According to IOActive chief technology officer (CTO) Gunter Ollman, through the vulnerabilities of Bitcoin ATMs, attackers could gain unrestricted access to steal users’ Bitcoin through the ATM.
In 2023, security researchers from IOActive attempted to take control of several ATMs made by Lamassu. While probing the machines, the research team identified several vulnerabilities, which they successfully exploited.
IOActive’s chief technology officer, Gunter Ollman, told Cointelegraph that the exploit enabled attackers to “view and manipulate interactions with the hijacked ATM.” He explained that hackers could steal Bitcoin from a user’s wallet by exploiting the ATM’s vulnerabilities. Ollman elaborated:
“A sophisticated attacker, with sufficient preparation, could modify or replace the entire user experience of the ATM and socially engineer the user into performing additional actions.”
The executive added that an attacker might be able to deceive the user by requesting their bank account information in return for free or discounted Bitcoin. At the same time, Ollman reassured the community that the effect on an individual’s account balance would be minimal.
“In the end, when an operating system compromise of a device restricts the attack surface to the user’s level of trust in the device or its manufacturer,” he explained further.
Gabriel Gonzalez, IOActive’s director of hardware security, stated that an attacker with physical access to the ATM could exploit the vulnerability to gain “complete control” of the machine.
Gonzalez further explained that the vulnerability could not only enable the theft of Bitcoin but also potentially drain the entire cash balance held in the ATM. Moreover, it could be used to trick the note reader into misreporting the amount of cash deposited, inflating the credited amount.
The executive further stated that the ATMs, mainly when left unattended in their designated locations, could have been subject to various forms of exploitation.
Despite the potentially severe consequences the ATM’s defect could have had for its users, the ATM provider had already released a security update before the vulnerability was publicly disclosed in 2024. The organization formally notified Bitcoin ATM operators, advising them to update their machines immediately.