Kraken’s Security Lab Reveals Weak Points in BTC ATMs

This news article has been updated with General Bytes' response and their findings following Kraken's vulnerability report.


Kraken Security Labs, Kraken’s security arm, recently released a report regarding General Bytes BATMtwo Bitcoin ATMs. The group alleges several security vulnerabilities with the machines, including both hardware and software issues. Shortly afterward, General Bytes responded to the report, confirming some of Kraken’s findings while objecting to others.

Vulnerabilities Identified By Kraken

Kraken released its security report in a blog post on September 29th, claiming vulnerabilities across numerous aspects of BATM2 machines.

Firstly, the lab claims that multiple ATMs shipped with the same default “Administration Key” QR code. It confirmed this after purchasing several used ATMs from different sources. According to the report, this meant that anyone holding the code could “take over” an ATM by changing its server management address.

Regarding BATM2 hardware, Kraken also found that the machines contain only one internal compartment, so a single lock protects all of the device’s internals. This places added trust in whoever regularly replaces the cash boxes, since they could tamper with the internal hardware.

As for software issues, the lab claimed that the machine’s Android operating system “lacks many common security features.” Allegedly, an attacker could reach the entire Android UI simply by connecting a USB keyboard to the machine, and from there carry out numerous malicious acts, including installing apps and stealing private keys.

Kraken Security Labs states that its mission is to expose security flaws in order to protect users, while alerting manufacturers so they can correct such issues. Accordingly, it informed General Bytes of these issues in April 2021, and General Bytes has since resolved many of them.

General Bytes’ Response

The ATM manufacturer responded to Kraken the following day, confirming that the lab had contacted it in April. While General Bytes agreed with some of Kraken’s criticisms, it claims that others were either mistaken or outdated.

For example, General Bytes defends its use of a default administration key across multiple machines:

Having the same default administration key for all manufactured machines enables ATM operators to streamline their deployments into the field and minimizes the risk of getting admin keys shuffled in the customer’s warehouse. We currently don’t plan to issue a unique default administration key for each machine.

They also clarify that changing a machine’s server address is not possible with only the QR code; the process has required an additional physical key since launch.

Furthermore, the manufacturer states that the Android OS UI cannot be accessed using a USB keyboard. According to General Bytes, this issue was resolved as early as January 2021, and Kraken appears to have audited the software version from November 2020.


General Bytes respects Kraken’s attempts to boost security across the Bitcoin infrastructure space. The company last underwent a security audit in September.
