Chargen19
Basic
- Joined
- 02.10.20
- Messages
- 100
- Reaction score
- 121
- Points
- 43
Kraken Security Labs has identified several hardware and software vulnerabilities in a widely used cryptocurrency ATM, the General Bytes BATMtwo.
Multiple attack vectors were found through the default administrative QR code, the Android operating system, the ATM management server, and even the hardware enclosure of the machine.
A large number of ATMs are configured with the same default administrator QR code, so anyone who has this QR code can walk up to an ATM, compromise it, repoint it at an attacker-controlled management server, and do anything with it.
In addition, most bitcoin ATMs have only one compartment, protected by a single tubular lock. Bypassing it gives direct access to all internal components of the device.
The device has no local or server-side alarm to warn that the internal compartment has been opened. At this stage a potential attacker can compromise the cash box, the embedded computer, the webcam and the fingerprint reader.
The BATMtwo runs Android, and the installation lacks many common security hardening features.
By connecting a USB keyboard to the BATM, you can get direct access to the full Android user interface, which allows anyone to install applications, copy files, or perform other malicious actions (for example, sending private keys to an attacker).
Android supports a "kiosk mode" that locks the user interface to a single application, which would prevent a person from reaching other areas of the software; however, it has not been enabled on the ATM.
The BATMtwo contains an embedded computer based on the NXP i.MX6. The Kraken team found that the BATMtwo does not use the CPU's secure boot feature, so it can be reprogrammed simply by connecting a USB cable to a port on the carrier board and powering on the computer while holding down a button. Without secure boot nothing verifies the firmware that is loaded, so a replaced image runs with full control of the device.
In addition, the device's bootloader is unlocked: simply connecting a serial adapter to the UART port on the device is enough to get privileged access to the bootloader.
BATM ATMs are managed through the "Crypto Application Server" (CAS), management software that can be hosted by the operator or licensed as SaaS.
The Kraken team discovered that these servers implement no protection against cross-site request forgery (CSRF). An attacker who lures a logged-in operator to a malicious web page can therefore make the operator's browser send authenticated, state-changing requests to the server, which opened up several further attack vectors for the researchers.
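As an added illustration of the CSRF issue (example code written for this post, not General Bytes or Kraken code): the vulnerable handler trusts the session cookie alone, while the hardened one also demands a per-session synchronizer token and checks the Origin header. The endpoint path, session store, ATM config and request shapes are constructed assumptions for the demonstration, not the real CAS API.

```python
"""Added example (not General Bytes code): a minimal model of a management
endpoint that changes which server an ATM reports to, first without CSRF
protection and then with a synchronizer token plus an Origin check.

Everything below (endpoint, sessions, config, request format) is constructed
for illustration and is not taken from the Crypto Application Server."""
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed server state: one logged-in operator session with its CSRF token,
# and one ATM whose management server address the endpoint can change.
SESSIONS = {"sess-abc123": {"user": "operator",
                            "csrf_token": secrets.token_hex(16)}}
ATM_CONFIG = {"atm-001": {"server_url": "https://cas.example.internal"}}
SITE_ORIGIN = "https://cas.example.internal"


@dataclass
class Request:
    method: str
    path: str
    cookies: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)


def session_for(req):
    return SESSIONS.get(req.cookies.get("session"))


def set_server_url_vulnerable(req, config):
    """Only checks the session cookie. The browser attaches that cookie to
    any request to this site, including a form auto-submitted by an
    attacker's page, so a forged cross-site POST is accepted."""
    sess = session_for(req)
    if req.method != "POST" or sess is None:
        return 403
    config[req.form["atm_id"]]["server_url"] = req.form["server_url"]
    return 200


def set_server_url_hardened(req, config):
    """Synchronizer-token pattern plus an Origin check. The token is only
    readable by pages served from the site's own origin, so a cross-site
    form cannot supply it; an Origin header from another site is rejected
    outright, and a missing Origin (older browsers) still fails on the token."""
    sess = session_for(req)
    if req.method != "POST" or sess is None:
        return 403
    origin = req.headers.get("Origin")
    if origin is not None and origin != SITE_ORIGIN:
        return 403
    token = req.form.get("csrf_token", "")
    if not hmac.compare_digest(token, sess["csrf_token"]):
        return 403
    config[req.form["atm_id"]]["server_url"] = req.form["server_url"]
    return 200


def run_scenario(handler):
    """Replay a constructed legitimate request and two forged cross-site
    requests (one with an attacker Origin, one with no Origin header) against
    a fresh copy of the config. Returns the three statuses and the server_url
    that ends up configured for the ATM."""
    config = {k: dict(v) for k, v in ATM_CONFIG.items()}
    legit = Request("POST", "/atm/server", cookies={"session": "sess-abc123"},
                    headers={"Origin": SITE_ORIGIN},
                    form={"atm_id": "atm-001",
                          "server_url": "https://cas2.example.internal",
                          "csrf_token": SESSIONS["sess-abc123"]["csrf_token"]})
    forged = Request("POST", "/atm/server", cookies={"session": "sess-abc123"},
                     headers={"Origin": "https://attacker.example"},
                     form={"atm_id": "atm-001",
                           "server_url": "https://attacker.example/cas"})
    forged_no_origin = Request("POST", "/atm/server",
                               cookies={"session": "sess-abc123"},
                               form={"atm_id": "atm-001",
                                     "server_url": "https://attacker.example/cas"})
    statuses = (handler(legit, config), handler(forged, config),
                handler(forged_no_origin, config))
    return statuses + (config["atm-001"]["server_url"],)


if __name__ == "__main__":
    print("vulnerable:", run_scenario(set_server_url_vulnerable))
    print("hardened:  ", run_scenario(set_server_url_hardened))
```

With the vulnerable handler both forged requests succeed and the ATM ends up pointed at the attacker's server; with the hardened handler only the legitimate request goes through. A SameSite=Lax or Strict attribute on the session cookie adds a browser-enforced second layer, but it does not replace the token, since it depends on client support.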
===============
Cryptocurrency ATMs have become a convenient way for people to buy digital assets. However, the security of these machines remains in question.
Kraken Security Labs recommends using only crypto ATMs located in a secure location.