Three vulnerabilities in the Lamassu Douro bitcoin ATMs could allow an attacker with physical access to take over devices and steal user assets, cybersecurity firm IOActive reports.
The three flaws, tracked as CVE-2024-0175, CVE-2024-0176, and CVE-2024-0177, can be exploited by an attacker with no more physical access than a regular customer has.
The first issue, IOActive explains, is that, during boot, the Douro ATM would allow the user to interact with the underlying operating system’s window manager.
That window lasts only a few seconds, but IOActive's researchers found it is long enough to run installed applications or open a terminal window.
To use this low-level access to take over the machine, however, an attacker would need to input commands, which would normally be impossible without connecting a keyboard.
The ATM does, however, read QR codes, and the researchers exploited this by crafting a malicious QR code carrying their payload. Once scanned, the payload gave them a root shell, as shown in the video below.
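The lesson from the QR-code step is that scanner input reaching the operating system must be treated as untrusted data, never as keystrokes or commands. The following Python is an added example, not code from IOActive or Lamassu and not a reconstruction of the actual payload: it assumes the scanner delivers the decoded text as a string, and accepts only a bare mainnet bitcoin address or a BIP21-style `bitcoin:` URI with a small set of parameters. Anything containing control characters (a newline is an Enter key to a keyboard-emulating scanner), an unexpected scheme, an unknown parameter, or a malformed amount is rejected. The two sample payloads are constructed for the demonstration.

```python
import re
from decimal import Decimal, InvalidOperation
from urllib.parse import parse_qsl, urlsplit

# Constructed samples (not from IOActive's report): a benign BIP21-style
# payment request, and a keystroke-injection style payload that a
# keyboard-emulating scanner would type into whatever window has focus.
SAMPLE_PAYMENT_QR = "bitcoin:bc1qw508d6qejxtdg4y5r3zarvary0c5xw7kv8f3t4?amount=0.01&label=Lobby%20ATM"
SAMPLE_HOSTILE_QR = "bc1qw508d6qejxtdg4y5r3zarvary0c5xw7kv8f3t4\nxterm -e /bin/sh\n"

MAX_QR_LEN = 512                      # assumed budget; real requests are far shorter
ALLOWED_PARAMS = {"amount", "label", "message"}
MAX_AMOUNT = Decimal("21000000")      # no payment can exceed the total supply

# Syntactic checks only: legacy base58 (1.../3...) and bech32/bech32m (bc1...)
# mainnet addresses. Checksum verification would be the next layer.
BASE58_ADDR = re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$")
BECH32_ADDR = re.compile(r"^bc1[qpzry9x8gf2tvdw0s3jn54khce6mua7l]{39,59}$")


class InvalidQRPayload(ValueError):
    """Raised for any scan that is not a well-formed payment request."""


def validate_qr_text(raw: str) -> str:
    """Reject anything that could be interpreted as keystrokes or commands."""
    if not isinstance(raw, str) or not raw:
        raise InvalidQRPayload("empty payload")
    if len(raw) > MAX_QR_LEN:
        raise InvalidQRPayload("payload exceeds %d characters" % MAX_QR_LEN)
    # Newline (Enter), tab, escape and every other control code are refused,
    # as is anything outside printable ASCII.
    for ch in raw:
        if not 0x20 <= ord(ch) <= 0x7E:
            raise InvalidQRPayload("control or non-ASCII character in payload")
    return raw


def parse_payment_request(raw: str) -> dict:
    """Parse a bare address or a bitcoin: URI into a validated dict."""
    text = validate_qr_text(raw)
    parts = urlsplit(text)
    if parts.scheme and parts.scheme.lower() != "bitcoin":
        raise InvalidQRPayload("unexpected URI scheme %r" % parts.scheme)
    if parts.netloc or parts.fragment:
        raise InvalidQRPayload("authority or fragment not allowed")
    address = parts.path
    if not (BASE58_ADDR.match(address) or BECH32_ADDR.match(address)):
        raise InvalidQRPayload("malformed address")

    request = {"address": address}
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if key not in ALLOWED_PARAMS:
            raise InvalidQRPayload("unknown parameter %r" % key)
        if key == "amount":
            try:
                amount = Decimal(value)
            except InvalidOperation:
                raise InvalidQRPayload("amount is not a number") from None
            # is_finite() first: ordering comparisons against NaN would raise.
            if not amount.is_finite() or not Decimal(0) < amount <= MAX_AMOUNT:
                raise InvalidQRPayload("amount out of range")
            request[key] = amount
        else:
            request[key] = value
    return request


def is_safe_payment_request(raw: str) -> bool:
    """Boolean wrapper for callers that only need accept/reject."""
    try:
        parse_payment_request(raw)
        return True
    except InvalidQRPayload:
        return False


if __name__ == "__main__":
    print(parse_payment_request(SAMPLE_PAYMENT_QR))
    print("hostile payload accepted:", is_safe_payment_request(SAMPLE_HOSTILE_QR))
```

The allowlist shape matters more than the specific regexes: the kiosk application decides what a scan may contain and drops everything else before the text reaches any other component, so a scanner that behaves like a keyboard never gets to type into a terminal.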
The attack, IOActive explains, was possible because of a vulnerability in the ATM's software update mechanism that allowed an attacker to supply their own malicious file and have legitimate processes execute it.
IOActive also found that the ATMs used a weak root password, which the researchers cracked in under a minute, and that the same password was set on every device.
Responding to a SecurityWeek inquiry, IOActive CTO Gunter Ollmann pointed out that an attacker able to take control of one of the vulnerable ATMs could steal a user’s assets.
“Since an adversary can effectively view and manipulate any interactions with the hijacked ATM, the attacker could interactively manipulate and steal from the user’s account or wallet – but the theft would be limited to the user’s account balance. A sophisticated attacker, with sufficient preparation could modify or replace the entire user experience of the ATM and (socially) engineer the user into performing additional actions, such as prompting the user to enter their online banking account details by encouraging them with free or discounted bitcoin to be transferred to their wallet,” Ollmann said.
“Ultimately, when a device can be compromised down to the operating system level, the scope of attack against the user is only limited to how trusting the user has been with the device or manufacturer of the device they are using,” he added.
All three issues were reported to Lamassu in July 2023. The vendor fixed them in October by hardening permissions on the update process, setting a stronger passphrase for the root account, and blocking access to the desktop environment during OS startup.
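The update-mechanism flaw described above came down to a privileged process acting on a file an unprivileged user could supply, and the vendor's stated fix was to harden permissions on that process. As an added example, not Lamassu's code and not a description of their actual update flow, here is what a permission-and-provenance gate in front of an updater looks like in Python. It assumes a root-owned staging directory (the `expected_uid` parameter, 0 in production) and a manifest of SHA-256 digests for approved bundles; the digest check is an extra layer the article does not mention. The file must be a regular, non-symlink file inside the staging directory, both it and the directory must be owned by the expected uid and writable by nobody else, and the hash is computed on the opened descriptor so the file cannot be swapped between the check and the read. `demo()` builds a constructed scenario in a temporary directory using the current uid.

```python
import hashlib
import os
import stat
import tempfile
from pathlib import Path


class RejectedUpdate(Exception):
    """Raised when an update bundle fails any provenance or permission check."""


def _refuse_if_writable_by_others(st: os.stat_result, what: str) -> None:
    # A group- or world-writable path is one an unprivileged local user
    # (the kiosk account, for instance) could have replaced.
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        raise RejectedUpdate("%s is group/world writable" % what)


def check_update_file(path, staging_dir, trusted_digests, expected_uid=0) -> str:
    """Return the bundle's SHA-256 hex digest if it passes every check."""
    path = Path(path)
    staging_dir = Path(staging_dir)

    # lstat: a symlink planted by an unprivileged user must be seen as a
    # symlink, not followed to whatever root-readable file it points at.
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        raise RejectedUpdate("update path is a symlink")
    if not stat.S_ISREG(st.st_mode):
        raise RejectedUpdate("update path is not a regular file")
    if path.resolve().parent != staging_dir.resolve():
        raise RejectedUpdate("update is outside the staging directory")

    dir_st = os.stat(staging_dir)
    if dir_st.st_uid != expected_uid:
        raise RejectedUpdate("staging directory not owned by expected uid")
    _refuse_if_writable_by_others(dir_st, "staging directory")
    if st.st_uid != expected_uid:
        raise RejectedUpdate("update file not owned by expected uid")
    _refuse_if_writable_by_others(st, "update file")

    # Hash the descriptor we actually opened and confirm it is the same inode
    # that was checked, closing the check-then-open race.
    with open(path, "rb") as fh:
        fst = os.fstat(fh.fileno())
        if (fst.st_dev, fst.st_ino) != (st.st_dev, st.st_ino):
            raise RejectedUpdate("file changed between check and open")
        digest = hashlib.sha256()
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    hexdigest = digest.hexdigest()
    if hexdigest not in trusted_digests:
        raise RejectedUpdate("digest not in trusted manifest")
    return hexdigest


def _rejected(*args) -> bool:
    """True if check_update_file refuses the given arguments."""
    try:
        check_update_file(*args)
    except RejectedUpdate:
        return True
    return False


def demo(expected_uid=None) -> dict:
    """Constructed scenario: one approved bundle plus several planted ones."""
    if expected_uid is None:
        expected_uid = os.getuid()
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        staging = Path(tmp) / "updates"
        staging.mkdir()
        os.chmod(staging, 0o755)           # mkdir's mode is subject to umask

        good = staging / "bundle-approved.tar"
        good.write_bytes(b"approved update bundle (constructed sample)\n")
        os.chmod(good, 0o644)
        trusted = {hashlib.sha256(good.read_bytes()).hexdigest()}
        results["approved"] = check_update_file(good, staging, trusted, expected_uid) in trusted

        planted = staging / "bundle-planted.tar"
        planted.write_bytes(b"attacker-supplied bundle (constructed sample)\n")
        os.chmod(planted, 0o666)           # dropped in with lax permissions
        results["world_writable"] = _rejected(planted, staging, trusted, expected_uid)
        os.chmod(planted, 0o644)           # correct permissions, unknown content
        results["unknown_digest"] = _rejected(planted, staging, trusted, expected_uid)

        link = staging / "bundle-link.tar"
        os.symlink(good, link)             # symlink to an approved file
        results["symlink"] = _rejected(link, staging, trusted, expected_uid)

        outside = Path(tmp) / "bundle-outside.tar"
        outside.write_bytes(good.read_bytes())   # approved bytes, wrong location
        os.chmod(outside, 0o644)
        results["outside_staging"] = _rejected(outside, staging, trusted, expected_uid)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print("%-16s %s" % (name, "ok" if outcome else "FAILED"))
```

The ownership and write-bit checks are the part that corresponds to "hardening permissions": if the kiosk user can write to the staging directory, nothing the updater does afterwards can establish who produced the file. The digest allowlist is what turns "the file looks legitimate" into "the file is one we published", and a signed manifest would be the natural next step for a fleet.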
Related: New ATM Malware ‘FiXS’ Emerges