


Vulnerabilities in Lamassu Bitcoin ATMs Can Allow Hackers to Drain Wallets

Hackers could exploit Lamassu Douro ATM vulnerabilities to take over devices, steal bitcoin from users.

Three vulnerabilities in the Lamassu Douro bitcoin ATMs could allow an attacker with physical access to take over devices and steal user assets, cybersecurity firm IOActive reports.

Due to the identified security defects, which are tracked as CVE-2024-0175, CVE-2024-0176, and CVE-2024-0177, an attack could be executed using the same level of physical access that a regular customer would have.

The first issue, IOActive explains, is that, during boot, the Douro ATM would allow the user to interact with the underlying operating system’s window manager.

While the interaction window lasted only several seconds, IOActive's researchers discovered that it was long enough to allow a user to run installed applications or launch a terminal window.

To use this low-level access to take over the machine, however, an attacker would need to input commands, which would normally be impossible without connecting a keyboard.

However, the ATM supports reading QR codes, and the researchers exploited this feature by crafting a malicious QR code containing their payload. Once read, the payload would lead to a root shell, as exemplified in the video below.

The attack, IOActive explains, was possible due to a vulnerability in the ATM’s software update mechanism that could allow an attacker to supply their own malicious file and trigger legitimate processes for code execution.

IOActive also discovered that the ATMs were using a weak root password that they were able to crack within a minute. Furthermore, the password was used on all devices.


Responding to a SecurityWeek inquiry, IOActive CTO Gunter Ollmann pointed out that an attacker able to take control of one of the vulnerable ATMs could steal a user’s assets. 

“Since an adversary can effectively view and manipulate any interactions with the hijacked ATM, the attacker could interactively manipulate and steal from the user’s account or wallet – but the theft would be limited to the user’s account balance. A sophisticated attacker, with sufficient preparation could modify or replace the entire user experience of the ATM and (socially) engineer the user into performing additional actions, such as prompting the user to enter their online banking account details by encouraging them with free or discounted bitcoin to be transferred to their wallet,” Ollmann said.

“Ultimately, when a device can be compromised down to the operating system level, the scope of attack against the user is only limited to how trusting the user has been with the device or manufacturer of the device they are using,” he added. 

All three issues were reported to Lamassu in July 2023. The vendor fixed the bugs in October by hardening permissions for the update process, implementing a stronger passphrase for the root account, and preventing users from accessing the desktop environment during OS start. 


Written By

Ionut Arghire is an international correspondent for SecurityWeek.

