IOActive has conducted a comprehensive assessment of Bitcoin ATMs, specifically focusing on Lamassu’s Douro model. The security analysis uncovered a series of critical vulnerabilities (CVE-2024-0175, CVE-2024-0176, CVE-2024-0177) that, when exploited, grant attackers full control over the ATMs. In this scenario, IOActive assumed the role of an attacker with the same physical access as a regular customer, aiming to assess the machines’ security posture.
During the assessment, IOActive discovered that, immediately after booting up, there is a brief window where the user can interact with the Linux operating system’s window manager. This vulnerability allows the execution of terminal commands or other applications as a low-privilege user. Leveraging this, the researchers proceeded to perform privilege escalation by exploiting the software update mechanism. By creating a specific payload and triggering the update, IOActive achieved full control over the Bitcoin ATMs.
The ingenious exploitation continued as IOActive utilized the ATM’s QR code reading feature, executing a payload without the need for invasive physical access. The vulnerabilities pose a significant risk, as attackers can potentially compromise the integrity and security of Bitcoin ATMs, affecting both operators and users.
