Multiple vulnerabilities found in general 'Bitcoin ATM', both in hardware and software



A '

bitcoin ATM ' is an ATM that allows you to buy bitcoins using cash or a debit card, or sell your own bitcoins for cash. With the spread of encryption assets (virtual currency) it has increased the number of installed Bitcoin ATM , but the virtual currency exchange-traded and Kraken is a research institute of the Kraken Security Labs (Kraken Security Lab) is, 'in general We have discovered hardware and software vulnerabilities in the Bitcoin ATMs used. '

Kraken Security Labs Identifies Vulnerabilities In Commonly Used Bitcoin ATM --Kraken Blog
https://blog.kraken.com/post/11263/kraken-security-labs-identifies-vulnerabilities-in-commonly-used-bitcoin-atm/

The Kraken Security Lab conducts security investigations of various cryptocurrency-related hardware with the aim of raising user awareness of potential security flaws and at the same time alerting product manufacturers to resolve the issue. .. This time, the researchers obtained the actual machine of 'BATMTwo ', which is a widely used Bitcoin ATM, and analyzed both hardware and software. In addition to Bitcoin, BATM Two supports more than 40 virtual currency transactions including Ethereum and Litecoin, and is designed to be mounted on a wall or a dedicated stand.

Analysis revealed multiple vulnerabilities in BATMtwo. The Kraken Security Lab shows in the following movie how a malicious attacker can exploit a vulnerability in BATM Two.

Kraken Security Labs Bitcoin ATM Vulnerabilities Overview --YouTube


◆ Problems with QR code for management
This is the actual BATM Two.



The owner who received the BATMtwo is instructed to scan the 'administrative QR code' on the main unit to set up the ATM. Since the management QR code has the role of the password of the ATM itself, it is desirable that each ATM uses a different QR code ...



When I obtained a used BATM Two from multiple routes and examined it, it turned out that the default management QR code is common to multiple ATMs. Because changing the BATMTwo admin QR code must be done manually, a significant number of BATMTwo owners who neglected to make the change said they were using the default admin QR code common to other ATMs.・ Security Lab points out. If you access the ATM management menu using the management QR code, it will be possible to connect BATM Two to a harmful server, so the user's personal information and virtual currency wallet will be endangered.



◆ Hardware vulnerable to physical infringement
BATMTwo is also protected by a single lock, but the Kraken Security Lab is also concerned about the vulnerability when this lock is released.



The inside of BATMTwo looks like this. The embedded computer and the cash box are not separated, and you can easily access the internal structure by simply opening the door. There are no sensors or server-side alarms to detect and warn that the door has opened, which could put cash boxes, embedded computers, webcams, and fingerprint readers at risk.



◆ Insufficient protection of Android OS
According to the Kraken Security Lab, the Android OS on BATM Two also lacks many common security features. If you connect a Bluetooth keyboard to the USB port provided on the internal embedded computer ...



I have direct access to the full Android UI. Android supports 'kiosk mode' that limits the UI to only a single application, but it is not enabled in BATM Two. When a malicious user gains access to the ATM UI, it can perform malicious activities such as installing apps, copying files, and sending private keys to attackers.



◆ Computers that do not have the secure boot function enabled
BATMTwo does not take advantage

of the secure boot feature of the processor used in embedded computers. Therefore, connect the USB cable to the carrier board ...



If you press the power button directly, you can reprogram the computer. The device

boot loader is also unlocked, and you can get privileged access to the boot loader by connecting a serial adapter to the UART port.



◆ Back-end cross-site request forgery lack of protection
BATMTwo is managed using software called 'Crypto Application Server (CAS)', but the research team at Kraken Security Labs said that CAS is an attack that exploits a vulnerability in a web application, a

cross-site request. I found that the protection of Forgery was not implemented. This allows an attacker to generate an authenticated request to CAS.



Based on the results of this analysis, Kraken Security Lab recommends the following to Bitcoin ATM users and owners:

·user
1: Use Bitcoin ATMs only in trusted locations and stores.
2: Confirm that surveillance cameras are installed around the Bitcoin ATM and that it is unlikely that it has been infringed by stealing human eyes.

·owner
1: Change the management QR code from the initial setting.
2: Update the CAS server and follow the seller's best practices.
3: Install Bitcoin ATM in a safe place where surveillance cameras are installed.

in Software,   Hardware,   Video,   Security, Posted by log1h_ik