Gabriel Gonzalez, IOActive Director of Hardware Security, and Dani Martinez, IOActive Senior Security Consultant, will be presenting at two different talks during this year’s RootedCON, taking place March 6 – 8 in Madrid, Spain.
“One of the first premises was to rigidly maintain the principle of neutrality that has characterized each of its editions. At Rooted CON, members of the security community, students, professionals, companies, hobbyists, state security forces, hackers and, why not, artists and academics have been able to, can and will be able to speak and present their ideas.”
Gabriel’s Talk Focus:
The focus of this research was Lamassu’s Douro Bitcoin ATM, where we uncovered critical vulnerabilities (CVE-2024-0175, CVE-2024-0176, CVE-2024-0177) that let us take full control of the machine. Starting with just the same physical access as a regular user, we found that a small window during boot allowed access to the system’s terminal. From there, we used some clever tricks—like crafting a custom QR code to bypass the lack of a keyboard—to execute a payload and gain root access. In this talk, I’ll walk you through how we did it, what it means for ATM security, and how we can jackpot an ATM with just a QR code.
Dani Martinez Bio:
“Cybersecurity professional with 14 years of experience, currently working at the security firm IOActive as a Senior Security Consultant. Passionate about offensive security, he has extensive expertise in red teaming, security assessments, and intrusion simulations targeting critical infrastructures. Specialized in conducting corporate phishing campaigns, he combines advanced social engineering techniques with real-world attack simulations to identify both technical and human vulnerabilities. His work focuses on replicating realistic attack scenarios to help organizations strengthen their defenses.”