We value Kraken’s effort to introduce more security into the Bitcoin ecosystem by reviewing other essential Bitcoin infrastructure products. Kraken and GENERAL BYTES share a common goal of providing safe products to everyone in the field. GENERAL BYTES products regularly undergo security audits, at least once a year. The last concluded security audit of the BATM product line was in September 2021.
Default administration key vulnerability
Having the same default administration key for all manufactured machines enables ATM operators to streamline their deployments into the field and minimizes the risk of admin keys getting shuffled in the customer’s warehouse. We currently don’t plan to issue a unique default administration key for each machine. On August 20th, 2021, we warned ATM operators via the GENERAL BYTES Telegram channel to change it immediately if they were still using the default administration QR code. Based on Kraken’s recommendation, we also implemented a bulk function that enables operators to change the administration keys on all of their machines at once, removing the risk of operators not changing the admin key because of the higher number of clicks needed.
We want to stress that changing the server’s IP address at the ATM requires the user to have a physical key. Having only an admin QR key is not enough, despite Kraken’s assertion to the contrary. This has been a fundamental security implementation since day one.
The BATMTwo Classic model that Kraken used for testing is indeed lacking compartmentalization. The BATMTwo Classic is our cheapest product, which is a compromise between security and value. Other GB products, such as the BATMTwo Pro, BATMFour, and BATMThree, do have compartmentalization.
Based on the photos provided by Kraken, the machine used for testing was manufactured sometime in 2015. BATMTwo Classic models manufactured in 2020 and later have door-opening detection and an optional third-party alarm connection. For 2022 models, we plan to add additional tamper-detection features to the computer cases.
Insufficient Lockdown of Android OS
We could not verify Kraken’s claim that one can access the Android OS UI by connecting a keyboard to the machine. Kraken didn’t disclose this information to us before publishing their blog post, and we are waiting for Kraken to provide us with details. According to our knowledge, this issue was resolved in January 2021, at least three months before Kraken contacted GENERAL BYTES. It is unclear why Kraken was not auditing the ATM with the latest software but instead used a November 2020 version. We are also not aware of how one could copy private keys from the machine by using a keyboard or installing another application. It is also not clear what private keys Kraken had in mind. We will update this article once we have more information on this issue, and we will also review the kiosk mode Kraken recommended for future versions.
No Firmware/Software Verification
Machines manufactured up to October 2021 do not use secure boot and contain NXP i.MX6 silicon that is affected by CVE-2017-7932. We immediately contacted the supplier and were surprised that NXP is still selling the vulnerable silicon. Our supplier promised that chips delivered to us from early 2022 onwards would be silicon that doesn’t contain this issue. Please note that we have to order the chips used in our machines eight months before delivery.
Applications running on the operating system are signed and verified by Android OS. Android OS also facilitates cross-application memory/storage isolation. We do have firmware using secure boot ready for customers that would like to update their machines. However, chips without the vulnerability that allows secure boot to be bypassed will only be available in 2022.
No Cross-Site Request Forgery Protections in the ATM Backend
We immediately implemented CSRF protection after receiving Kraken’s report; however, we have seen no proof that an attacker could cause any damage to a CAS user due to encrypted IDs used by the CAS UI.
We have extended our regular security audits to cover hardware and operating system levels.
- If you share physical keys with a third party, please purchase products with separated compartments, such as the GB BATMTwo Pro, GB BATMThree, or GB BATMFour.
- Don’t use the default administration keys.
- Use two-factor authentication for access to CAS.
- Use IP address safelisting (whitelisting) for ATMs.
- Grant CAS users permissions only for the tasks they need to perform (least privilege principle).
- Don’t run other third-party services on an ATM server (CAS).
- Use firewalls extensively on the server-side.
- Use email providers that support two-factor authentication (2FA), such as Google Mail.
- Protect your websites with Cloudflare or similar services.
- Use hardware wallets such as Trezor.
- Place your ATMs inside safe locations with CCTV.