Lamassu Douro Crypto ATM Vulnerabilities Could Lead to Theft

Security analysts at IOActive have discovered three vulnerabilities in Lamassu Douro cryptocurrency ATMs. These issues allow an attacker with physical access to the device to gain full control over the ATM and steal users’ funds. The vulnerabilities have been assigned the identifiers CVE-2024-0175, CVE-2024-0176, and CVE-2024-0177. Researchers emphasize that an attack can be carried out with the same level of physical access as a regular customer.

Details of the Vulnerabilities

The first issue, as explained by IOActive, is that during boot-up, the machine allows users to interact with the base operating system’s window manager. Although this interaction window lasts only a few seconds, it is enough for a user to launch installed applications or open a terminal window.

To exploit this low-level access, an attacker would typically need to enter commands, which is usually impossible without connecting a keyboard. However, Lamassu Douro devices support QR code scanning, and researchers took advantage of this by creating a malicious payload encoded in a QR code. Once the QR code was scanned, the payload granted root shell access, as demonstrated in their video.

The attack also leverages a vulnerability in the ATM’s software update mechanism, which allows a malicious file to be provided to the device and executed using legitimate processes.

Additionally, IOActive specialists found that the crypto ATMs used a weak root password, which they were able to crack in under a minute. Worse still, this password was the same across all machines.

Potential Impact

These combined issues allow an attacker to steal users’ funds. According to the experts:

“Since an attacker can view and manipulate any operation on a compromised ATM, they can interactively steal money from users’ accounts or wallets, though the theft is limited to the user’s account balance. A more skilled attacker could change or completely replace all ATM settings, and use social engineering to trick users into taking additional actions (for example, persuading them to reveal online banking details by promising a reward in the form of free cryptocurrency for transferring funds to a specific wallet). Ultimately, if the device can be compromised at the OS level, the scale of the attack is limited only by how much the user trusts the device and its manufacturer.”

Vendor Response

Researchers notified Lamassu engineers about all three vulnerabilities back in July 2023. The manufacturer fixed the issues in October by tightening permissions required for device updates, using a stronger root account passphrase, and preventing users from accessing the desktop environment during OS startup.
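The two design points behind the vendor's fixes, treating whatever the scanner returns strictly as data and refusing to run an update that has not been authenticated, can be shown in a few lines. The following is an added illustration, not code from IOActive or Lamassu, and it makes assumptions: the wallet-address pattern is an illustrative stand-in for whatever format an ATM actually expects, and an HMAC over the update image with a device-provisioned key stands in for the vendor's real signing scheme (a production design would verify a public-key signature so the device holds no secret capable of producing a valid tag). The sample inputs are constructed.

```python
import hashlib
import hmac
import re
from typing import Optional

# Assumed expected-format rule for scanned input: a Base58-style address
# (leading 1 or 3, 26-35 characters). Illustrative only, not Lamassu's rule.
WALLET_ADDRESS = re.compile(r"[13][1-9A-HJ-NP-Za-km-z]{25,34}")

MAX_SCAN_BYTES = 128


def parse_scanned_payload(raw: bytes) -> Optional[str]:
    """Accept scanner output only as a well-formed address string.

    Everything else (oversized input, non-ASCII bytes, control characters
    such as newlines, punctuation that could be meaningful to a shell or
    window manager) is rejected so it never reaches another component.
    """
    if len(raw) > MAX_SCAN_BYTES:
        return None
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return None
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in text):
        return None
    if WALLET_ADDRESS.fullmatch(text) is None:
        return None
    return text


# Constructed demo key; stands in for a vendor signing key, not a real secret.
UPDATE_KEY = b"constructed-demo-update-key"


def sign_update(package: bytes, key: bytes = UPDATE_KEY) -> bytes:
    """Produce the authenticity tag the updater expects (vendor side)."""
    return hmac.new(key, package, hashlib.sha256).digest()


def verify_update(package: bytes, tag: bytes, key: bytes = UPDATE_KEY) -> bool:
    """Constant-time check that the update image carries a valid tag."""
    expected = hmac.new(key, package, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)


def install_update(package: bytes, tag: bytes, key: bytes = UPDATE_KEY) -> bool:
    """Gate the privileged update path on verification.

    Returns True only when the image is authentic; a real updater would
    stage the file and hand it to the installer at this point. An image
    that fails verification is discarded before any privileged process
    touches it.
    """
    if not verify_update(package, tag, key):
        return False
    return True


if __name__ == "__main__":
    # Constructed inputs: one well-formed address, three that must be rejected.
    print(parse_scanned_payload(b"1AbcDefGhiJkmnopQrstUvwxYz23456789"))
    print(parse_scanned_payload(b"1Abc;Def"))
    print(parse_scanned_payload(b"1AbcDefGhiJkmnopQrstUvwxYz23456789\n"))
    print(parse_scanned_payload(b"\xff\xfe"))
    image = b"constructed update image bytes"
    print(install_update(image, sign_update(image)))
    print(install_update(image + b"x", sign_update(image)))
```

The point of keeping the scanner parser this strict is that the scanner is an untrusted input channel exactly like a keyboard; once its output is confined to a single expected data type, a seconds-long window into the window manager has nothing to type. The update gate likewise makes "legitimate processes" useful only for images the vendor produced, which is what tightening update permissions aims at.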
