
Bitcoin ATMs Hacked, Millions in Crypto Stolen as Threat Actors Exploit an Upload Vulnerability

A vulnerability in the interface that General Bytes bitcoin ATMs use to upload videos was found and exploited by thieves, leading to the theft of at least $1.5 million in crypto from user accounts.

General Bytes has over 15,000 of these bitcoin ATMs in circulation in over 100 countries, recognizable by their yellow face plates or touch screens with a “Bitcoin ATM” logo across the bottom. The final amount of stolen crypto is still being tallied as investigations continue, but about 56 BTC has been confirmed taken from 15 operators in total.

Upload interface flaw allows attackers to steal private keys from bitcoin ATMs

Bitcoin ATMs replicate some of the functionality of traditional bank ATMs, allowing users to “withdraw” funds by selling some of their crypto on the spot via an exchange at whatever the current market rate is. It is less clear why these bitcoin ATMs might have a video upload function, but it is possibly due to some sort of planned marketing feature.

Whatever the case, the attackers were able to exploit this feature to upload malicious JavaScript code. The attackers targeted bitcoin ATMs running on Digital Ocean, the cloud hosting provider that General Bytes recommends to ATM buyers (standalone management is also an option). They were able to intercept the API private keys that secure “hot” crypto wallets online, in turn gaining the ability to disable two-factor authentication, change exchange passwords and raid accounts for their funds.

A statement from General Bytes appeared to pass the buck for the crypto theft to individual owners of bitcoin ATMs that were exploited, saying that the ATM servers are meant to be behind a firewall and VPN to be protected from attacks and that only operators that were not using a VPN were impacted. General Bytes instructed all ATM owners to only connect the kiosks to the internet via a VPN, and also said that it is issuing a security fix.

The company also said that it was still investigating the incident and did not have final numbers in terms of crypto theft amounts, but that at least 56 BTC was stolen (about $1.5 million) from the total of at least 15 operators that were hit. However, other forms of crypto were also stolen in the attacks, so this tally is extremely likely to increase before this incident is wrapped up.

Jason Kent, Hacker in Residence for Cequence Security, notes that theft of API keys is a more general trend and has become a focal point for hackers: “As you can see, APIs have once again played a part in a massive successful attack. Why? Well, if one has an API Key for a coin trading platform, especially a privileged one like an ATM service would use, the attacker now owns the system. The overall target for this breach was to get control of the wallets and move coins. The pivot from attacking to withdrawing occurred once they had the API Keys they needed. As Kerckhoffs teaches, the most important thing is how the key is handled, everything within a secure crypto system can be known – except the key. Persistent keys, even if encrypted, should be avoided. API Keys often persist far too long and grant far too many privileges.”
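The two key-handling failures Kent names, keys that live too long and keys that carry too many privileges, are the ones an exchange-side API can design against. The following is an added example written for this article; it is not Cequence or General Bytes code and does not describe any real exchange's API. The scope names (`rates:read`, `wallet:withdraw`), the ten-minute TTL and the `id.secret` key format are assumptions made for the demonstration. The server stores only a SHA-256 digest of each key, so a copy of the key table does not yield usable credentials, and every key carries an expiry and an explicit scope set that is checked on each call.

```python
"""Short-lived, least-privilege API keys stored only as hashes.

Added example illustrating the key-handling points in the quote above; it is
not Cequence or General Bytes code and does not describe any real exchange's
API. Scope names, TTLs and the key format are assumptions made for the demo.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Tuple


def _hash_secret(secret: str) -> str:
    """Only a SHA-256 digest of the secret is ever stored server-side."""
    return hashlib.sha256(secret.encode()).hexdigest()


@dataclass
class KeyRecord:
    secret_hash: str
    scopes: frozenset
    expires_at: float
    revoked: bool = False


class KeyStore:
    """In-memory stand-in for an exchange's key table (assumption)."""

    def __init__(self) -> None:
        self._records: Dict[str, KeyRecord] = {}

    def issue(self, scopes: Iterable[str], ttl_seconds: float,
              now: Optional[float] = None) -> Tuple[str, str]:
        """Mint a key granting exactly `scopes` for `ttl_seconds`.

        Returns (key_id, presented_key). The presented form 'id.secret' is
        shown to the caller once; the store keeps only the digest.
        """
        now = time.time() if now is None else now
        key_id = secrets.token_hex(8)
        secret = secrets.token_urlsafe(32)
        self._records[key_id] = KeyRecord(
            secret_hash=_hash_secret(secret),
            scopes=frozenset(scopes),
            expires_at=now + ttl_seconds,
        )
        return key_id, f"{key_id}.{secret}"

    def revoke(self, key_id: str) -> None:
        """Revocation is immediate; expiry is the backstop if nobody notices."""
        if key_id in self._records:
            self._records[key_id].revoked = True

    def authorize(self, presented: str, required_scope: str,
                  now: Optional[float] = None) -> Tuple[bool, str]:
        """Check a presented key against one required scope.

        Every failure path returns a reason; callers should log it, since a
        burst of 'scope not granted' or 'bad secret' results is the kind of
        signal a stolen or replayed key produces.
        """
        now = time.time() if now is None else now
        key_id, _, secret = presented.partition(".")
        rec = self._records.get(key_id)
        if rec is None:
            return False, "unknown key id"
        # Constant-time compare of digests so timing does not leak the hash.
        if not hmac.compare_digest(rec.secret_hash, _hash_secret(secret)):
            return False, "bad secret"
        if rec.revoked:
            return False, "revoked"
        if now >= rec.expires_at:
            return False, "expired"
        if required_scope not in rec.scopes:
            return False, f"scope {required_scope!r} not granted"
        return True, "ok"


if __name__ == "__main__":
    store = KeyStore()
    t0 = 1_000_000.0
    # A kiosk that only needs to quote prices gets a read-only, 10-minute key.
    key_id, key = store.issue({"rates:read"}, ttl_seconds=600, now=t0)
    print(store.authorize(key, "rates:read", now=t0 + 60))       # (True, 'ok')
    print(store.authorize(key, "wallet:withdraw", now=t0 + 60))  # denied: scope
    print(store.authorize(key, "rates:read", now=t0 + 601))      # denied: expired
    store.revoke(key_id)
    print(store.authorize(key, "rates:read", now=t0 + 60))       # denied: revoked
```

The point of the separate `scopes` set is that a key taken from a price-quoting kiosk should be useless for withdrawals; the point of `expires_at` is that a key taken today should be useless next week even if the theft is never detected.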

Crypto weaknesses emerge in new and untested technologies

Whether it is decentralized finance or bitcoin ATMs, the biggest vulnerabilities in the crypto space seem to be emerging in relatively new technologies that have not yet been proven stable. Platforms and services often learn their lessons by suffering thefts of multiple millions of dollars.

In this case, the lesson General Bytes seems to be taking is that bitcoin ATMs cannot be properly secured via cloud services. It has since issued a statement saying that it is shuttering this option, requiring ATM owners going forward to set up standalone management to connect their kiosks to the internet. The company says that it will provide technical support to ATM owners who will need to migrate their servers, including setting up firewalls and VPNs.

This is also not the first serious security incident in recent history for General Bytes, or the first to involve bitcoin ATMs being exploited by a zero-day. In August 2022 an attacker compromised the company’s Crypto Application Server (CAS) and created an admin account that in turn routed transactions at two-way ATMs to their own wallet.

Manufactured in Prague, the General Bytes bitcoin ATMs support over 60 types of crypto. One feature that they do not have, and that is not yet supported by the industry at large, is the ability to interface with more secure “cold” wallets. The closest compromise is the use of a “paper wallet,” supported by some ATM types, which allows users to generate a QR code from their own wallet which can then be scanned at an ATM. Paper wallets create their own security hazard, however, as private keys are generally printed on one side.

This particular incident seems as if it would have been readily avoided by having a system in place to ensure that uploads through the video system were in fact videos before being accepted; crypto consumers are likely left wondering if other bitcoin ATM brands also have this sort of “feature” hidden in them. It also raises questions about the overall value of these machines, given that they generally cost the user anywhere from 7% to a whopping 20% in transaction fees.
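What “ensure that uploads were in fact videos” looks like in practice is a check on the file's own bytes rather than on the filename or the client-supplied Content-Type, both of which an attacker controls. The following is an added example written for this article; it is not General Bytes code and does not reflect how the CAS upload handler is actually built. The container signatures are the public magic bytes for MP4/MOV (`ftyp` at offset 4), WebM/Matroska (the EBML header) and AVI (`RIFF`…`AVI `); the 200 MB size limit, the extension table and the sample blobs are constructed for the demonstration.

```python
"""Content-based validation of a 'video upload' endpoint.

Added example for this article; it is not General Bytes code and does not
reflect how their CAS upload handler works. It demonstrates the check the
article says was missing: accept a file only if its bytes are actually a
video container, regardless of the filename or declared MIME type.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

# Magic-byte signatures (offset, expected bytes) for common video containers.
VIDEO_SIGNATURES = {
    "mp4":  [(4, b"ftyp")],                 # ISO BMFF: MP4 / MOV / M4V
    "webm": [(0, b"\x1a\x45\xdf\xa3")],     # EBML header: WebM / Matroska
    "avi":  [(0, b"RIFF"), (8, b"AVI ")],   # RIFF-wrapped AVI
}

# Filename extensions consistent with each detected container (assumed policy).
EXTENSIONS_FOR = {
    "mp4": {"mp4", "mov", "m4v"},
    "webm": {"webm", "mkv"},
    "avi": {"avi"},
}

MAX_UPLOAD_BYTES = 200 * 1024 * 1024  # assumed size limit for this example


@dataclass
class Verdict:
    accepted: bool
    reason: str
    detected: Optional[str] = None


def detect_container(data: bytes) -> Optional[str]:
    """Return the container whose signature matches the leading bytes, or None."""
    for name, checks in VIDEO_SIGNATURES.items():
        if all(data[off:off + len(sig)] == sig for off, sig in checks):
            return name
    return None


def validate_video_upload(filename: str, declared_mime: str, data: bytes) -> Verdict:
    """Decide whether an uploaded blob may be stored as a video.

    The declared MIME type and the extension are attacker-controlled, so the
    decision rests on the file's own bytes; the extension is only required
    to be consistent with what was detected.
    """
    if not data:
        return Verdict(False, "empty upload")
    if len(data) > MAX_UPLOAD_BYTES:
        return Verdict(False, "upload exceeds size limit")
    if "/" in filename or "\\" in filename or "\x00" in filename:
        return Verdict(False, "filename contains path or NUL characters")

    detected = detect_container(data)
    if detected is None:
        # Scripts, HTML and other non-video payloads land here no matter
        # what Content-Type the client claimed.
        return Verdict(False, "content is not a recognised video container")

    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in EXTENSIONS_FOR[detected]:
        return Verdict(False, f"extension .{ext} does not match detected {detected}", detected)

    if not declared_mime.lower().startswith("video/"):
        # Content is verified, so this is accepted, but the mismatch is worth logging.
        return Verdict(True, f"accepted; declared MIME {declared_mime!r} was not video/*", detected)

    return Verdict(True, "accepted", detected)


# --- constructed sample uploads (not files from the incident) ---
SAMPLE_MP4 = b"\x00\x00\x00\x18ftypisom\x00\x00\x02\x00isomiso2mp41" + b"\x00" * 32
SAMPLE_WEBM = b"\x1a\x45\xdf\xa3" + b"\x9f\x42\x86\x81\x01" + b"\x00" * 32
SAMPLE_SCRIPT = b"// not a video\nconsole.log('uploaded');\n"

if __name__ == "__main__":
    for name, mime, blob in [
        ("promo.mp4", "video/mp4", SAMPLE_MP4),
        ("promo.webm", "video/webm", SAMPLE_WEBM),
        ("promo.mp4", "video/mp4", SAMPLE_SCRIPT),  # script wearing a video extension
        ("promo.mp4", "video/mp4", SAMPLE_WEBM),    # real video, wrong extension
    ]:
        v = validate_video_upload(name, mime, blob)
        print(f"{name:12} {mime:12} -> {v.accepted} ({v.reason})")
```

A signature check of this kind is the first gate, not the whole defence: the accepted file should still be stored outside any web-served or executable path, and served back with a fixed `video/*` Content-Type so that nothing the uploader chose is ever interpreted as script.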

Nick Percoco, Chief Security Officer of Kraken, notes that bitcoin ATMs are not the only option for funds access: “Incidents like this reinforce the importance of promptly addressing attack vectors. Kraken Security Labs identified several hardware, software and backend vulnerabilities in General Bytes ATMs as early as 2021. We hope those impacted are not deterred from continuing their journey in the crypto ecosystem. For those continuing to access Bitcoin via retail outlets, we recommend transacting via trusted vendors. There are trusted alternatives to ATMs worth considering, such as digital asset trading platforms, that also provide secure access points to the crypto asset class.”