Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 


Forgot your password?
Close
typodupeerror
×
Security Bitcoin The Almighty Buck

Hackers Drain Bitcoin ATMs of $1.5 Million By Exploiting 0-Day Bug (arstechnica.com) 112

Posted by BeauHD from the going-going-gone dept.
turp182 shares a report from Ars Technica: Hackers drained millions of dollars in digital coins from cryptocurrency ATMs by exploiting a zero-day vulnerability, leaving customers on the hook for losses that can't be reversed, the kiosk manufacturer has revealed. The heist targeted ATMs sold by General Bytes, a company with multiple locations throughout the world. These BATMs, short for bitcoin ATMs, can be set up in convenience stores and other businesses to allow people to exchange bitcoin for other currencies and vice versa. Customers connect the BATMs to a crypto application server (CAS) that they can manage or, until now, that General Bytes could manage for them. For reasons that aren't entirely clear, the BATMs offer an option that allows customers to upload videos from the terminal to the CAS using a mechanism known as the master server interface.

Over the weekend, General Bytes revealed that more than $1.5 million worth of bitcoin had been drained from CASes operated by the company and by customers. To pull off the heist, an unknown threat actor exploited a previously unknown vulnerability that allowed it to use this interface to upload and execute a malicious Java application. The actor then drained various hot wallets of about 56 BTC, worth roughly $1.5 million. General Bytes patched the vulnerability 15 hours after learning of it, but due to the way cryptocurrencies work, the losses were unrecoverable. [...] Once the malicious application executed on a server, the threat actor was able to (1) access the database, (2) read and decrypt encoded API keys needed to access funds in hot wallets and exchanges, (3) transfer funds from hot wallets to a wallet controlled by the threat actor, (4) download user names and password hashes and turn off 2FA, and (5) access terminal event logs and scan for instances where customers scanned private keys at the ATM. The sensitive data in step 5 had been logged by older versions of ATM software.

Going forward, this weekend's post said, General Bytes will no longer manage CASes on behalf of customers. That means terminal holders will have to manage the servers themselves. The company is also in the process of collecting data from customers to validate all losses related to the hack, performing an internal investigation, and cooperating with authorities in an attempt to identify the threat actor. General Bytes said the company has received "multiple security audits since 2021," and that none of them detected the vulnerability exploited. The company is now in the process of seeking further help in securing its BATMs.
This discussion has been archived. No new comments can be posted.

Hackers Drain Bitcoin ATMs of $1.5 Million By Exploiting 0-Day Bug More

Hackers Drain Bitcoin ATMs of $1.5 Million By Exploiting 0-Day Bug

Comments Filter:

  • What is the legitimate use case? (Score:5, Interesting)

    by Powercntrl ( 458442 ) on Wednesday March 22, 2023 @11:02PM (#63392487) Homepage

    I've seen a Bitcoin ATM at what remains of my local mall. There are no shops in the mall that accept cryptocurrency. What motivates someone to get a wild hair up their butt and immediately decide they need some Bitcoin while they're out sifting through the ruins of the retail apocalypse?

    If you really want to gamble in crypto you can easily do so from Coinbase or various other online exchanges on your smartphone. I'd really like to see the Venn diagram of folks who want to deal with crypto, don't own a smartphone, and have enough disposable income to dump into magic internet money without it ending in an eviction notice.

    • Re: What is the legitimate use case? (Score:5, Interesting)

      by NateFromMich ( 6359610 ) on Wednesday March 22, 2023 @11:33PM (#63392509)
      The whole point of these is not leaving a public trail of your ownership of Bitcoin. Coinbase is regulated exactly like a bank and wants a copy of your ID to setup an account.

    • Re: (Score:2)

      by Shaitan ( 22585 )

      Financial privacy. There are any number of reasons people might not want their normal purchases tracked and logged, these don't allow for large purchases that could be useful for any meaningful money laundering but they do allow someone to get small amounts and squirrel it away.

      Why would you want this? Privacy shouldn't really require justification but rather should be the default but some use cases include saving up to make your escape from an abusive spouse and the various paid under the table reasons. So

      • Paying cash or anonymously is also useful when you buy physical gold, jewelry or other expensive items. If a high end jeweler or gold merchant keeps a record of the sale, that database will make a very nice shopping list for burglars.

        Some gold merchants here specifically offer the option for cash transactions, where they will only verify your ID and leave a bare minimum handwritten record of the transaction (which they are legally required to do).

        • Re: (Score:2, Interesting)

          by Shaitan ( 22585 )

          Yes and speaking of gold. Another reason you might want to accumulate things like gold, jewelry and cryptocurrency is to have a backup fund in case of financial system crash, the government collapsing into tyranny/communism, a natural disaster crashing payment systems, etc.

          Some might find that paranoid but I doubt they are living in Ukraine right now and these things have happened in many places before and will certainly happen again.

          • Re:What is the legitimate use case? (Score:5, Interesting)

            by Jarik C-Bol ( 894741 ) on Thursday March 23, 2023 @07:34AM (#63392931)
            In this fantastic total collapse of society you envision, what makes you think the electric grid and communications network that crypto *absolutely depends on* would miraculously survive? The same disasters that obliterate ‘payment systems’ will destroy the infrastructure crypto relies on. Government collapsing generally takes services like electricity with it, and financial system collapse sees power and network companies go out of business along with everyone else.

            Crypto is an absolute joke as a ‘backup against disaster’.

            • Re: (Score:2)

              by Shaitan ( 22585 )

              "In this fantastic total collapse of society you envision"

              I don't think any of the scenarios I mentioned is a 'fantastic total collapse of society.' Unless the fall of Russia to communists, germany to socialists, the great depression, any number of warzones including Ukraine represent 'fantastic' rather than current and historical real world events in your mind. Greece faced a financial system collapse and turned to crypto not that far back.

              "The same disasters that obliterate ‘payment systems’ w

              • So you'll have preserved nothing by turning into something, survived a destruction cycle, and then successfully turned that something back into the nothing it originally was?

                I doubt the guy in the desert guarding his fuel supplies with some machine guns will take bitcoin.

                • Re: (Score:2)

                  by Shaitan ( 22585 )

                  "I doubt the guy in the desert guarding his fuel supplies with some machine guns will take bitcoin."

                  Maybe... maybe not. Bitcoin is already being used in many of these unstable places. When there is no authority or there are multiple powerful and conflicting parties each claiming they are the authority you still need currency. If say the global banking system falls like a series of dominos, none of the technical infrastructure collapses... just the banks. Do you know what will still work? Bitcoin. Bitcoin cu

                  • "Bitcoin currently represents about 1.5% of the total value of ALL CURRENCY globally. "

                    Does that mean anything? What percentage of all trade involving currency is conducted in bitcoin? That would be a useful question. If it's a currency, let's measure it's effectiveness as a currency.

              • And with your "local mesh network running off a few generators, a handful of miners and a few cell phones" how do you expect to actually USE your bitcoin?

                Go ahead and try it, and see where that lands you when nobody else has a working phone or network.

              • "Crypto does need infrastructure but not as much as you seem to imagine. All you need is a local mesh network running off a few generators, a handful of miners and a few cell phones and you've got Bitcoin up and running. A little bit of packet radio and you can even keep it all in sync with the global blockchain."

                And where do you think you are going to get the repair parts for all those things? Ok, you can run self sustained for a few months, then what?

                • Re: (Score:2)

                  by Shaitan ( 22585 )

                  "And where do you think you are going to get the repair parts for all those things?"

                  That answer is going to depend on what scenario we are actually in. The answer differs between 'run on the banks' and zombie apocalypse. ;)

                  "Ok, you can run self sustained for a few months"

                  I imagine quite a bit longer than that even if we are imagining some sort of global scenario. Solar cells will keep on chugging for at least another 20 years or so and so will ham radios. Phones don't need to last so long, the zombies won't

          • You won't need gold in that case.

            You will need a canteen, a comfortable backpack, comfortable hiking boots, whether appropriate clothing, a rifle, a pistol, ammo for both, friends you can trust with your life, and a dog.

            Gold won't do you a damn bit of good if civilization collapses.

            • Re: (Score:2)

              by Shaitan ( 22585 )

              I disagree. There are many kinds of collapse and gold/jewels served many people well when it came time to flee Russia and Nazi Germany.

              I lived in Miami through a number of hurricanes, those events shut down infrastructure including credit cards, atms and banks. It took weeks to get power restored. Cash and objects of obvious innate value mattered quite a bit for getting food. There were restaurants which had diesel generators and could keep their food cold. Those places were still operating if you could fin

              • But it's far easier to fake gold for the purpose of quickly pulling one over in a neophyte.

                • Re: (Score:2)

                  by Shaitan ( 22585 )

                  I wouldn't say it is easy to fake gold or dollars but both are fairly doable with today's technology. I have a half-dozen 1OZ gold mint bars in sealed packaging with ID's that will verify and that will pass a magnet and weight check on the shelf next to me. As for dollars I've heard something like 60% of it is fake outside the US.

                  • Oh, well if you've "heard" it, it absolutely must be true.

                    Meanwhile, those of us that actually travel outside the US know that's total horseshit, even in 3rd world poor countries where the unofficial currency is the US Dollar.

                    • Re: (Score:2)

                      by Shaitan ( 22585 )

                      Oh and how exactly is it that you 'know' it's total horseshit? Are you a bank and able to authenticate the currency?

                      Just working as a cashier in Miami for a few months was enough for me to see dozens of bills make it through real Americans who handle cash all day and are familiar with the published security features, every week there were bills being rejected by the bank. Many were older 20's but plenty of bills had newer features like UV ink and strips. Sometimes the fakes were real bills that had been was

            • Re: (Score:2)

              by laxguy ( 1179231 )

              weather*

          • Yeah, because gold will be worth more than bullets in a total collapse of society, right? And nobody with bullets would ever take your shit in that same scenario, right?

            These fantastical doomsday scenarios to justify buying not-particularly-rare shiny metal are laughably stupid.

          • If a government collapses that low, there will be no system in place to verify that a gold coin is actually real. At the lowest levels, the only real currencies are something that have a function to themselves. Ammo comes to mind, as factory ammo can, for most intents and purposes, can be considered fungible.

            Cryptocurrency would be inaccessible. If there isn't power available, how will people throw and verify Blockchain transactions? Jewelry can be of varying purities, and oftentimes, one might be getti

        • If a high end jeweler or gold merchant keeps a record of the sale, that database will make a very nice shopping list for burglars.

          Merchants don't get name or address data with card-present sales.

          All bets are off for card-not-present since they often want billing details with the card number as a form of MFA. So don't hit the "add to cart" button on a $50k diamond ring and you're fine.

      • Financial privacy. There are any number of reasons people might not want their normal purchases tracked and logged

        You know how many CCTV cameras are in Shopping Malls, right?

        (And that's assuming there isn't one built into the "ATM")

      • Yes, I can see how the typical bartered wife is using bitcoin at a public atm in the mall to save up to leave her abusive husband.

        That's obviously the common use case for bitcoin. Not hard core criminal activity.

        • Re: (Score:2)

          by Shaitan ( 22585 )

          Yes, it is. Do you like novels or something and need to imagine some common place hard core criminal activity using Bitcoin? The only popularized criminal activity I'm aware of has been decided softcore like people buying their weed online, escorts, cybercrime type stuff. Not that anything would stop hard core criminal activity using crypto as money... it is money, so you can use it to pay for all the things you can pay for.

    • Go to mall
      Buy Bitcoin from ATM for cash*
      Order illicit substance online
      Pay with Bitcoin
      Get illicit substance in mail

      * if ATM does not accept cash, purchase prepaid card from convenience store for cash

    • I had the same thought when I saw a bitcoin ATM at a local grocery store.

      "Hmm, what's on my shopping list? Tomatoes, green onions, eggs,, bread oh and bitcoin."

  • I've done audits and they are often worthless (Score:5, Interesting)

    by FeelGood314 ( 2516288 ) on Wednesday March 22, 2023 @11:17PM (#63392497)
    Most companies do audits only to show that they are secure. Of all the audits I've ever done only a stuff toy company actually cared that they were secure. Every other company only cared that they had a piece of paper saying they met some standard or that they were doing "best industry practices". In fact when I went beyond the minimal scope and found issues it was generally detrimental to me or my employer.

    It is depressing how bad security is in general. If you want to see if your company doesn't care about security check their password policies, if they want a capital, a number and a symbol then they don't care. If they hire the lowest cost auditor they don't care. If their idea of a security audit is to pay someone who knows nothing of their system one or two hundred thousand to hack at the system to see if they can compromise it, they don't care. If their internal security assurance is to have a team search for vulnerabilities, patch the ones that are found and then declare it secure, they are both clueless and don't care.

    For the record the only company I audited, where I went out of scope, found a flaw and was thanked for it was Schlumberger.

    • Re: I've done audits and they are often worthless (Score:5, Insightful)

      by Kelxin ( 3417093 ) on Thursday March 23, 2023 @12:38AM (#63392547)
      The only way companies will start to care is when insurance companies won't cover hacking / viruses / employee electronic neglect. For now, the insurance is cheaper than the prevention. This needs to change.
      • Nothing in TFS indicates who is going to be liable for these losses. Is it the end-users of the ATMs? Is it the gas stations/convenience stores that have them installed. Is it the ATM company (whose abysmal security lead to this). If these were real ATMs there are procedures to deal with fraud. But it seems that, in this case, if you used one of those machines years ago you are now a victim without recourse. Despite what you say, many/most companies don't have losses from security lapses completely in

        • Nothing in TFS indicates who is going to be liable for these losses. Is it the end-users of the ATMs? Is it the gas stations/convenience stores that have them installed. Is it the ATM company (whose abysmal security lead to this).

          I read the article a few days ago.... it says that the operators/leasees of the ATMs are stuck with the losses -it was their property that was stolen. Individual users were not affected. No word on whether insurance will cover the losses. Expect lawsuits against the manufactures/leasers of the machines on the basis of it being their security failure which allowed the theft.

    • Re:I've done audits and they are often worthless (Score:4, Insightful)

      by Comrade Ogilvy ( 1719488 ) on Thursday March 23, 2023 @12:58AM (#63392561)

      Caring can only really happen at the C-suite level, because getting security right can only be accomplished as part of a coherent company strategy. The executives will happily spend a couple hundred K on consultants so they can pretend to be competent in front of the board, but pity the director who dares care and slows his projects down for the sake of security.

    • So what does good look like it fixing vulnerabilities and regularly engaging pen testers isnâ(TM)t enough?

      • How to do a good audit (Score:4, Interesting)

        by FeelGood314 ( 2516288 ) on Thursday March 23, 2023 @09:34AM (#63393145)
        A good audit starts with a proper definition of what you are auditing, device under test (DUT)
        What is it that your DUT has that needs protecting - Does it control a hydro dam or light bulb? Does it monitor and report values that some other entity relies on? Does it grant access to something or contain secrets?
        What is the cost of loss of the things being protected?
        Who are the possible adversaries?
        What are the adversaries' levels of motivation?
        What are the adversaries' tools, attack windows and time lines?

        Make a list of possible attacks. Keep it simple, general but it has to be exhaustive.

        Next make a list of your mitigations against the attacks. Every attack must be mitigated and there can be no mitigations that do not map back to an attack.

        Prove that the mitigations really do work.

        Lastly, validate that the mitigations are correctly implemented.

        Most companies only do the last step and because they never thought out their mitigations proving that they work is impossible so all they do is randomly hack at them. However, far worse is the fact that even if most companies mitigations are implemented correctly the fact that they likely aren't mitigating all the possible attacks leaves them vulnerable.

        If you are interested in getting a valuable audit done, I would suggest doing it yourself and follow the Common Criteria formal model.
        • Basically - threat model, only implement mitigations relevant to attack, actually test mitigations for effectivness, and then make sure they're implemented. Simple enough. Thanks!

    • Re: (Score:2)

      by Shaitan ( 22585 )

      You've essentially just declared any company that does vulnerability scanning/patching, pen testing and has password complexity policies doesn't care about security. That is an interesting declaration since in my experience those are minimal security measures which aren't precluded by taking additional security measures.

      Is this just your way of declaring nobody cares?

      • Re: (Score:3)

        by HiThere ( 15173 )

        While your point is valid, I read is statement as saying that if that was the entire (or nearly so) of the security policy they didn't care. And I think that's correct.

        • Re: (Score:2)

          by Shaitan ( 22585 )

          If we interpret it that way (and you may well be right) then I would still disagree. That can still represent an organization being run by someone who is trying to do all the things you are supposed to do if you care.

          We aren't talking about security experts here, we are talking about executives who are following the advice they are getting from experts. And I think we should be realistic, security isn't generally a companies business but rather a very expensive overhead item and it only becomes apparent how

      • Well, at least when it comes to password security, complexity requirements are a distraction. All you need is long pass-phrases. Requiring weird characters undermines pass-phrases to an extent just by making it harder to develop good, memorable pass-phrases. At best, it likely leads to an initial capital, a terminating period, and a number in the middle. For similarly long pass-phrases, those rules remove entropy. At worst, you end up with password length limits like 10-15 characters (I've actually seen thi

        • > Well, at least when it comes to password security, complexity requirements are a distraction.

          Thank you for saying it. People have no idea how hard that simple truth is to explain to executives and even security teams.

          I'd go one step further and say that passwords really have little to no role in security. They really aren't a very good model, and asymmetric-public-key physical security token with an attempt-limited local pin is far better (especially native entered high entropy phrase driven kinds).

          95%

        • Well, at least you will die, and no one will have to ever look at your stupid fucking face again.

  • This behavior is by design. (Score:5, Insightful)

    by xQx ( 5744 ) on Thursday March 23, 2023 @12:12AM (#63392531)

    Let's be clear here, when General Bytes refers to "their customers" they mean the ATM owners, not the people who used the ATM.

    But the whole point of crypto is that you are your own bank. If you've gone into business running a network of unregulated ATM's using a new technology that allows you to be a bank, you probably should study the internal workings of traditional banks so you can protect your assets the same way a real bank does.

    Clearly there's a moral hazard at play here - General Bytes didn't have their money on the line, only their reputation. They weren't doing security audits to find security holes, they were doing security audits so when this came to pass (as it did) they could say to their ATM Operators who lost everything "we did what we could". The reality is they could've done more, and they probably would've if they hadn't transferred the risk of economic loss from them to their customers.

    This point is driven home by their decision to revoke management of customer ATM's. An honest company would force all ATM's to be managed by them, backed by an insurance agreement that their management means responsibility for the security of funds under their management - and they'd employ a security team to keep those assets secure. Them saying "We're revoking our management product" is most likely because their lawyers said their 'all care, no responsibility' management offering actually makes them legally responsible is a very clear display that their product is inherently insecure.

    And if the vendor isn't willing to take the risk, no properly educated and informed customer ever would.

    Looking at the amount of work that was involved to liberate this company (or their "customers" who were clearly running these ATM's to make a profit), $1.5 million should be the finders fee; not the criminal takings. They'd have to be disappointed with that risk-adjusted return on investment. .... But the irreversibility of this transfer of wealth from people who did a poor job of securing their asset to those who did an excellent job of 'liberating' that asset, is a feature of cryptocurrency, not a bug.

    • Them saying "We're revoking our management product" is most likely because their lawyers said their 'all care, no responsibility' management offering actually makes them legally responsible is a very clear display that their product is inherently insecure.

      And if the vendor isn't willing to take the risk, no properly educated and informed customer ever would.

      This tells me that the company is done. They don't want to take the risk that their product creates, and no customer would have the capability to take on that risk.

    • Any company that isn't willing to host their own software doesn't have very good software and doesn't want to. When Microsoft started hosting Exchange it was a disaster. Just as bad as self-hosted Exchange servers. Now Office365 is reliable. General Bytes has gone the opposite direction because they know the software isn't any good and they have no inclination to fix it.

  • but I'm all laughed out.

  • Trust a secure authority. OOPS!
    Be your own bank. OOPS!
    Scam stupid people. OOPS!

  • Were they audited according to PCI-DSS? Is this the case of "we followed all applicable security standards exactly as written with no exceptions, but still got hacked" or more like "we skimped on security and got hacked"?

    • Re: (Score:2)

      by Shaitan ( 22585 )

      They take cards so they had to be. It isn't an optional thing.

      But let's be honest. PCI is a joke... it is a great deal of effort but at the end of the day any violation, gap, or inconsistency with standards just requires a justification write-up. Most of the measures which are there do much to make operations cumbersome and little to secure systems.

  • Good luck trading your bitcoin for 27K real dollars...

  • Ahahahahahahahahahahahahahahaha—

    inhales

    ... hahahahahahahahahahahahahahaha.

  • Mind boggling, how could they pass any audit if their ATM can disable 2FA on customer account?
  • According to QA, they were told it's a 0-day feature.

  • Security failures (Score:4, Insightful)

    by NotEmmanuelGoldstein ( 6423622 ) on Thursday March 23, 2023 @04:35AM (#63392687)
    Let's review what the software allowed:
    • to upload videos, presumably allowing a bank to use the interface as a file server
    • to execute a malicious Java application, likely meaning uploaded files have execute permissions
    • to turn off 2FA, presumably without a password check
    • to log private keys, so this error was corrected but old log files weren't sanitized or deleted

    This software passed a security audit? There's always stories of auditors turning a blind eye to gross violations of the rules: Nowadays, it seems to be an entire industry.

    • Audits. They audit as per customer requirements.

      My last company seriously wanted to be secure. We did everything possible with multiple security companies 4x a year to find and fix everything. Even so a major potential customer still found a trivial hole in the most recent version which had been fully audited and tested.

      Embarrassing as all Hell but they still signed up because of how we responded. I did make excuses or bullshit them. I acknowledged, got CTO involved, he pulled the right engineering tea

    • to upload videos, presumably allowing a bank to use the interface as a file server

      But whatever for? Do developers look at a server, wonder why certsin ports are open and figure, "What the hell. Might as well let everyone and their dog run around loose on our production server."

    • Audits operate by examining the intended use of the software. They (generally) do almost nothing to examine an unintended use, like one exposed by a 0-day flaw.

      Audits are a bare minimum. Like requiring a passenger ship to have enough life preservers for everyone on board. It does nothing to avoid capsizing and it does nothing to avoid shark attacks while you're in the water.

  • It has been 0 days since the last cypto fuckup.

  • To pull off the heist, an unknown threat actor exploited a previously unknown vulnerability that allowed it to use this interface to upload and execute a malicious Java application.

    Log4Shell strikes again on another vendor that couldn't be bothered to update their software.

  • From the start of Crypto / Bitcoin, it was highly touted as being secure, better than the banking system, credit cards, etc. Time again and again busted, hacked, not safe.... lololol

    • Re: (Score:2)

      by Shaitan ( 22585 )

      Some stooges atms were hacked not Bitcoin. Bitcoin remains the most valuable target on the planet and nobody has hacked it. The only known exploit is the intentional 51% rule which was a design choice.

      • It doesn't matter if the underlying block chain technology is secure when everything built on it is crap and bitcoin itself is crap, too.

        • Re: (Score:2)

          by Shaitan ( 22585 )

          That is a bit like saying it doesn't matter if the AR-15 is reliable if all the people using are bitches. While technically true it still isn't a slam against the AR-15... no matter how much you obviously wish it was.

          The block chain is just one component of Bitcoin and Bitcoin has no known vulnerabilities to date. I don't know of any comparably desirable target that is a fully open design and implementation on the internet which can make that claim unless it is shiny and new. Bitcoin has been standing in pu

      • Re: (Score:2)

        by laxguy ( 1179231 )

        Bitcoin remains the most valuable target on the plane

        hahahahahahahahahahahahaha

        • Re: (Score:2)

          by Pascoea ( 968200 )
          I think THE most valuable target is a bit of a stretch, but the sentiment is accurate. What else of high value (you can't argue that it's not high value.) can you remotely steal from incompetent companies with relative legal impunity?
      • Bottom line is Bitcoin is gone !!!!

    • If I keep $1000USD in physical money in a box with a lid that can be pried open by a toddler, and it gets stolen, I don't claim the money was insecure. It's sort of pendatic, but not really. It's mostly what has grown up around the coins that is insecure.

      Don't get me wrong... I think crypto is just fucking stupid from one end to the other... but you may be misplacing your complaint.

  • losses that can't be reversed is code for you're going to have to sue us on the grounds of incompetence, and if you get there first you might get something.

  • Seems people continue to learn the hard way that there are severe downsides to unregulated banking.

    Obligatory TextsFromSuperheroes:

    https://textsfromsuperheroes.c... [textsfromsuperheroes.com]

Slashdot Top Deals

Don't tell me how hard you work. Tell me how much you get done. -- James J. Ling

Close