Vulnerabilities in Lamassu Douro crypto ATMs could be used to steal funds

Brother

IOActive analysts have discovered three vulnerabilities in Lamassu Douro cryptocurrency ATMs. These issues allow an attacker with physical access to the device to gain full control of the ATM and steal user funds.

The vulnerabilities have been identified as CVE-2024-0175, CVE-2024-0176 and CVE-2024-0177, and the researchers emphasize that an attack on the devices can be carried out with the same level of physical access as a regular customer has.

The first problem, as IOActive explains, is that at boot time the machine allows the user to interact with the underlying OS's window manager. Although the interaction time is only a few seconds, it is enough for the user to launch installed applications or open a terminal window.

It is noted that to use such low-level access, the attacker needs to enter commands, which is usually impossible without connecting a keyboard. However, Lamassu Douro devices support reading QR codes, and the researchers took advantage of this by encoding a malicious payload in a QR code. Once the device read the QR code, the payload gave them a root shell, as shown in a video published by the researchers.

Experts explain that the attack relies on a vulnerability in the ATM's software update mechanism, which lets an attacker feed the device a malicious update file that the device's own legitimate processes then execute.

In addition, IOActive specialists discovered that the crypto ATMs used a weak root password, which they were able to crack in a minute. Even worse, this password turned out to be the same for all machines.

As a result, all these problems allow an attacker to steal user funds.

“Because an attacker can view and manipulate any transactions on a captured ATM, they can interactively steal money from users' accounts or wallets, but the theft will be limited to the person's account balance. A more experienced attacker, with sufficient training, will be able to change or completely replace all ATM settings, as well as use social engineering and force the user to perform additional actions (for example, encouraging him to disclose account details in the Internet bank), promising an incentive in the form of free cryptocurrency for the transfer to a specific wallet,” the experts say. “Ultimately, if a device can be hacked down to the OS level, the scope of the attack on the user is limited only by how much the user trusts the device and its manufacturer.”

Researchers notified Lamassu engineers of all three vulnerabilities back in July 2023. The manufacturer fixed the bugs in October by tightening the permissions required to update a device, using a stronger passphrase for the root account, and preventing users from accessing the desktop environment during OS startup.
