Lamassu Industries has patched a security vulnerability in its Bitcoin ATMs after a team of white hat hackers took full control of the devices, exposing several flaws. In 2023, security researchers from IOActive attempted to compromise several ATMs provided by Lamassu, identifying multiple security weaknesses while trying to access the machines.
IOActive’s CTO, Gunter Ollmann, revealed that attackers could view and manipulate interactions with the compromised ATM, potentially stealing Bitcoin from users’ wallets. He warned that sophisticated attackers could alter or replace the entire user experience of the ATM and use social engineering to prompt additional actions from users.
Ollmann assured the public that the impact of such attacks would be limited to the user’s account balance. He suggested that attackers could also trick users into entering banking details by offering free or discounted Bitcoin.
Gabriel Gonzalez, IOActive’s hardware security director, explained that the security flaw could allow an attacker with physical access to the ATM to gain full control, potentially leading to the theft of Bitcoin and the emptying of all cash in the machine. The flaw could also display a higher deposited amount than the actual sum.
Despite the serious potential impact on users, the ATM provider implemented a security update to fix the vulnerability before it was publicly disclosed in 2024. The company informed ATM owners and urged them to update their Bitcoin ATMs.