Owning a Bitcoin ATM
by Antonio Requena, Gabriel Gonzalez and Sergio Ruiz.
Nowadays, Bitcoin
and cryptocurrencies might look lees popular than they did just a few years
ago. However, it is still quite common to find Bitcoin ATMs in numerous
locations.
IOActive
had access to few of these machines, specifically to Lamassu’s Douro ATM (https://lamassu.is). This provided us with the opportunity to assess the security of these
devices – more specifically, to attempt to achieve full control over them.
 |
| Figure 1. Lamassu Douro Bitcoin ATM |
In this post,
we’ll explain all the steps we followed to identify a series of vulnerabilities
(CVE-2024-0175, CVE-2024-0176 and CVE-2024-0177) that allows full control over
these ATMs. For this exercise, we are assuming the role of an attacker with the
same physical access to the device that a regular customer might have.
Don’t Touch
Me
After
booting up, the screen displays the the UI for the kiosk’s primary application.
However, during boot, for a few seconds the user can interact with the Linux
operative system’s window manager, as illustrated in Figure 2.
 |
| Figure 2. Accessing Applications during boot |
During this
time, it was possible to pop up a terminal window or run any other installed
application as a low-privilege user.
Look at
the Camera!
In order to
obtain full control over the device, the next step was to perform a privilege
escalation. To achieve this, we exploited the software update mechanism by
creating a file named /tmp/extract/package/updatescript.js with the following payload:
cp =
require(“child_process”)
cp.exec(“cp /bin/sh
/tmp/shuid; chmod +sx /tmp/shuid”)
Next, we
created a file named done.txt in the /tmp/extract folder. This would trigger the watchdog process, which runs as root in
the reviewed machines, to execute the JavaScript payload.
How did we
create these files? Well, that’s an interesting question, as although we gained
access to the graphical interface and the terminal, there was no keyboard
plugged in. While we did have physical access to the devices, so that opening
them and plugging in a keyboard would be too easy, the goal was to gain control
without invasive physical access, therefore we explored a different approach.
The ATM
supports a feature that enables it to read QR codes, and the binary located at /usr/bin/zbarcam could be executed using the touch
controls, so we only had to use a custom QR code containing our payload. Once
the payload was read, a root shell was popped.
The
following video illustrates the paths we followed to exploit the vulnerability.
gained root access, we could reasonably think that the job was done. However,
we looked to the /etc/shadow file, where we were able to crack the root password in less than one
minute – and the same password was valid for all of the devices.
Timeline
followed responsible disclosure procedures which included the following:
- 11th July 2023 – Initial contact to report the vulnerabilities.
- 9th October 2023 – The vendor confirmed the issues
were fixed. - 25th October 2023 – The vendor asked us to delay publishing
details about the vulnerabilities. - 22nd November 2023 – The vendor contacted us and published
an advisory mentioning the issues were fixed. - 18th January 2024 – CVEs have been published by the
corresponding CNA.
security bulletin was released by Lamassu regarding their remediation of the
security issues found by IOActive: