Researcher hacks Brinks ultrasafe ‘Safe’ using USB and 100 lines of code



Brink’s safe called CompuSafe Galileo can be hacked using 100 lines of macro code delivered through a USB stick

Researchers from the security company Bishop Fox have managed to hack the ultra-modern Brink’s CompuSafe Galileo using just a USB device and 100 lines of code. The two researchers, Daniel Petro and Oscar Salazar, will demonstrate their proof of concept at DefCon 2015, which starts in the first week of August 2015 in Las Vegas.
Brinks’ CompuSafe Galileo is a highly sophisticated and modernized safe that Brinks markets as an easy cash management option. Brinks claims the CompuSafe helps stores eliminate deposit discrepancies, reduce theft and free staff from recounting and auditing cash. However, Petro and Salazar took a special liking to this particular safe and started testing it for vulnerabilities. After a year of research, the duo uncovered a slew of vulnerabilities and design flaws that could easily be exploited by cyber criminals.
The researchers said that all of the 14000 CompuSafe Galileos sold by Brinks in the United States are vulnerable to this attack.
Petro and Salazar said that the work of finding the vulnerability in the safe was made easier by the fact that the CompuSafe Galileo has a functional USB port on one of its sides. That allowed them to plug in a keyboard and a mouse, which worked.
“Nothing good comes from that,” Salazar said. It was a sign of more bad things to come. “Every step of the way, we were like, ‘This can’t be possible’,” Petro said.
Once they could use the USB port for input devices, they were able to bypass the CompuSafe’s authentication screen using a method known as a kiosk-bypass attack. Working on the CompuSafe’s 9-inch display, they used the application’s help menu to gain access to the backend Windows XP Embedded operating system.
Once they had access to the backend, they were able to gain administrative access to the Microsoft Access database file.
Apparently the CompuSafe uses the Microsoft Access database file to save log files and other critical information, such as how much money is kept in the safe, the user accounts on the system and when the door has been opened.
“By just editing that file, you can make the safe do anything you want,” Salazar said. They were even able to open the safe’s doors by editing one of the database files.
Salazar said that if cyber criminals had access to their exploit, they could also perform much more sophisticated frauds using the database file that would be hard for safe owners (mostly banks) or Brinks to discover.
To illustrate the sophistication of the attack, Salazar said that if the machine has US$2,000 in it but the database is modified to report only $1,000, no one would even notice the difference unless there is a physical audit of the cash every day.
“You could very easily make the safe lie about the cash total it has,” he said. “It would be very difficult to track that theft down because the bank would receive exactly how much money it thinks it should be getting.”
The research duo said that the exploit code is 100 lines of simple macro code containing instructions for a certain sequence of mouse and keyboard actions that crack the CompuSafe, and that it can be supplied using a USB stick.
Bishop Fox had contacted the Brinks security team a year back, but Brinks has not yet patched the vulnerability. To compound the problem, the software is apparently made by a third-party provider called FireKing Security Group.
Petro and Salazar said that while they will demo the PoC at DefCon, they won’t reveal the full attack code due to legal issues. “After the presentation, it will be fairly apparent to anybody who has a little bit of time how you could write your own code,” Petro said.
