, in effect, “go to the ATM and beat it,” highlighting the problems of BATMTwo’s lack of secure launch mechanisms, as well as the ATM’s “critical vulnerabilities.” control system. However, General Bates has already warned ATMs of vulnerabilities:
“Kraken Security Labs reported security vulnerabilities to General Bytes on April 20, 2021, released server system (CAS) updates and alerted its customers, but some issues may require hardware replacement to be completely resolved.”
The team also discovered that it could fully access the Android operating system behind the BATMTwo ATM simply by connecting a USB keyboard to a computer, and warned that “anyone” could “install apps, copy files, or perform other malicious activities”.
General Bytes is headquartered in the Czech Republic, and according to the Coin ATM radar, there are currently 6,391 General Bytes ATMs installed worldwide, representing 22.7% of the global market. However, these numbers also apply to BATMTree machines, which Kraken has not reported.
Most of the ATMs are located in the USA and Canada, and there are only about 5,300, while there are about 824 ATMs in Europe.
Kraken is asking two BATMT owners and operators to change the default admin QR code, update the CAS server, and place ATMs in visible security camera locations.
On the topic: Data shows that El Salvador has the third largest number of Bitcoin ATMs in the world
Bitcoin ATM scam
While reports of Bitcoin ATM hacking seem scant, there is a story of cunning people engaging in crypto-related scams.
In March 2019, Toronto police issued a public statement urging the community to find four men suspected of a series of “double consumption” transactions that raised $150,000 over ten days. The double cost consists of canceling the transaction before the ATM has time to confirm, but keeping the cash.
On June 22 of this year, the Oakland Press reported that two Berkeley women were defrauded of a total of $15,000 after the fraudsters impersonated public security officers and federal employees. The scammers allegedly told victims they had unpaid court orders and tax violations and ordered them to pay fines through local Bitcoin ATMs in the area.
And in August, Malwarebytes published a study that highlighted the trend of Bitcoin ATM scams at gas stations, in which attackers published fake job listings to deceive job seekers for the purpose of money laundering.