
Kraken Security uncovers Bitcoin ATM security vulnerabilities

Bitcoin ATMs are becoming a more common sight across the U.S., as many convenience stores and gas stations have begun deploying them. At the same time, there are also security concerns with Bitcoin ATMs. Kraken Security Labs recently uncovered a number of vulnerabilities with a Bitcoin ATM.

Image via Istock.com


by Bradley Cooper — Editor, ATM Marketplace

Bitcoin ATMs are becoming a more common sight across the U.S., as many convenience stores and gas stations have begun deploying them. In fact, Circle K has recently been deploying Bitcoin ATMs at a greater pace. At the same time, there are also security concerns with Bitcoin ATMs, as malicious agents can take them over and steal critical information.

Kraken Security Labs recently uncovered a number of vulnerabilities with the General Bytes BATMtwo model, according to a blog post from the lab.

First, the lab identified a QR code vulnerability. Many of the ATMs share the same default admin code, so anyone who uses that QR code can reach the administrative side of the ATM and gain access to both cryptocurrency assets and users' personal information.

In addition, Kraken found a hardware vulnerability through the ATM's key. Anyone who has a key to the cash box of the ATM will be able to access the ATM's computer as well. In other ATMs, these two parts require separate keys, according to a video from Kraken Security Labs. There is also no tamper detection on the ATM.

From here, a criminal could backdoor the software on the computer, gain direct access to the Android OS, steal data from the device and replace the original ATM software with malicious software. In Kraken's case, they simply replaced the original ATM software with the game Doom.

Also, on the backend system, Kraken found that criminals can create malicious organizations directly on the crypto application server without knowing any credentials.

Kraken reported all of these vulnerabilities directly to BATM so they could correct these issues. It recommends that ATM owners change the default QR admin code, update the CAS server to follow best practices and utilize security controls such as surveillance cameras.

To see Kraken's security analysis in full, you can watch the YouTube video below.


Bradley Cooper

Bradley Cooper is the editor of ATM Marketplace and was previously the editor of Digital Signage Today. His background is in information technology, advertising, and writing.
