Vulnerable: Kraken reveals many US Bitcoin ATMs still use default admin QR codes

Published at: Sept. 30, 2021

Kraken Security Labs has said that a “large number” of Bitcoin (BTC) ATMs are vulnerable to hacking, as the administrators never changed the default admin QR code.

In a Wednesday blog post, Kraken posted research from its Security Labs team, which found that there are “multiple hardware and software vulnerabilities” in the General Bytes BATMTwo ATM range.

“Multiple attack vectors were found through the default administrative QR code, the Android operating software, the ATM management system and even the hardware case of the machine,” the post read.

Kraken’s security team stated that if a hacker gets their hands on the administrative code, they can essentially “walk up to an ATM and compromise it,” while also highlighting issues with the BATMTwo’s lack of secure boot mechanisms, as well as “critical vulnerabilities” in the ATM’s management system. However, General Bytes has reportedly already alerted ATM owners to the vulnerabilities:

“Kraken Security Labs reported the vulnerabilities to General Bytes on April 20, 2021, they released patches to their backend system (CAS) and alerted their customers, but full fixes for some of the issues may still require hardware revisions.”

The team also found that it was able to gain full access to the Android operating system behind the BATMTwo ATM by simply attaching a USB keyboard to the machine and warned that “anyone” could “install applications, copy files or conduct other malicious activities.”

General Bytes is headquartered in the Czech Republic and, according to Coin ATM Radar, there are currently 6,391 General Bytes ATMs installed worldwide, which represents 22.7% of the global market. However, those figures also account for BATMThree machines that weren’t reported on by Kraken.

The majority of the BATM ATMs are located in the United States and Canada, with a combined total of around 5,300, while Europe has around 824 ATMs installed.

Kraken is calling on BATMTwo owners and operators to change the default QR admin code, update the CAS server, and place the ATMs in locations visible to security cameras.

Bitcoin ATM scams

While reports of hacked Bitcoin ATMs appear to be minimal, there is a history of crafty individuals building scams around crypto ATMs.

In March 2019, the Toronto Police issued a public statement calling on the community to locate four men suspected of carrying out a series of “double-spending” transactions that fetched $150,000 worth of funds over a 10-day window. Double-spending consists of canceling transactions before the ATM has had a chance to confirm them, while keeping the dispensed cash.

The Oakland Press reported on June 22 of this year that two women from Berkeley were scammed out of a combined $15,000 after fraudsters posed as public safety officers and federal employees. The scammers reportedly told the victims that they had outstanding warrants and tax violations and ordered them to pay fines via local Bitcoin ATMs in the area.

And Malwarebytes posted research in August that uncovered a trend of gas station Bitcoin ATM scams in which threat actors would post fake job listings to dupe applicants into money laundering.
