Bitcoin ATMs in the US continue to use default admin QR codes

Kraken has recommended owners and operators of BATMTwo ATMs update their ATMs’ admin QR codes to avert any assaults.

According to Kraken Security Labs, a “significant proportion” of Bitcoin ATMs are vulnerable to hacking since their administrators have never altered the default administrator QR code.

Kraken said in a Sept. 29 blog post that its Security Labs team discovered “several hardware and software vulnerabilities” in the General Bytes BATMTwo ATM family.

“Numerous attack paths were discovered via the machine’s default administrative QR code, the Android operating system, the ATM management system, and even the machine’s physical case,” the post stated.

According to Kraken’s security team, if a hacker obtains administrator code, they may effectively “go up to an ATM and compromise it,” while also highlighting flaws with the BATMtwo’s lack of secure boot procedures and “major vulnerabilities” in the ATM’s management system. General Bytes, on the other hand, has purportedly already notified ATM owners of the vulnerabilities:

“Kraken Security Labs reported the vulnerabilities to General Bytes on April 20, 2021, they released patches to their backend system (CAS) and alerted their customers, but full fixes for some of the issues may still require hardware revisions.”

Additionally, the researchers discovered that by just connecting a USB keyboard to the machine, it was possible to acquire full access to the Android operating system running the BATMTwo ATM, and warned that “anyone” might “install software, copy files, or conduct other nefarious operations.”

General Bytes is headquartered in the Czech Republic, and Coin ATM Radar reports that there are currently 6391 General Bytes ATMs installed globally, representing 22.7 percent of the market. However, those figures include BATMThree machines that Kraken did not report on.

The bulk of BATM ATMs are located in the United States and Canada, with a combined total of over 5300, while Europe has approximately 824 ATMs.

Kraken is requesting that BATMTwo owners and operators modify the default QR admin code, update the CAS server, and position the ATMs in areas visible to security cameras.

Scams with Bitcoin ATMs

While there are few stories of Bitcoin ATMs being hacked, there is a history of cunning individuals concocting frauds around crypto ATMs.

In March 2019, the Toronto Police Department released a public statement requesting assistance in locating four males suspected of carrying out a series of “double-spending” transactions totaling $150,000 over a 10-day period. Double spending occurs when transactions are canceled before the ATM has a chance to confirm them but the dispensed currency is retained.

According to the Oakland Press, two women from Berkley were duped out of a total of $15,000 by scammers posing as public safety officers and government employees on June 22 of this year. According to reports, the scammers informed the victims that they owed money for outstanding warrants and tax offenses and compelled them to pay fines via local Bitcoin ATMs.

Additionally, Malwarebytes published research in August exposing a trend of gas station Bitcoin ATM scams in which threat actors created phony employment postings to lure candidates into money laundering.

Also Read: Ethereum Will Eventually Overtake Bitcoin According To The Co-Founder Of Polygon.