Brinks safe can be hacked with just a USB stick

Researchers popped open a safe with 100 lines of macro code

The doors on a CompuSafe Galileo from Brinks can be opened using 100 lines of code inserted using the safe's USB port, security researchers say.


In the old days, thieves used explosives to get into a safe. But these days, for one kind of Brinks safe, all it takes is a USB stick with 100 lines of code.

The surprising findings will be described at the Def Con Hacking Conference early next month in Las Vegas and mark a year's research by Daniel Petro and Oscar Salazar of security company Bishop Fox.

Some of Bishop Fox's customers use Brinks' CompuSafe Galileo, a modernized safe that makes cash management easier for businesses.

Employees can insert cash into the machine, which is counted. The CompuSafe generates reports for stores and can provide cash totals to banks, which can grant provisional credit for the deposits made before the cash is actually transported.

Brinks claims the CompuSafe helps stores eliminate deposit discrepancies, reduce theft and free staff from recounting and auditing cash.

But what the seasoned security investigators found shocked them. They uncovered a slew of vulnerabilities and design flaws that, in some cases, may be hard for Brinks to fix.

As of a couple of years ago, more than 14,000 CompuSafe Galileos were deployed across the U.S. All are still vulnerable to their attack, the researchers said.

They bought a Galileo CompuSafe on eBay. The most egregious problem they found is a fully functional USB port on the side of the safe. That allowed them to plug in a keyboard and a mouse, which worked.

"Nothing good comes from that," Salazar said. It was a sign of more bad things to come. "Every step of the way, we were like, 'This can't be possible'," Petro said.

The CompuSafe has a nine-inch touchscreen that runs an application that is used for entering authentication credentials. They found a way to escape that application -- known as a kiosk-bypass attack -- through a help menu, gaining access to the backend Windows XP embedded operating system.

At that point, it was game over for the safe. Petro and Salazar had administrator access to a Microsoft Access database file, which retains information on how much money the safe contains, user accounts on the system, when the door has been opened and other log files.

"By just editing that file, you can make the safe do anything you want," Salazar said.

That includes popping open the safe's doors, which they did.

Attackers could also perform much more sophisticated frauds using the database file that would be harder to detect, Salazar said.

The store inherently trusts the safe to report how much cash it has, Salazar said. If the machine has US$2,000 in it but the database is modified to only report $1,000, the bank and retailer would be none the wiser.

"You could very easily make the safe lie about the cash total it has," he said. "It would be very difficult to track that theft down because the bank would receive exactly how much money it thinks it should be getting."
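The root problem described above is that the safe trusts a locally editable database file for its cash totals and door log, so a change to that file is indistinguishable from a real transaction. The following is an added illustration (not Bishop Fox's or Brinks' code) of the usual mitigation: every ledger record carries an HMAC chained to the previous one under a key that never lives on the safe, so an edited, removed or reordered entry fails verification on the bank's side. The event fields, key and sample entries are constructed for the example.

```python
import hmac
import hashlib
import json

# Constructed sample of the kind of data the article says the safe keeps:
# deposits with cash amounts, the user involved, and door-open events.
SAMPLE_EVENTS = [
    {"seq": 1, "event": "deposit", "user": "clerk1", "amount_cents": 150000},
    {"seq": 2, "event": "deposit", "user": "clerk2", "amount_cents": 50000},
    {"seq": 3, "event": "door_open", "user": "manager", "amount_cents": 0},
]
GENESIS = b"\x00" * 32  # fixed starting value for the chain


def _canonical(event):
    """Deterministic byte encoding of one record (without its mac field)."""
    body = {k: v for k, v in event.items() if k != "mac"}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def build_chain(events, key):
    """Attach to each record an HMAC over (previous mac || record).
    The key is held by the verifying party (bank/head office), not the safe."""
    prev, out = GENESIS, []
    for ev in events:
        mac = hmac.new(key, prev + _canonical(ev), hashlib.sha256).digest()
        out.append({**ev, "mac": mac.hex()})
        prev = mac
    return out


def verify_chain(records, key):
    """Return (True, None) if intact, else (False, seq of first bad record).
    Catches edited values, deleted or reordered entries. Truncating the tail
    is only caught if the verifier also knows the expected last mac/count."""
    prev = GENESIS
    for rec in records:
        expected = hmac.new(key, prev + _canonical(rec), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, bytes.fromhex(rec["mac"])):
            return False, rec.get("seq")
        prev = expected
    return True, None


def cash_total(records):
    """Cash total as the ledger claims it; only meaningful after verify_chain."""
    return sum(r["amount_cents"] for r in records if r["event"] == "deposit")


def demo_understated_total(key):
    """Model the article's scenario: the first deposit is edited downward."""
    tampered = [dict(r) for r in build_chain(SAMPLE_EVENTS, key)]
    tampered[0]["amount_cents"] = 50000  # ledger now claims less cash than is there
    return verify_chain(tampered, key)
```

Verification must run somewhere the attacker cannot edit (the bank or back office), because a verifier that reads its key from the same machine is no stronger than the plain file.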

The code for getting administrator access is surprisingly simple: it's just 100 lines of macro code, which are instructions for a certain sequence of mouse and keyboard strokes that crack the CompuSafe and can be supplied using a USB stick.

Salazar said they've been in contact with Brinks' technical team for more than a year about the problems.

Brinks hasn't fixed them yet, in part because there appears to be a somewhat complicated supply chain, Salazar said. Brinks designed the safe, but the software is actually made by another company called FireKing Security Group.

For legal reasons, they're not going to release the full attack code at Def Con, but "after the presentation, it will be fairly apparent to anybody who has a little bit of time how you could write your own code," Petro said.

They hope the disclosure will prompt fixes. "We're going public to try to raise the awareness and hopefully get it fixed," Salazar said.

But the fixes aren't easy, and will likely require physical visits to safes, as the CompuSafe needs BIOS updates and other changes. Even then, it's questionable whether the safes would be fully secure.

"At the end of the day, there is still an exposed USB port," Petro said. "And it's still running Windows XP."

Brinks officials couldn't be reached for comment.

Send news tips and comments to jeremy_kirk@idg.com. Follow me on Twitter: @jeremy_kirk
