Brinks’ Secure Safe Can Be Hacked by a USB Stick

CompuSafe Galileo safes are smart safes made by Brinks and used daily by restaurants, stores and other retailers. Security researchers claim that this model of safe can be cracked by a simple hack consisting of 100 lines of code on a USB stick, according to a report in Wired.

The vulnerability was brought to light by security researchers Daniel Petro and Oscar Salazar, who work at security firm Bishop Fox. They intend to demonstrate the exploit and further explain the vulnerability at the Def Con Hacking Conference next week in Las Vegas.

Modern safes

The CompuSafe Galileo series are essentially modernized safes that make cash management easier for businesses where frequent, often daily, transactions are the norm. They work in a simple, seamless way:

  • Cash is inserted into the machine by employees.
  • The safe counts the cash before totaling the numbers.
  • Reports are then generated by the safe (automatically).
  • These reports are forwarded over to banks immediately.
  • Banks can then instantly credit the amount to the customer’s account, even before the actual cash is transported to the banks.

Safe manufacturer Brinks claims that the safes help stores and businesses with:

  • Eliminating deposit discrepancies.
  • Reducing petty theft and other losses.
  • Helping staff by freeing them of recounting and auditing the cash.

Over 14,000 CompuSafe Galileos are in use across the country, after being deployed a couple of years ago, and each safe can hold up to $240,000, nearly a quarter of a million dollars in cash. Researchers say that all 14,000 safes are vulnerable to their hack.

Secure safes? Not quite

Although the safes are equipped with a digital touchscreen for authentication, they also house an external USB port, which was designed to allow technicians to troubleshoot and service the safe. Unfortunately, the very existence of a fully functional USB port brings with it a world of trouble.

“Nothing good comes from that,” Salazar said. It was a sign of more bad things to come. “Every step of the way, we were like, ‘This can’t be possible’,” Petro added.

The researchers were able to completely circumvent the authentication system that uses the nine-inch touchscreen on the safe.

“Once you’re able to plug into that USB port, you’re able to access lots of things that you shouldn’t normally be able to access,” Petro noted. “There is a full operating system…that you’re able to…fully take over…and make [the safe] do whatever you want it to do.”

It was at this point that the researchers were able to gain administrator access to the embedded Windows XP operating system through a Microsoft Access database file.

“By just editing that file, you can make the safe do anything you want,” Salazar mused.

The researchers were indeed able to do anything they wanted, including opening the safe’s doors.

They hope that disclosing the vulnerability at the hacking conference will spur the manufacturer into action and bring fixes. “We’re going public to try to raise the awareness and hopefully get it fixed,” Salazar concluded.