Brinks safe can be hacked with just a USB stick

Researchers popped open a safe with 100 lines of macro code

The doors on a CompuSafe Galileo from Brinks can be opened using 100 lines of code inserted using the safe's USB port, security researchers say.


In the old days, thieves used explosives to get into a safe. But these days for one kind of Brinks safe, all it takes is a USB stick with 100 lines of code.

The surprising findings will be described at the Def Con hacking conference early next month in Las Vegas and mark a year's research by Daniel Petro and Oscar Salazar of security company Bishop Fox.

Some of Bishop Fox's customers use Brinks' CompuSafe Galileo, a modernized safe that makes cash management easier for businesses.

Employees can insert cash into the machine, which is counted. The CompuSafe generates reports for stores and can provide cash totals to banks, which can grant provisional credit for the deposits made before the cash is actually transported.

Brinks claims the CompuSafe helps stores eliminate deposit discrepancies, reduce theft and free staff from recounting and auditing cash.

But what the seasoned security investigators found shocked them. They uncovered a slew of vulnerabilities and design flaws that, in some cases, may be hard for Brinks to fix.

As of a couple of years ago, more than 14,000 CompuSafe Galileos were deployed across the U.S. All are still vulnerable to their attack, the researchers said.

They bought a Galileo CompuSafe on eBay. The most egregious problem they found is a fully functional USB port on the side of the safe. That allowed them to plug in a keyboard and a mouse, which worked.

"Nothing good comes from that," Salazar said. It was a sign of more bad things to come. "Every step of the way, we were like, 'This can't be possible'," Petro said.

The CompuSafe has a nine-inch touchscreen that runs an application used for entering authentication credentials. They found a way to escape that application through a help menu -- known as a kiosk-bypass attack -- gaining access to the underlying Windows XP Embedded operating system.

At that point, it was game over for the safe. Petro and Salazar had administrator access to a Microsoft Access database file, which retains information on how much money the safe contains, user accounts on the system, when the door has been opened and other log files.

"By just editing that file, you can make the safe do anything you want," Salazar said.

That includes popping open the safe's doors, which they did.

Attackers could also perform much more sophisticated frauds using the database file that would be harder to detect, Salazar said.

The store inherently trusts the safe to report how much cash it has, Salazar said. If the machine has US$2,000 in it but the database is modified to only report $1,000, the bank and retailer would be none the wiser.

"You could very easily make the safe lie about the cash total it has," he said. "It would be very difficult to track that theft down because the bank would receive exactly how much money it thinks it should be getting."

The code for getting administrator access is surprisingly simple: it's just 100 lines of macro code, a scripted sequence of mouse and keyboard inputs that cracks the CompuSafe and can be supplied using a USB stick.

Salazar said they've been in contact with Brinks' technical team for more than a year about the problems.

Brinks hasn't fixed them yet, in part because there appears to be a somewhat complicated supply chain, Salazar said. Brinks designed the safe, but the software is actually made by another company, FireKing Security Group.

For legal reasons, they're not going to release the full attack code at Def Con, but "after the presentation, it will be fairly apparent to anybody who has a little bit of time how you could write your own code," Petro said.

They hope the disclosure will prompt fixes. "We're going public to try to raise the awareness and hopefully get it fixed," Salazar said.

But the fixes aren't easy, and will likely require physical visits to safes, as the CompuSafe needs BIOS updates and other changes. Even then, it's questionable whether the safes would be fully secure.

"At the end of the day, there is still an exposed USB port," Petro said. "And it's still running Windows XP."

Brinks officials couldn't be reached for comment.

Send news tips and comments to jeremy_kirk@idg.com. Follow me on Twitter: @jeremy_kirk


Jeremy Kirk

IDG News Service