Researchers: We can crack a smart safe in less than 60 seconds

28 Jul 2015 | Author: | No comments yet »

Brinks has a safe that runs Windows XP and hackers say they can crack it in 60 seconds.

That’s according to researcher Dan Petro and senior security associate Oscar Salazar from information security consulting firm Bishop Fox. A pair of cybersecurity researchers said they plan to bring a Brink’s armored vehicle on stage and hack into its vault at an upcoming security conference. The pair promises to demonstrate how an attacker can break into the smart safe next week at the Def Con security conference, one of the largest hacker conventions held in Las Vegas, Nevada. “It used to take an hour to break into something like this,” Salazar told Passcode ahead of the planned demonstration. “[Now] it takes under a minute.” The safe the researchers claim they can hack is a CompuSafe Galileo made by Brink’s, Inc., a globally recognized safe seller based in the US.

But today’s thieves don’t have to expose themselves to the extra security at banks, and risk getting caught, thanks to a new hack that would let someone swipe a stash of money before it’s ever deposited. Oscar Salazar and Dan Petro, security associates at Bishop Fox, told they’ve created a tool capable of manipulating CompuSafe Galileo, the Brink’s cash management system intended for use at corporate retailers. The hack has the makings of the perfect crime, because a thief could also erase any evidence that the theft occurred simply by altering data in a back-end database where the smartsafe logs how much money is inside and who accessed it.

The CompuSafe generates reports for stores and can provide cash totals to banks, which can grant provisional credit for the deposits made before the cash is actually transported. CompuSafe then prevents the safe from being opened again unless both a store manager and Brinks security employee verify their presence on a touch screen. But there’s no additional key or any kind of access restriction to provide another layer of physical security on the USB port, said Salazar and Petro. Generally installed at a counter with a business’s point-of-sale system, the smart safes have a digital touchscreen and Internet connectivity and run on an embedded version of Windows XP.

Information about the deposit is generated on a receipt from an external-facing printer, and a record of the deposit is also sent daily to Brinks via the Internet, where the deposit gets credited to a customer’s account even before a driver arrives to pick it up. The best detail of the researchers’ story is that they literally smashed on the keyboard to discover what happened when arbitrary keys were pressed together.

But the safes have an external USB port on the side of the touchscreens that allows service technicians to troubleshoot and obtain a backup of the database. This, unfortunately, creates an easy entrypoint for thieves to take complete, administrative control of the devices. “Once you’re able to plug into that USB port, you’re able to access lots of things that you shouldn’t normally be able to access,” Petro told WIRED. “There is a full operating system…that you’re able to…fully take over…and make [the safe] do whatever you want it to do.” The researchers created a malicious script that, once inserted into a safe on a USB stick, lets a thief automatically open the safe doors by emulating certain mouse and keyboard actions and bypassing standard application controls. “You plug in this little gizmo, wait about 60 seconds, and the door just pops open,” says Petro. They found a way to escape that application—known as a kiosk-bypass attack—through a help menu, gaining access to the backend Windows XP embedded operating system. They could, Petro and Salazar said, conceivably change the logs to appear as if there was never any money in the safe in the first place – or even frame someone for stealing by altering the amount of cash reported.

When a Brinks messenger arrives to collect the cash and take it to a secure facility, the safe requires two sets of credentials to open—the driver’s and the store manager’s. “But we essentially bypassed all of that,” says Salazar. Because the safe logs information in the database each time money is deposited or the door is opened, data in the database is considered trustworthy by both banks and Brinks. They could also put in place other extra security measures to keep potential attackers away – such as security cameras, lock checks, or even a bigger safe. For legal reasons, they’re not going to release the full attack code at Def Con, but “after the presentation, it will be fairly apparent to anybody who has a little bit of time how you could write your own code,” Petro said. Salazar says the problem with the safes is a familiar one that happens to a lot of old-school devices that have recently been modernized with digital capabilities as part of the so-called Internet of Things. “Brinks has been around for an extremely long amount of time,” says Salazar. “Making these safes smart…has actually drastically reduced the security of something that was fairly safe to begin with.

Here you can write a commentary on the recording "Researchers: We can crack a smart safe in less than 60 seconds".

* Required fields
Our partners
Follow us
Contact us
Our contacts

ICQ: 423360519

About this site