Crypto News- Lamassu Industries, a prominent Bitcoin ATM provider, successfully addressed a significant security loophole in its BTC dispensing machines after a team of ethical hackers demonstrated their ability to take full control of the devices. The incident shed light on vulnerabilities that had gone unnoticed.
Bitcoin ATM Vulnerability Exposed: Hackers Could Have Gained ‘Total Control’
In 2023, a group of security researchers from IOActive embarked on a mission to test the resilience of Lamassu’s ATMs. During their efforts to infiltrate the machines, the research team unearthed various vulnerabilities that they skillfully exploited to gain control. Gunter Ollman, IOActive’s Chief Technology Officer, disclosed to Cointelegraph that the exploit enabled attackers to “view and manipulate interactions with the hijacked ATM.”
Ollman elaborated, stating that hackers could pilfer BTC from users’ wallets directly through the compromised ATMs. He emphasized that a sophisticated attacker, adequately prepared, could even overhaul the entire user experience of the ATM and employ social engineering tactics to coax users into performing additional actions, such as divulging their bank account details.
However, Ollman reassured the community that the impact would be confined to a user’s account balance. He remarked, “When a device can be compromised down to the operating system level, the scope of attack against the user is only limited to how trusting the user is in the device or manufacturer of the device they are using.”
Lamassu Industries Resolves Bitcoin ATM Security Gap After Ethical Hacker Test
Adding to the gravity of the situation, Gabriel Gonzalez, IOActive’s Director of Hardware Security, underscored that the vulnerability granted an attacker with physical access to the ATM “full control.” Gonzalez outlined potential risks, including not only the theft of Bitcoin but also the potential drainage of all cash stored within the ATM. Moreover, he noted that the vulnerability could deceive the note reader, displaying a higher deposit amount than the actual sum.
Gonzalez warned of multiple exploitation possibilities, particularly if the ATMs were left unattended in various locations.
Despite the potential severity of the flaw, Lamassu Industries swiftly implemented a security patch to remedy the issue before the vulnerability became public knowledge in 2024. The company promptly communicated the solution to ATM owners, urging them to update their Bitcoin ATM machines to ensure continued security for users.