DefCon Hackers Cracked Brink’s Safe in 60 Seconds

Gone in 60 seconds. Security researchers will demonstrate at DefCon on August 8 how they can crack a modern Brink’s safe in just a minute.

When it comes to security, a safe—the physical device in which money is deposited for safekeeping—is quite literally supposed to be safe.

defconYet, according to new research set to be demonstrated at the DefCon 23 conference in Las Vegas on Aug. 8, certain models of Brink’s CompuSafe digital safes can be exploited to enable an attacker to crack a safe within 60 seconds and steal whatever cash may be stored inside. The model in question is Brink’s CompuSafe Galileo, which is intended for use in retail stores as a cash management system.

Oscar Salazar, senior security associate at security firm Bishop Fox explained that money inserted into the CompuSafe is automatically deposited to the retail store’s bank account. Salazar, along with Dan Petro, security associate at Bishop Fox, can point to many vulnerabilities in the CompuSafe Galileo.

“One of the main vulnerabilities we are focusing on comes by way of a USB port that is on the exterior of the safe,” Salazar told eWEEK. “We have created a little tool that we can just plug into the safe, wait 60 seconds for the tool to do its work, and then the safe doors will open and you can take all the cash out.”

It might raise eyebrows that the operating system that powers CompuSafe Galileo is Windows XP, which Microsoft no longer supports. Salazar emphasized, however, that it’s not Windows XP that is the root cause of the CompuSafe vulnerabilities.

“Even if the CompuSafe were running Windows 10, it wouldn’t have changed the exploit that we will be demonstrating,” Salazar said.

The USB port on the CompuSafe Galileo is not physically secured with an additional key or access restriction, Salazar said. He explained that the CompuSafe is part of a retail point-of-sale system; so it is typically deployed in well-trafficked areas and not usually in some form of hardened secure location with limited physical access, such as a vault.

In the normal operation of the safe, the majority of operations are executed by way of a touch-screen on the safe. Once the money has been inserted into the safe, it is automatically deposited to the retailer’s bank, which means that it’s the bank’s money and a store manager cannot remove cash from the safe. Typically, to remove cash, there is a requirement for both the store manager and a Brink’s employee to be present.

“Part of what’s interesting about our hack is it bypasses everything and just gives us direct access without having a store manager or Brink’s employee present,” Salazar explained.

The tool that Salazar and Petro created basically emulates mouse and keyboard presses. Petro noted that the vulnerability isn’t something that a typical security scanner would catch, but is something that a software quality assurance team should notice.

“A large portion of the attack is about escaping out of the kiosk mode that is put in place on the safe, in order to prevent someone from accessing the backend system,” Petro explained.

Petro said that he and Salazar literally “smashed” on the keyboard to see what would happen when arbitrary keys were pressed together. Using that smashing technique, the researchers were able to figure out how to escape the kiosk mode.

An attacker would need to be physically present to actually collect the cash from a cracked safe, Salazar said. That said, he noted that the safes are fully networked and connected to the Internet; so it could be possible once a safe is compromised to manage a group of compromised safes and schedule when the safes should open for an attacker to pick up the cash. Salazar emphasized that Bishop Fox didn’t actually build or test any remote safe crack cash pickup technology, though in his opinion, that capability wouldn’t be all that hard to do.

“Once you’ve plugged in the USB to deliver the exploit, you could have just as easily written malware to the safe to perform remote transactions at a later point in time,” Petro explained.

Bishop Fox notified Brink’s of the vulnerability more than a year ago and has been working with its technical teams since that time, Salazar said. The vulnerability is still live, and so after a year, Bishop Fox decided it was time to publicly talk about the issue, he added.

Brink’s did not respond by press time to eWEEK’s request for comment on the presentation.

“Brink’s is one company involved in the design of the safe, but there are multiple vendors involved in the manufacture of the safe,” Salazar said. “So the issue isn’t so much that there is no acknowledgment that there is a problem; rather, the vendors have been pointing fingers about whose problem it is for over a year, without progress made on the actual resolution.”

A number of kiosk hardening techniques should be in place to lock down the safe, Salazar said.

While the DefCon research is specifically about the CompuSafe Galileo, security issues are common across Internet of things connected devices, he said. “Security is a pervasive issue for IoT devices. So here we have a device, a safe, that used to work just fine protecting valuables, but now it is being hooked up to a computer and it opens up an entire set of new problems.”