Zero-Day Spells Doom For Bitcoin ATMs

Bitcoin ATMs have experienced an intense bout of cash drain after a zero-day bug was exploited to steal up to $1.5 million in digital currency. The ATMs, located in different convenience stores, function along the lines of normal banking ATMs except your dealings are in the crypto space.

As Ars Technica notes, a specific feature of the affected Bitcoin ATMs is the ability to upload videos. It is said that these videos are used for (maybe security cameras), but the master server interface that supports video uploads is where things went wrong.

According to General Bytes’ statement about the March 18 incident:

“The GENERAL BYTES Cloud service and other standalone servers run by operators suffered security breaches. We noticed the first signs of a break-in on Friday night, right after midnight on Saturday, 18 March (UTC+1).

We notified customers to shut down their CAS servers as soon as possible. The attacker could upload his java application remotely via the master service interface used by terminals to upload videos and run it using BATM user privileges. As a result, the attacker could send funds from hot wallets, and at least 56 Bitcoins were stolen before we could release the patch. The patch was released within 15 hours.”

To utilize the exploit, the attacker uploaded a custom-made application to the ATM application server used by the administration interface. In a nod to the evergreen security rip for users “Don’t allow things to autorun if you don’t need them to”, the application server lets applications start by default.

With that in place, the hacker managed to perform these activities:

• Ability to access the database.
• Ability to keenly read and decrypt API keys to access funds in hot wallets and exchanges.
• Send funds from the hot wallets.
• Download user names and their password hashes, and then turn off 2FA.
• Ability to access terminal event logs that can include private keys at the ATM.

56 bitcoins are now worth more than $1.5 million. It is not possible that all the stolen coins belonged to one person, but this is scant consolation for anybody affected. For now, General Bytes has said that it is collecting information on all affected users to ‘validate losses’.

It is not known whether anybody can recover their stolen funds, but losing money in any crypto scenario is a risky business since they are designed to be unable to roll back fraudulent transactions.

Notably, the affected firm has a call to any security firms and people who feel they can help in making the product safer.