DefCon Hackers Tell How They Cracked Brink's Safe in 60 Seconds
Gone in 60 seconds. Security researchers will demonstrate at an Aug. 8 DefCon presentation how they can crack a modern Brink's safe in just a minute.
When it comes to security, a safe—the physical device in which money is deposited for safekeeping—is quite literally supposed to be safe.
Yet, according to new research set to be demonstrated at the DefCon 23 conference in Las Vegas on Aug. 8, certain models of Brink's CompuSafe digital safes can be exploited to enable an attacker to crack a safe within 60 seconds and steal whatever cash may be stored inside. The model in question is Brink's CompuSafe Galileo, which is intended for use in retail stores as a cash management system.
Oscar Salazar, senior security associate at security firm Bishop Fox, explained that money inserted into the CompuSafe is automatically deposited to the retail store's bank account. Salazar, along with Dan Petro, security associate at Bishop Fox, can point to many vulnerabilities in the CompuSafe Galileo.
"One of the main vulnerabilities we are focusing on comes by way of a USB port that is on the exterior of the safe," Salazar told eWEEK. "We have created a little tool that we can just plug into the safe, wait 60 seconds for the tool to do its work, and then the safe doors will open and you can take all the cash out."
It might raise eyebrows that the operating system that powers CompuSafe Galileo is Windows XP, which Microsoft no longer supports. Salazar emphasized, however, that it's not Windows XP that is the root cause of the CompuSafe vulnerabilities.
"Even if the CompuSafe were running Windows 10, it wouldn't have changed the exploit that we will be demonstrating," Salazar said.
The USB port on the CompuSafe Galileo is not physically secured with an additional key or access restriction, Salazar said. He explained that the CompuSafe is part of a retail point-of-sale system, so it is typically deployed in well-trafficked areas and not usually in a hardened, secure location with limited physical access, such as a vault.
In the normal operation of the safe, the majority of operations are executed by way of a touch-screen on the safe. Once the money has been inserted into the safe, it is automatically deposited to the retailer's bank, which means that it's the bank's money and a store manager cannot remove cash from the safe. Typically, to remove cash, there is a requirement for both the store manager and a Brink's employee to be present.
"Part of what's interesting about our hack is it bypasses everything and just gives us direct access without having a store manager or Brink's employee present," Salazar explained.
The tool that Salazar and Petro created basically emulates mouse and keyboard input. Petro noted that the vulnerability isn't something that a typical security scanner would catch, but is something that a software quality assurance team should notice.
"A large portion of the attack is about escaping out of the kiosk mode that is put in place on the safe, in order to prevent someone from accessing the backend system," Petro explained.
Petro said that he and Salazar literally "smashed" on the keyboard to see what would happen when arbitrary keys were pressed together. Using that smashing technique, the researchers were able to figure out how to escape the kiosk mode.