Bitcon ATM Hack: Total Control Vulnerability

Bitcoin ATM provider Lamassu Industries has addressed a vulnerability in its ATMs after a group of ethical hackers successfully took control of the machines, exposing weaknesses in their security. In 2023, researchers from IOActive attempted to hack into several Lamassu ATMs, uncovering multiple vulnerabilities that they were able to exploit. According to IOActive’s chief technology officer, Gunter Ollman, attackers who gained access to the ATMs through these vulnerabilities could manipulate and view interactions with the machines, potentially stealing bitcoin from users’ wallets. Ollman also highlighted that attackers could trick users into divulging their bank account details by offering them free or discounted bitcoin.

Ollman reassured the community that the impact of these attacks would be limited to users’ account balances. He emphasized that the extent of the damage depends on how much trust users have in the device or the device’s manufacturer. Gabriel Gonzalez, director of hardware security at IOActive, revealed that the vulnerability also gave attackers with physical access to the ATMs full control over the machines. This not only allowed them to steal bitcoin but potentially drain all the money from the ATM. The vulnerability enabled attackers to deceive the ATM’s note reader, showing a higher amount of money being deposited than the actual amount.

Gonzalez warned that the ATMs could have been exploited in multiple ways, particularly if left unattended. Lamassu Industries promptly deployed a security patch to address the vulnerability before it was made public in 2024. The company alerted ATM owners about the fix and urged them to update their Bitcoin ATM machines to ensure their continued security.