
Lamassu Bitcoin ATM Vulnerabilities Exposed: How Physical Access Could Drain Your Wallet

Cybersecurity researchers have disclosed a set of critical vulnerabilities in Lamassu Douro Bitcoin ATMs that could have allowed attackers with nothing more than customer-level physical access to take full control of the machines and drain user wallets. The disclosure, published on January 23, 2024, by IOActive, underscores a persistent blind spot in the cryptocurrency ecosystem: the security of physical infrastructure.

The Exploit Mechanics

IOActive identified three distinct vulnerabilities tracked as CVE-2024-0175, CVE-2024-0176, and CVE-2024-0177. The attack chain begins with a remarkably simple observation: during the boot sequence, the Douro ATM briefly exposes the underlying operating system’s window manager. While this interaction window lasts only several seconds, it proves sufficient for an attacker to launch a terminal or installed application.

The researchers used the ATM's built-in QR code reader to bypass the need for a physical keyboard. By crafting a malicious QR code containing their payload, they demonstrated that scanning it during the boot window could lead directly to a root shell. This was made possible by a vulnerability in the ATM's software update mechanism, which accepted an attacker-supplied file and then executed it through the machine's own legitimate update process.

Perhaps most alarming was the discovery that all Lamassu Douro devices shipped with an identical, weak root password that IOActive was able to crack within one minute. With Bitcoin trading at approximately $39,845 on the day of disclosure, the potential losses from compromised ATMs could have been substantial.

Affected Systems

The vulnerabilities affect the Lamassu Douro model, one of the most widely deployed Bitcoin ATM units globally. These machines are typically installed in public-facing locations such as convenience stores, gas stations, and shopping malls, precisely the environments where physical access by malicious actors is most difficult to prevent.

IOActive CTO Gunter Ollmann explained that an attacker who gains control of a vulnerable ATM can view and manipulate all user interactions. The theft would be limited to the user’s account balance during a single session, but a more sophisticated attacker could replace the entire user experience to socially engineer victims into revealing sensitive information such as online banking credentials.

The Mitigation Strategy

Lamassu Industries was notified of all three vulnerabilities in July 2023 and deployed fixes in October 2023, months before the public disclosure. The vendor hardened permissions for the update process, implemented a stronger root account passphrase, and blocked user access to the desktop environment during OS startup.

The coordinated disclosure process worked as intended. Lamassu had already patched the vulnerabilities before IOActive went public, meaning operators who kept their firmware updated were protected. However, the incident raises questions about how many Bitcoin ATM operators regularly install security updates.

Lessons Learned

This disclosure highlights several key security principles for the cryptocurrency hardware ecosystem. First, physical access remains a potent attack vector that cannot be ignored, even for devices designed for public use. Second, default credentials shared across all deployed units represent a systemic risk that vendors must eliminate at the manufacturing stage. Third, the QR code attack vector demonstrates that even seemingly benign input mechanisms can be weaponized by skilled researchers.

For the broader crypto community, the Lamassu case serves as a reminder that security must extend beyond digital protocols and smart contracts to encompass every physical touchpoint where users interact with cryptocurrency systems.

User Action Required

Bitcoin ATM operators running Lamassu Douro units should verify that their firmware has been updated to the October 2023 security patch or later. Users who have recently transacted at a Lamassu ATM should monitor their wallet activity and consider moving funds to a new address if they suspect any irregularities. As always, hardware wallet storage remains the most secure option for significant cryptocurrency holdings, with Bitcoin currently valued near $39,845 and Ethereum at $2,240.

Disclaimer: This article is for informational purposes only and does not constitute financial or security advice. Always conduct your own research before making security decisions.


7 thoughts on “Lamassu Bitcoin ATM Vulnerabilities Exposed: How Physical Access Could Drain Your Wallet”

1. kernel_panic_

   the IOActive team also found that the ATM was running an outdated Linux kernel. layered vulnerabilities like an onion

   1. everyone audits smart contracts to death but the ATM running an unpatched kernel gets a pass. physical security is the blind spot

   2. outdated kernel plus no boot lockdown plus exposed window manager. three independent failures all needed to be present. classic swiss cheese model

2. a 5 second window is generous for a prepared attacker. you can pre-encode the QR and just scan it the moment the window opens. the real failure is no keyboard input lockdown during boot

3. physical access attacks on ATMs are underrated. everyone focuses on smart contract bugs while the actual machine in front of you is running an unpatched OS
