Brinks’ CompuSafe Galileo is a highly sophisticated and modernized safe that is marketed by Brinks as a easy cash management option.  Brinks claims the CompuSafe helps stores eliminate deposit discrepancies, reduce theft and free staff from recounting and auditing cash. However Petro and Salazar took a special liking to this particular safe and started testing it for vulnerabilities. After a year of research, the duo uncovered a slew of vulnerabilities and design flaws that could easily be exploited by cyber criminals. The researchers said that all off the 14000 CompuSafe Galileos sold by Brinks in the United States are vulnerable to this attack. Petro and Salazar said that that work of finding the vulnerability in the Safe was made easier by the fact that the CompuSafe Galileo has a functional USB port on the one of its sides. That allowed them to plug in a keyboard and a mouse, which worked. Once they used the USB port as a input device they were able to bypass the CompuSafe’s authentication screen using a method known as a kiosk-bypass attack. They made use of the 9inch display on the Compusafe and using the application’s help menu, gained access to the backend Windows XP embedded operating system. Once they had access to the backend, they were able to gain administrative access to the Microsoft Access database file. Apparently the Microsoft Access database file is used by CompuSafe to save log files, and other critical information like how much money is kept in the safe, user accounts on the system, when the door has been opened and other log files. “By just editing that file, you can make the safe do anything you want,” Salazar said. They were even able to open the safe’s doors by editing one of the database files. Salazar said that if cyber criminals had access to their exploit, they could also perform much more sophisticated frauds using the database file that would be hard for safe owners (mostly banks) or Brinks to discover. To demonstrate the sophistication of the attack, Salazar said, if the machine has US$2,000 in it but the database is modified to only report $1,000, no one would even notice the difference unless there is a physical audit of the cash every day. The researchers duo said that the exploit code is 100 lines of simple macro code which contains instructions for a certain sequence of mouse and keyboard strokes that crack the CompuSafe and can be supplied using a USB stick. Bishop Fox had contacted the Brinks security team a year back but they have not yet patched the vulnerability. To compound the problem, the software is apparently made by a third party provider called FireKing Security Group. Petro and Salazar said that while they will demo the PoC at the DefCon, they wont be reveal the full attack code due to legal issues.  “After the presentation, it will be fairly apparent to anybody who has a little bit of time how you could write your own code,” Petro said. Brinks has not yet commented on the issue. Resource : PC World.

Researcher hacks Brinks ultrasafe  Safe  using USB and 100 lines of code - 14