DefCon Hackers Tell How They Cracked Brink's Safe in 60 Seconds
An attacker would need to be physically present to actually collect the cash from a cracked safe, Salazar said. That said, he noted that the safes are fully networked and connected to the Internet, so once a safe is compromised it could be possible to manage a group of compromised safes and schedule when they should open for an attacker to pick up the cash. Salazar emphasized that Bishop Fox didn't actually build or test any technology for remote cash pickup from cracked safes, though in his opinion that capability wouldn't be all that hard to build.
"Once you've plugged in the USB to deliver the exploit, you could have just as easily written malware to the safe to perform remote transactions at a later point in time," Petro explained.
Bishop Fox notified Brink's of the vulnerability more than a year ago and has been working with its technical teams since then, Salazar said. The vulnerability is still live, so after a year Bishop Fox decided it was time to talk about the issue publicly, he added.
Brink's did not respond by press time to eWEEK's request for comment on the presentation.
"Brink's is one company involved in the design of the safe, but there are multiple vendors involved in the manufacture of the safe," Salazar said. "So the issue isn't so much that there is no acknowledgment that there is a problem; rather, the vendors have been pointing fingers about whose problem it is for over a year, without progress made on the actual resolution."
A number of kiosk hardening techniques should be in place to lock down the safe, Salazar said.
While the DefCon research is specifically about the CompuSafe Galileo, security issues are common across Internet of things (IoT) connected devices, he said. "Security is a pervasive issue for IoT devices. So here we have a device, a safe, that used to work just fine protecting valuables, but now it is being hooked up to a computer and it opens up an entire set of new problems."
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.