Bitcoin ATM company Lamassu Industries announced that it has fixed a security vulnerability in its Bitcoin ATMs after a team of white hat hackers took full control of the devices and exposed several flaws. In 2023, security researchers from IOActive attempted to take control of several ATMs provided by Lamassu. While trying to access the machines, the research team identified several security vulnerabilities that they managed to exploit.
Company Team Responds Promptly
IOActive’s Chief Technology Officer Gunter Ollmann stated in his remarks that, by compromising the device, attackers could view and manipulate interactions with the ATM. The security expert explained that hackers could use the vulnerabilities to steal Bitcoin from the user’s wallet through the ATM. Ollmann continued with the following statements:
“A sufficiently prepared sophisticated attacker could alter the entire user experience of the ATM or replace it with another experience and direct the user to perform additional actions through social engineering.”
The executive also said that the attacker could deceive the user into entering their bank account information and entice them with offers such as free or discounted Bitcoin. However, Ollmann assured the public that the impact would be limited to the user’s account balance:
“Ultimately, when a device is taken over up to the operating system level, the scope of the attack against the user is limited only by how much trust the user has in the device or its manufacturer.”
Details on the Security Vulnerability
IOActive’s hardware security director Gabriel Gonzalez explained that the security vulnerability allowed an attacker with physical access to the ATM to gain full control. Gonzalez noted that in addition to stealing Bitcoin, the vulnerability could also lead to the emptying of all the money in the ATM. Moreover, this flaw could display a higher amount of money deposited than the actual amount.
The executive added that ATMs, especially if left unattended at their location, could be susceptible to various hacking attacks. Although the vulnerability in the ATMs had a serious impact on users, the ATM provider fixed it through a security update before the vulnerability was publicly disclosed in 2024. The company informed ATM owners and called on them to update their Bitcoin ATMs.