Widely Used Bitcoin ATMs Have Major Security Flaws, Researchers Warn

A man using a General Bytes cryptocurrency ATM in Palma de Mallorca, Spain in August 2021.
Photo: Carlos Alvarez (Getty Images)

Many of the Bitcoin ATMs that have popped up everywhere from gas stations and smoke shops to bars and malls across the U.S. have major security vulnerabilities that render them susceptible to hackers, according to a new report by security researchers with crypto exchange Kraken.

The website howmanybitcoinatms.com estimates there are over 42,000 active Bitcoin ATMs across the U.S., a massive surge from January 2021, when Reuters reported the site listed 28,000. Such ATMs allow users to buy cryptocurrency with cash or credit (though not always the reverse) and process sensitive financial data. Unlike when dealing with regular ATMs operated by banks, the distributed nature of cryptocurrency networks and a lack of regulations mean customers are likely to have less recourse if something goes disastrously wrong. Moreover, target markets for the devices include people who keep money in cryptocurrency rather than banks and people who don’t want their transfers to attract attention, whether for legitimate purposes or otherwise. Many are also located in dicey locations like liquor stores. Thus Bitcoin ATMs have been juicy targets for malware and scams in the past.

Kraken discovered a number of software and hardware flaws with the General Bytes BATMtwo (GBBATM2) model of ATMs. Coin ATM Radar estimates the manufacturer has provided nearly 23% of all crypto ATMs worldwide; in the U.S., that percentage is 18.5%, while in Europe, it is 65.4%.

For example, owners have installed many GBBATM2 units without changing the default admin QR code that serves as a password, meaning that anyone who obtains that code could possibly take control of the machine. Other issues Kraken said it found included a lack of secure boot mechanisms, meaning a hacker could trick a GBBATM2 into running malicious code, and “critical vulnerabilities in the ATM management system.”

The QR code issue is particularly serious, Kraken’s researchers wrote, because they found that the default code is shared across units. This is a bit like buying a new computer and forgetting to change the password to something…