In the old days, thieves used explosives to get into a safe. But these days for one kind of Brinks safe, all it takes is a USB stick with 100 lines of code.
The surprising findings will be described at the Def Con Hacking Conference early next month in Las Vegas and mark a year’s research by Daniel Petro and Oscar Salazar of security company Bishop Fox.
Some of Bishop Fox’s customers use Brinks’ CompuSafe Galileo, a modernized safe that makes cash management easier for businesses.
Employees can insert cash into the machine, which is counted. The CompuSafe generates reports for stores and can provide cash totals to banks, which can grant provisional credit for the deposits made before the cash is actually transported.
Brinks claims the CompuSafe helps stores eliminate deposit discrepancies, reduce theft and free staff from recounting and auditing cash.
But what the seasoned security investigators found shocked them. They uncovered a slew of vulnerabilities and design flaws that, in some cases, may be hard for Brinks to fix.
As of a couple of years ago, more than 14,000 CompuSafe Galileos were deployed across the U.S. All are still vulnerable to their attack, the researchers said.
They bought a Galileo CompuSafe on eBay. The most egregious problem they found is a fully functional USB port on the side of the safe. That allowed them to plug in a keyboard and a mouse, which worked.
“Nothing good comes from that,” Salazar said. It was a sign of more bad things to come. “Every step of the way, we were like, ‘This can’t be possible’,” Petro said.
The CompuSafe has a nine-inch touchscreen that runs an application that is used for entering authentication credentials. They found a way to escape that application—known as a kiosk-bypass attack—through a help menu, gaining access to the backend Windows XP Embedded operating system.
At that point, it was game over for the safe. Petro and Salazar had administrator access to a Microsoft Access database file, which retains information on how much money the safe contains, user accounts on the system, when the door has been opened and other log files.
“By just editing that file, you can make the safe do anything you want,” Salazar said.
That includes popping open the safe’s doors, which they did.
Attackers could also perform much more sophisticated frauds using the database file that would be harder to detect, Salazar said.
The store inherently trusts the safe to report how much cash it has, Salazar said. If the machine has US$2,000 in it but the database is modified to only report $1,000, the bank and retailer would be none the wiser.
“You could very easily make the safe lie about the cash total it has,” he said. “It would be very difficult to track that theft down because the bank would receive exactly how much money it thinks it should be getting.”
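As an added illustration (not code from the article, Brinks, FireKing or Bishop Fox, and not the CompuSafe’s real database format), the block below shows the trust problem Salazar describes: a total kept in a plain, editable file is whatever the file says, while a keyed integrity tag checked by the bank or back office exposes the edit. It assumes a hypothetical reconciliation key that the safe’s Windows host cannot read (held by a separate tamper-resistant counting module or secure element); if the key sits on the same disk an intruder already controls, the tag adds nothing. All deposit values and the key are constructed.

```python
"""
Added illustration (not Brinks', FireKing's or Bishop Fox's code, and not the
CompuSafe's actual database format): a cash ledger only the safe controls can
be edited to under-report, while a keyed integrity tag verified off the safe
lets the bank or back office detect that edit. Everything below is constructed.
"""
import hashlib
import hmac
import json

# Hypothetical reconciliation key held off the Windows host (e.g. in a separate
# counting module or secure element) and by the back office. Constructed value.
RECONCILIATION_KEY = b"constructed-demo-key-do-not-reuse"


def canonical(record: dict) -> bytes:
    """Serialize a ledger record deterministically so the tag is reproducible."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def sign_record(record: dict, key: bytes = RECONCILIATION_KEY) -> dict:
    """Return a copy of the record carrying an HMAC-SHA256 tag over its contents."""
    tag = hmac.new(key, canonical(record), hashlib.sha256).hexdigest()
    return {**record, "tag": tag}


def verify_record(signed: dict, key: bytes = RECONCILIATION_KEY) -> bool:
    """Recompute the tag from the record body and compare in constant time."""
    body = {k: v for k, v in signed.items() if k != "tag"}
    expected = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, signed.get("tag", ""))


def unprotected_total(ledger: list) -> int:
    """What a store or bank sees from an unprotected ledger: whatever the file says."""
    return sum(r["amount_cents"] for r in ledger)


def reconciled_total(ledger: list, key: bytes = RECONCILIATION_KEY):
    """
    What a verifying back office sees: the sum of records whose tags check,
    plus the ids of records that fail verification (evidence of tampering).
    """
    ok_total = 0
    bad_ids = []
    for r in ledger:
        if verify_record(r, key):
            ok_total += r["amount_cents"]
        else:
            bad_ids.append(r["deposit_id"])
    return ok_total, bad_ids


# Constructed sample deposits: $1,500 + $500 = $2,000 actually in the safe.
DEPOSITS = [
    {"deposit_id": 1, "employee": "clerk-a", "amount_cents": 150_000},
    {"deposit_id": 2, "employee": "clerk-b", "amount_cents": 50_000},
]


def tamper(ledger: list) -> list:
    """
    Simulate an edit to the stored file so the safe under-reports: deposit 1 is
    rewritten from $1,500 to $500, so the total reads $1,000 instead of $2,000.
    The old tag is left in place because the editor does not hold the key.
    """
    edited = [dict(r) for r in ledger]
    edited[0]["amount_cents"] = 50_000
    return edited


def demo() -> dict:
    """Compare what the two reporting models say about the same edited ledger."""
    signed = [sign_record(r) for r in DEPOSITS]
    edited = tamper(signed)
    return {
        "honest_unprotected": unprotected_total(DEPOSITS),   # 200000
        "tampered_unprotected": unprotected_total(edited),   # 100000, accepted silently
        "tampered_reconciled": reconciled_total(edited),     # (50000, [1]): flagged
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The unprotected model is the situation the article describes: the bank receives a number and has no way to tell it was altered. With the tag, the altered record simply fails to verify and the discrepancy surfaces at reconciliation; the design only helps if the key is genuinely out of reach of whoever can edit the file.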
The code for getting administrator access is surprisingly simple: it’s just 100 lines of macro code, which are instructions for a certain sequence of mouse and keyboard strokes that crack the CompuSafe and can be supplied using a USB stick.
Salazar said they’ve been in contact with Brinks’ technical team for more than a year about the problems.
Brinks hasn’t fixed them yet, in part because there appears to be a somewhat complicated supply chain, Salazar said. Brinks designed the safe, but the software is actually made by another company called FireKing Security Group.
For legal reasons, they’re not going to release the full attack code at Def Con, but “after the presentation, it will be fairly apparent to anybody who has a little bit of time how you could write your own code,” Petro said.
They hope the disclosure will prompt fixes. “We’re going public to try to raise the awareness and hopefully get it fixed,” Salazar said.
But the fixes aren’t easy, and will likely require physical visits to safes, as the CompuSafe needs BIOS updates and other changes. Even then, it’s questionable whether the safes would be fully secure.
“At the end of the day, there is still an exposed USB port,” Petro said. “And it’s still running Windows XP.”
Brinks officials couldn’t be reached for comment.