All you need is a small flash drive – and 60 seconds – to break into a safe commonly used in businesses such as grocery stores and diners.
That’s according to researcher Dan Petro and senior security associate Oscar Salazar from information security consulting firm Bishop Fox. The pair promises to demonstrate how an attacker can break into the smart safe next week at the Def Con security conference, one of the largest hacker conventions held in Las Vegas, Nevada.
Connecting the safes to the Internet, Mr. Salazar said, “compromises security in an incredible way.”
“It used to take an hour to break into something like this,” Salazar told Passcode ahead of the planned demonstration. “[Now] it takes under a minute.”
The safe the researchers claim they can hack is a CompuSafe Galileo made by Brink’s, Inc., a globally recognized safe seller based in the US. Brink’s sold more than 20,000 CompuSafe units last year, including some 16,000 in the US, according to its annual filings. The Galileo model is one of several in the CompuSafe line.
Usually mounted under a cash register at a checkout line, the safe stores cash, money orders, and food stamps. It counts the amount inside, which is then wirelessly deposited into the business’s online bank accounts. Each CompuSafe Galileo can hold up to a quarter of a million dollars in cash at a time.
Brink’s did not respond to Passcode’s multiple calls and e-mail requests for comment about the alleged vulnerability by the time of publication. Salazar and Petro say they came across the vulnerability while conducting penetration tests on a client’s security systems and reported it to Brink's, the safe seller.
“The safe was not designed with security in mind from the ground up,” Petro said.
Petro and Salazar say the CompuSafe Galileo is vulnerable partly because of its physical construction: there is an exposed USB port on the front of the safe. The researchers inserted a flash drive that presented itself to the safe as a mouse and keyboard, and about 100 lines of code delivered through it were enough to make the safe open.
It is a fairly unsophisticated attack, but the researchers say it works because the safe runs on Windows XP, which accepts the drive’s keystrokes and mouse movements as if a local operator were at the console. Salazar and Petro say the drive gave them access to the Windows system inside the safe, where they could log in to the accounts used to service the safe, which have full administrative privileges.
With that kind of access, the researchers say they were able to gain complete control over the contents of the safe. They could, Petro and Salazar said, conceivably change the logs to appear as if there was never any money in the safe in the first place – or even frame someone for stealing by altering the amount of cash reported. They could also infect the machine with malware to open the safe later.
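A check a practitioner would want after reading the above is a way to tell, from the safe’s own Windows XP host, whether a device that enumerated as a keyboard and mouse was ever plugged into that front USB port. The following is an added example and is not code from Bishop Fox, Brink’s, or the article; it scans a setupapi.log (the device-install log Windows XP keeps under the Windows directory) for HID keyboard/mouse installs and groups them by USB vendor/product ID. The log lines embedded below are constructed to resemble that format, and the exact strings a given safe would write are an assumption. A legitimate service keyboard will also be flagged, so every hit has to be reconciled against a maintenance record rather than treated as proof of an attack.

```python
"""Scan a Windows XP setupapi.log for USB devices that installed as
keyboard and/or mouse (HID) interfaces, the host-side trace a
keystroke-injecting "flash drive" leaves behind.

Added example, not code from Bishop Fox or Brink's. The sample log below
is constructed; the line layout follows Windows XP's setupapi.log as
assumed here, and a real log should be checked against it.
"""
import re
from dataclasses import dataclass, field

# Constructed sample of a Windows XP setupapi.log: one mass-storage install
# followed by a single USB device (VID 16C0 / PID 0483, chosen for the
# example) installing a keyboard interface and then a mouse interface.
SAMPLE_SETUPAPI_LOG = """\
[2015/07/20 09:14:02 1032.12 Driver Install]
#-019 Searching for hardware ID(s): usb\\vid_0781&pid_5567&rev_0100,usb\\vid_0781&pid_5567
#I022 Found "USB\\VID_0781&PID_5567" in C:\\WINDOWS\\inf\\usbstor.inf; Device: "USB Mass Storage Device"; Driver: "USB Mass Storage Device"; Provider: "Microsoft"; Mfg: "Compatible USB storage device"; Section name: "USBSTOR_BULK".
#I121 Device install of "USB\\VID_0781&PID_5567\\4C530001" finished successfully.
[2015/07/20 09:14:05 1032.13 Driver Install]
#-019 Searching for hardware ID(s): hid\\vid_16c0&pid_0483&rev_0100&mi_00,hid_device_system_keyboard,hid_device
#I022 Found "HID_DEVICE_SYSTEM_KEYBOARD" in C:\\WINDOWS\\inf\\keyboard.inf; Device: "HID Keyboard Device"; Driver: "HID Keyboard Device"; Provider: "Microsoft"; Mfg: "(Standard keyboards)"; Section name: "HID_Keyboard_Inst".
#I121 Device install of "HID\\VID_16C0&PID_0483&MI_00\\7&1A2B3C4D&0&0000" finished successfully.
[2015/07/20 09:14:06 1032.14 Driver Install]
#-019 Searching for hardware ID(s): hid\\vid_16c0&pid_0483&rev_0100&mi_01,hid_device_system_mouse,hid_device
#I022 Found "HID_DEVICE_SYSTEM_MOUSE" in C:\\WINDOWS\\inf\\msmouse.inf; Device: "HID-compliant mouse"; Driver: "HID-compliant mouse"; Provider: "Microsoft"; Mfg: "Microsoft"; Section name: "HID_Mouse_Inst".
#I121 Device install of "HID\\VID_16C0&PID_0483&MI_01\\7&1A2B3C4D&0&0001" finished successfully.
"""

# Section header: "[YYYY/MM/DD HH:MM:SS pid.seq Driver Install]"
HEADER_RE = re.compile(r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) [\d.]+ Driver Install\]")
# Hardware-ID line; the class IDs hid_device_system_keyboard/_mouse appear here
HWID_RE = re.compile(r"^#-019 Searching for hardware ID\(s\): (.*)$", re.I)
# Successful install line carrying the device instance ID
DONE_RE = re.compile(r'^#I121 Device install of "([^"]+)" finished successfully', re.I)
VIDPID_RE = re.compile(r"VID_([0-9A-F]{4})&PID_([0-9A-F]{4})", re.I)


@dataclass
class HidDevice:
    vid: str
    pid: str
    interfaces: set = field(default_factory=set)
    first_seen: str = ""
    last_seen: str = ""


def find_hid_input_devices(log_text):
    """Return HID keyboard/mouse installs grouped by USB VID/PID, oldest first."""
    devices = {}
    stamp = None   # timestamp of the section currently being read
    hwids = ""     # lower-cased hardware ID list of that section
    for line in log_text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            stamp, hwids = m.group(1), ""
            continue
        m = HWID_RE.match(line)
        if m:
            hwids = m.group(1).lower()
            continue
        m = DONE_RE.match(line)
        if not m or stamp is None:
            continue
        inst = m.group(1)
        if not inst.upper().startswith("HID\\"):
            continue   # mass storage and other classes are not input devices
        vp = VIDPID_RE.search(inst)
        if not vp:
            continue
        key = (vp.group(1).upper(), vp.group(2).upper())
        dev = devices.setdefault(key, HidDevice(key[0], key[1], first_seen=stamp))
        if "hid_device_system_keyboard" in hwids:
            dev.interfaces.add("keyboard")
        if "hid_device_system_mouse" in hwids:
            dev.interfaces.add("mouse")
        dev.last_seen = stamp
    return sorted(devices.values(), key=lambda d: d.first_seen)


def is_composite_input(dev):
    """One USB VID/PID presenting both a keyboard and a mouse: the shape of the
    drive described in the article. A wireless keyboard+mouse receiver looks
    the same, so a hit is a lead to reconcile with service records, not a verdict."""
    return {"keyboard", "mouse"} <= dev.interfaces


if __name__ == "__main__":
    for d in find_hid_input_devices(SAMPLE_SETUPAPI_LOG):
        flag = "COMPOSITE KBD+MOUSE" if is_composite_input(d) else ""
        print(d.vid, d.pid, sorted(d.interfaces), d.first_seen, d.last_seen, flag)
```

Run it against a copy of the safe’s setupapi.log instead of the constructed sample to get a timeline of every keyboard- or mouse-class device that was ever installed, then compare each VID/PID and timestamp with the service visits the operator can account for.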
Def Con is known for featuring hackers who reveal vulnerabilities in devices on stage before the companies fix them. Petro and Salazar say they reported the vulnerability to Brink's more than a year ago and believe the company is still determining how to fix it.
Securing the safe in light of the vulnerability, Petro acknowledged, isn’t as simple as a software patch. Since the problem is in part due to the external construction of the safe, Petro and Salazar said CompuSafe Galileo users would need to disable the USB port using something like super glue. They could also put in place other extra security measures to keep potential attackers away – such as security cameras, lock checks, or even a bigger safe.
However, as Petro said, “it almost defeats the purpose of having the safe if you have to buy a bigger safe to put your safe into.”