Vulnerabilities in DeFi protocols and other crypto platforms are a recurring phenomenon in the industry. Now Kraken Security Labs has found that a “large number” of Bitcoin ATMs can be compromised because the default admin QR code is still in use.
The “multiple hardware and software vulnerabilities” affect the General Bytes BATMTwo ATM range. Kraken disclosed the findings in a blog post describing research by its Security Labs team, which elaborated:
“Multiple attack vectors were found through the default administrative QR code, the Android operating software, the ATM management system and even the hardware case of the machine.”
According to the security team, “anyone” who obtains the default admin QR code can “walk up to an ATM and compromise it.” Because the QR code acts as the administrative credential, every machine that still uses the factory default shares the same credential, so the code only has to leak once. The team also highlighted the BATMTwo’s lack of secure boot mechanisms, meaning the machine will run modified software without complaint, along with “critical vulnerabilities in the ATM management system.”
That is not all: the team also found that it could gain complete access to the ATM’s Android operating system simply by plugging a USB keyboard into the machine. This is alarming because it requires nothing more than brief physical access and would allow anyone to “install applications, copy files or conduct other malicious activities.”
Kraken has urged both operators and owners of BATMTwo ATMs to change the default admin QR code. The exchange also recommends updating the CAS backend server and placing the ATMs in locations covered by security cameras, since several of the attacks depend on hands-on access to the machine.
General Bytes has reportedly alerted ATM owners to these vulnerabilities already.
“Kraken Security Labs reported the vulnerabilities to General Bytes on April 20, 2021; they released patches to their backend system (CAS) and alerted their customers, but full fixes for some of the issues may still require hardware revisions.”
The Czech company General Bytes is the world’s second-largest BTC ATM provider. It has around 6,390 Bitcoin ATMs installed worldwide, representing 22.7% of the global market. Most of these, around 5,300 in total, are in the USA and Canada; around 824 are installed in Europe.
Cryptocurrency ATMs have been growing in popularity, with 28,142 installed worldwide across all operators. Most are in North America and Europe, but South-East Asia is slowly catching up with the trend.
Nevertheless, reported attacks on crypto ATMs remain rare. Even so, individuals have abused them in the past, for instance by double-spending against machines that dispense cash on an unconfirmed transaction.