Brinks safe can be hacked with just a USB stick

Researchers popped open a safe with 100 lines of macro code

The doors on a CompuSafe Galileo from Brinks can be opened using 100 lines of code inserted using the safe's USB port, security researchers say.

In the old days, thieves used explosives to get into a safe. But these days for one kind of Brinks safe, all it takes is a USB stick with 100 lines of code.

The surprising findings will be described at the Def Con hacking conference early next month in Las Vegas and mark a year's research by Daniel Petro and Oscar Salazar of security company Bishop Fox.

Some of Bishop Fox's customers use Brinks' CompuSafe Galileo, a modernized safe that makes cash management easier for businesses.

Employees can insert cash into the machine, which is counted. The CompuSafe generates reports for stores and can provide cash totals to banks, which can grant provisional credit for the deposits made before the cash is actually transported.

Brinks claims the CompuSafe helps stores eliminate deposit discrepancies, reduce theft and free staff from recounting and auditing cash.

But what the seasoned security investigators found shocked them. They uncovered a slew of vulnerabilities and design flaws that, in some cases, may be hard for Brinks to fix.

As of a couple of years ago, more than 14,000 CompuSafe Galileos were deployed across the U.S. All are still vulnerable to their attack, the researchers said.

They bought a CompuSafe Galileo on eBay. The most egregious problem they found is a fully functional USB port on the side of the safe. That allowed them to plug in a keyboard and a mouse, both of which worked.

"Nothing good comes from that," Salazar said. It was a sign of more bad things to come. "Every step of the way, we were like, 'This can't be possible'," Petro said.

The CompuSafe has a nine-inch touchscreen that runs an application used for entering authentication credentials. They found a way to escape that application through a help menu -- known as a kiosk-bypass attack -- gaining access to the underlying Windows XP Embedded operating system.

At that point, it was game over for the safe. Petro and Salazar had administrator access to a Microsoft Access database file, which retains information on how much money the safe contains, user accounts on the system, when the door has been opened and other log files.

"By just editing that file, you can make the safe do anything you want," Salazar said.

That includes popping open the safe's doors, which they did.

Attackers could also perform much more sophisticated frauds using the database file that would be harder to detect, Salazar said.

The store inherently trusts the safe to report how much cash it has, Salazar said. If the machine has US$2,000 in it but the database is modified to only report $1,000, the bank and retailer would be none the wiser.

"You could very easily make the safe lie about the cash total it has," he said. "It would be very difficult to track that theft down because the bank would receive exactly how much money it thinks it should be getting."
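The fraud described above works because the store and bank trust a total that the safe's own writable database reports. As an added illustration, not code from the article, Bishop Fox or Brinks, the Python below shows one tamper-evidence pattern a defender would want: each deposit record is chained and MAC'd with a key assumed to be held outside the editable operating system (for example in the cash-acceptor firmware), so an edited record, an under-reported total, or a truncated log fails verification. The ledger entries and the key are constructed for the example.

```python
import hashlib
import hmac
import json

# Assumption: this key is held outside the editable OS (e.g. in the bill
# acceptor's firmware), so admin access to the database alone cannot forge MACs.
KEY = b"constructed-example-key-not-stored-on-the-safe-os"
GENESIS = "0" * 64


def entry_mac(prev_mac: str, entry: dict) -> str:
    """MAC over the previous MAC plus the canonical JSON of this entry (chaining)."""
    msg = prev_mac.encode() + json.dumps(entry, sort_keys=True).encode()
    return hmac.new(KEY, msg, hashlib.sha256).hexdigest()


def append_deposit(ledger: list, amount_cents: int, user: str) -> list:
    """Append a deposit record; the MAC binds it to everything before it."""
    prev = ledger[-1]["mac"] if ledger else GENESIS
    entry = {"seq": len(ledger), "user": user, "amount_cents": amount_cents}
    ledger.append({**entry, "mac": entry_mac(prev, entry)})
    return ledger


def verify_total(ledger: list, reported_cents: int, expected_len=None) -> tuple:
    """Recompute the chain and compare its sum to the reported cash total.

    Returns (ok, reason). expected_len is the record count the bank last saw,
    which is what makes silent truncation of the ledger detectable.
    """
    prev, total = GENESIS, 0
    for i, rec in enumerate(ledger):
        entry = {k: v for k, v in rec.items() if k != "mac"}
        if entry.get("seq") != i:
            return False, f"sequence gap at record {i}"
        if not hmac.compare_digest(entry_mac(prev, entry), rec["mac"]):
            return False, f"MAC mismatch at seq {i}: record was edited"
        total += entry["amount_cents"]
        prev = rec["mac"]
    if expected_len is not None and len(ledger) < expected_len:
        return False, f"ledger truncated: {len(ledger)} of {expected_len} records"
    if total != reported_cents:
        return False, f"reported {reported_cents} but ledger sums to {total}"
    return True, "ok"


def demo() -> dict:
    """Constructed scenario from the article: $2,000 deposited, $1,000 reported."""
    ledger = []
    for amount in (50000, 50000, 100000):
        append_deposit(ledger, amount, "clerk1")
    edited = [dict(r) for r in ledger]
    edited[1]["amount_cents"] = 0  # direct edit of one stored record
    return {
        "honest": verify_total(ledger, 200000),
        "under_reported": verify_total(ledger, 100000),
        "edited_record": verify_total(edited, 150000),
        "truncated": verify_total(ledger[:2], 100000, expected_len=3),
    }
```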

The code for getting administrator access is surprisingly simple: it's just 100 lines of macro code, a scripted sequence of mouse and keyboard actions that carries out the kiosk bypass on the CompuSafe and can be supplied using a USB stick.

Salazar said they've been in contact with Brinks' technical team for more than a year about the problems.

Brinks hasn't fixed them yet, in part because there appears to be a somewhat complicated supply chain, Salazar said. Brinks designed the safe, but the software is actually made by another company, FireKing Security Group.

For legal reasons, they're not going to release the full attack code at Def Con, but "after the presentation, it will be fairly apparent to anybody who has a little bit of time how you could write your own code," Petro said.

They hope the disclosure will prompt fixes. "We're going public to try to raise the awareness and hopefully get it fixed," Salazar said.

But the fixes aren't easy, and will likely require physical visits to safes, as the CompuSafe needs BIOS updates and other changes. Even then, it's questionable whether the safes would be fully secure.

"At the end of the day, there is still an exposed USB port," Petro said. "And it's still running Windows XP."

Brinks officials couldn't be reached for comment.

Send news tips and comments to jeremy_kirk@idg.com. Follow me on Twitter: @jeremy_kirk

Jeremy Kirk

IDG News Service