Bitcoin ATM provider Lamassu Industries has addressed a significant vulnerability in its Bitcoin ATM machines after a team of ethical hackers demonstrated they could take full control of the devices, exposing flaws in their security.
In 2023, security researchers from IOActive attempted to compromise several ATMs manufactured by Lamassu. During their efforts to access the machines, the research team identified multiple vulnerabilities that they successfully exploited, gaining control of the ATMs.
IOActive's Chief Technology Officer, Gunter Ollmann, explained that through the exploit, attackers could "view and manipulate interactions with the hijacked ATM." More concerning, they could steal Bitcoin from the user's wallet via the ATM using these vulnerabilities. Ollmann further noted that attackers might deceive users into entering their bank account details by offering fake incentives like free or discounted Bitcoin. However, Ollmann assured that the attack's impact would be limited to the user's account balance.
Gabriel Gonzalez, Director of Hardware Security at IOActive, emphasized that the vulnerability gave an attacker with physical access to the ATM "full control." This could result not only in the theft of Bitcoin but also in the complete depletion of the ATM's cash reserves. Additionally, the vulnerability could deceive the note reader into displaying a higher deposited amount than the actual value.
Gonzalez highlighted that these ATMs could have been exploited in various ways, especially if they were left unattended in public locations.
Fortunately, Lamassu Industries had already released a security patch to address the vulnerability before it was publicly disclosed in 2024. The company promptly informed ATM owners and encouraged them to update their Bitcoin ATM machines to protect against potential attacks.
This incident underscores the importance of robust security measures for cryptocurrency ATMs, as they represent a critical interface between digital assets and physical currency for many users.