Blog
Analysis: Hackers Exploit Zero-Day to Siphon $1.5 Million From Bitcoin ATMs
Anxiety about the security of hot wallets grows as General Bytes customers are hit by a zero-day flaw in the company’s Bitcoin ATMs.
By John E. Dunn
It’s fair to say that crypto has an image problem. What it didn’t need was a Bitcoin ATM (BATM) hack to generate even more bad publicity.
Unfortunately, that’s exactly what happened on March 17-18, according to General Bytes, one of the best-known makers of BATMs on the market. Hackers exploited a zero-day flaw in a video interface that’s part of the General Bytes CAS server platform to steal 56 Bitcoins (worth $1.5 million) and a small volume of Ethereum from customers running the BATMs.
The attacker first identified BATMs running vulnerable CAS servers and the General Bytes Cloud service by scanning the IP address space of recommended service provider DigitalOcean on ports 7777 or 443.
The attacker uploaded a Java application that created a new default admin user to execute the compromise. This gave the attacker:
- Access the database.
- The ability to read and decrypt API keys.
- Access and send funds from ‘hot’ (online) wallets.
- The ability to download usernames, password hashes, turn off 2FA authentication.
- Access to logs, including where customers had scanned their private key at a BATM.
It’s not clear how many customers have been affected by the attack, but presumably General Bytes will be liable for some or all of the missing funds. However, given the unregulated space that cryptocurrency is, even that is uncertain.
How has the company responded?
General Bytes released a patch within 15 hours, instructions on how customers can assess whether their BATM was breached, plus mitigations to secure the terminal.
According to one map , there appear to be around 10,000 General Bytes BATMs worldwide, predominantly in the U.S. Meanwhile, the company said it is closing its cloud service, which means all customers will have to manage their BATMs as standalone devices.
General Bytes BATMs were hit by a separate zero-day flaw last August that resulted in undisclosed losses. This week the company said that it has conducted “multiple” security audits since 2021, none of which turned up the latest vulnerability which has been present since version 20210401.
An On-Going Challenge
Concern about the vulnerability of BATMs has been growing for some time. In 2021, researchers uncovered a nest of security issues in one of General Bytes’ BATMs, the BATMtwo (GBBATM2):
“Our team found that a large number of ATMs are configured with the same default admin QR code, allowing anyone with this QR code to walk up to an ATM and compromise it. Our team also found a lack of secure boot mechanisms, as well as critical vulnerabilities in the ATM management system,” said Kraken Security Labs at the time.
The bigger issue in play here is how it can ever be possible to secure hot wallets. This is a fundamental issue with BATMs, which require an online connection for real-time transactions to take place.