January 23, 2024 at 01:48PM
Three vulnerabilities in Lamassu Douro bitcoin ATMs allowed attackers with physical access to take over and steal user assets, as reported by IOActive. The vulnerabilities, tracked as CVE-2024-0175, CVE-2024-0176, and CVE-2024-0177, enabled attackers to execute an attack with the same level of access as regular customers. Lamassu fixed the bugs in October 2023.
Based on the meeting notes, the following are the key takeaways:
– Three vulnerabilities in the Lamassu Douro bitcoin ATMs were reported by cybersecurity firm IOActive, allowing an attacker with physical access to take over devices and steal user assets.
– The identified security defects are tracked as CVE-2024-0175, CVE-2024-0176, and CVE-2024-0177, enabling an attacker to execute an attack using the same level of physical access that a regular customer would have.
– The first issue is related to access to the underlying operating system’s window manager during boot, enabling a user to run installed applications or launch a terminal window within a short interaction window.
– IOActive’s researchers exploited the ATM’s support for reading QR codes to craft a malicious code containing their payload, allowing them to execute a root shell by inputting commands, leading to a potential machine takeover.
– The vulnerabilities also included a weakness in the ATM’s software update mechanism, which could allow an attacker to supply a malicious file and trigger legitimate processes for code execution, as well as the use of a weak root password that was common across all devices.
– IOActive’s CTO highlighted that an attacker gaining control of a vulnerable ATM could manipulate and steal from the user’s account or wallet, potentially even socially engineering the user into performing additional actions such as entering online banking details.
– Lamassu was made aware of the vulnerabilities in July 2023 and subsequently fixed the bugs in October by implementing security measures such as hardening permissions for the update process, implementing a stronger passphrase for the root account, and preventing users from accessing the desktop environment during OS start.
These takeaways provide an overview of the critical vulnerabilities discovered by IOActive and the actions taken by Lamassu to address them. If you need further analysis or additional information, feel free to ask.