Bitcoin ATM provider Lamassu Industries fixed a vulnerability in its Bitcoin (BTC) ATM machines after a team of ethical hackers took full control of the devices, highlighting some of its flaws.
In 2023, security researchers from IOActive attempted to hijack several ATMs issued by Lamassu. As they worked to access the machines, the research team identified several vulnerabilities that they managed to exploit to gain access to the ATMs.
IOActive’s chief technology officer, Gunter Ollman, told Cointelegraph that through the exploit, attackers could “view and manipulate interactions with the hijacked ATM.” The security professional explained that hackers could steal BTC from the user’s wallet through the ATM using the vulnerabilities. Ollman explained:
“A sophisticated attacker, with sufficient preparation, could modify or replace the entire user experience of the ATM and socially engineer the user into performing additional actions.”
The executive said the attacker could also trick the user into entering their bank account details, luring them with offers such as free or discounted Bitcoin. However, Ollman also assured the community that the effect would be limited to a user’s account balance.
“Ultimately, when a device can be compromised down to the operating system level, the scope of attack against the user is only limited to how trusting the user is in the device or manufacturer of the device they are using,” he added.
Meanwhile, Gabriel Gonzalez, the director of hardware security at IOActive, added that that the vulnerability allows an attacker with physical access to the ATM to have “full control.” Gonzalez explained that apart from stealing Bitcoin, the vulnerability could also lead to all the money in the ATM being drained. It could also “fool the note reader” into displaying a higher amount of money being deposited instead of the actual amount.
Related: Net Bitcoin ATMs record an increase after 4 months of global downtrend
The executive also added that the ATMs could have been exploited in several ways, especially if they are left unattended wherever they are located.
While the flaw in the ATMs could have had a severe effect on its users, the ATM provider already deployed a fix through a security patch before the vulnerability was disclosed to the public in 2024. The company informed ATM owners and urged them to update their Bitcoin ATM machines.
Magazine: Real AI use cases in crypto, No. 3: Smart contract audits & cybersecurity