How to Hack a Brinks Security Safe in 60 Seconds
Brinks security handles the logistics used to store, transport and extract cash from over 14,000 locations. The security company even provides digital safes for retail locations to make large cash deposits. The CompuSafe Service is marketed as a means of reducing loss, increasing productivity, and reducing the accounting burden for an organization. Researchers from the security consulting firm Bishop Fox plan to demonstrate how easy it is to compromise the devices at an upcoming DefCon presentation.
Oscar Salazar is a senior security associate with the firm. Research into CompuSafe shows that money deposited into a CompuSafe automatically credits a vendor’s digital bank account – similar to ATM deposits. The firm’s security associates point out that multiple exploits exist, though they will be demonstrating a USB flaw at DefCon.
“One of the main vulnerabilities we are focusing on comes by way of a USB port that is on the exterior of the safe,” Salazar told eWEEK. “We have created a little tool that we can just plug into the safe, wait 60 seconds for the tool to do its work, and then the safe doors will open and you can take all the cash out.”
The CompuSafe Galileo model targeted by the researchers is not physically secure – the USB ports are left wide open. Though normal operations take place on a touch screen, the underlying operating system is actually Windows XP, which Microsoft no longer supports. During normal operation, removing money from the safe requires both the store manager and a Brinks security employee. Regardless, Salazar confirms that even if the machines were running Windows 10 they would still be susceptible to the same exploit.
The hack works by emulating keyboard presses and mouse clicks. The USB device inserted into the machine escapes out of kiosk mode and gives attackers access to the back-end system. Salazar said that he and another researcher literally smashed their hands on the keyboard just to see what would happen with arbitrary key combinations. Tracing through the results of the smashing technique enabled them to figure out how to escape from kiosk mode and take control of the Brinks security safe.
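A kiosk that is only ever driven from a touch screen should never see a newly enumerated keyboard, and a scripted HID tool types far faster than any person. The following added example (not code from the article or from Bishop Fox) shows one defensive heuristic a monitoring agent on such a device could apply: alert on input from any HID device outside an allowlist, and on a burst of keystrokes with inter-key gaps below a human-plausible minimum. The event format, device names and thresholds are constructed assumptions for illustration.

```python
"""Heuristic detector for scripted keystroke injection from a rogue USB HID
device on a kiosk.  Added example; the event format, device ids and the
sample trace are constructed, not data from the Brinks/Bishop Fox research."""
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass(frozen=True)
class KeyEvent:
    t_ms: int       # time of the key-down event, milliseconds since boot
    device: str     # HID device id as the OS enumerated it
    key: str        # key name


# Assumed thresholds: people rarely sustain inter-key gaps under ~30 ms,
# while keystroke-injection tools fire keys every few milliseconds.
HUMAN_MIN_GAP_MS = 30
BURST_LEN = 8


def detect_injection(events: List[KeyEvent], allowed: Set[str]) -> List[str]:
    """Return alert strings for (a) input from a device not on the allowlist and
    (b) a run of BURST_LEN keystrokes from one device with gaps < HUMAN_MIN_GAP_MS."""
    alerts: List[str] = []
    seen_unknown: Set[str] = set()
    last_t: Dict[str, int] = {}   # device -> timestamp of its previous key
    run: Dict[str, int] = {}      # device -> length of the current fast run
    for ev in sorted(events, key=lambda e: e.t_ms):
        if ev.device not in allowed and ev.device not in seen_unknown:
            seen_unknown.add(ev.device)
            alerts.append(f"unexpected HID device {ev.device} at t={ev.t_ms}ms")
        if ev.device in last_t and ev.t_ms - last_t[ev.device] < HUMAN_MIN_GAP_MS:
            run[ev.device] = run.get(ev.device, 1) + 1
        else:
            run[ev.device] = 1
        if run[ev.device] == BURST_LEN:   # fire once per burst, not per key
            alerts.append(f"scripted keystroke burst from {ev.device} ending t={ev.t_ms}ms")
        last_t[ev.device] = ev.t_ms
    return alerts


def sample_events() -> List[KeyEvent]:
    """Constructed trace: on-screen button presses from the allowed touch
    screen, then a burst of scripted keys from a just-enumerated USB keyboard."""
    human = [KeyEvent(1000 + i * 180, "touchscreen-0", "Enter") for i in range(5)]
    scripted = [KeyEvent(5000 + i * 4, "usb-hid-kbd-ghost", f"k{i}") for i in range(10)]
    return human + scripted


if __name__ == "__main__":
    for alert in detect_injection(sample_events(), {"touchscreen-0"}):
        print(alert)
```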