Vulnerabilities in Lamassu Bitcoin ATMs Can Allow Hackers to Drain Wallets

Hackers could exploit Lamassu Douro ATM vulnerabilities to take over devices, steal bitcoin from users.

Three vulnerabilities in the Lamassu Douro bitcoin ATMs could allow an attacker with physical access to take over devices and steal user assets, cybersecurity firm IOActive reports.

Due to the identified security defects, which are tracked as CVE-2024-0175, CVE-2024-0176, and CVE-2024-0177, an attack could be executed using the same level of physical access that a regular customer would have.

The first issue, IOActive explains, is that during boot the Douro ATM allowed the user to interact with the underlying operating system’s window manager.

While this interaction window lasted only several seconds, IOActive’s researchers found that it was long enough to let a user run installed applications or launch a terminal window.

To use this low-level access to take over the machine, however, an attacker would need to input commands, which would normally be impossible without connecting a keyboard.

However, the ATM supports reading QR codes, and the researchers exploited this feature by crafting a malicious QR code containing their payload. Once scanned, the payload led to a root shell, as demonstrated in IOActive’s video.


The attack, IOActive explains, was possible due to a vulnerability in the ATM’s software update mechanism that could allow an attacker to supply their own malicious file and trigger legitimate processes for code execution.

IOActive also discovered that the ATMs used a weak root password, which the researchers were able to crack within a minute. Furthermore, the same password was used on all devices.

Responding to a SecurityWeek inquiry, IOActive CTO Gunter Ollmann pointed out that an attacker able to take control of one of the vulnerable ATMs could steal a user’s assets. 

“Since an adversary can effectively view and manipulate any interactions with the hijacked ATM, the attacker could interactively manipulate and steal from the user’s account or wallet – but the theft would be limited to the user’s account balance. A sophisticated attacker, with sufficient preparation, could modify or replace the entire user experience of the ATM and (socially) engineer the user into performing additional actions, such as prompting the user to enter their online banking account details by encouraging them with free or discounted bitcoin to be transferred to their wallet,” Ollmann said.

“Ultimately, when a device can be compromised down to the operating system level, the scope of attack against the user is only limited to how trusting the user has been with the device or manufacturer of the device they are using,” he added. 

All three issues were reported to Lamassu in July 2023. The vendor fixed the bugs in October by hardening permissions for the update process, implementing a stronger passphrase for the root account, and preventing users from accessing the desktop environment during OS start. 

Related: Iagona ScrutisWeb Vulnerabilities Could Expose ATMs to Remote Hacking

Related: Millions Stolen in Hack at Cryptocurrency ATM Manufacturer General Bytes

Related: New ATM Malware ‘FiXS’ Emerges

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
