A scary series of security flaws raises serious questions
Brinks has a reputation as a trusted name in security, but the findings of a pair of security researchers may crack that wide open. Daniel Petro and Oscar Salazar of security company Bishop Fox decided to take a look at Brinks’ advanced CompuSafe Galileo, a complex modern safe that actually interacts with banks to facilitate day-to-day operations, after learning that several of their customers are users. What they found goes beyond scary, and may qualify as downright negligent.
In an interview with IDG News Service’s Jeremy Kirk that’s making the rounds on tech and networking sites, the pair explained the major flaws they discovered:
The most egregious problem they found is a fully functional USB port on the side of the safe. That allowed them to plug in a keyboard and a mouse, which worked.
“Nothing good comes from that,” Salazar said. It was a sign of more bad things to come. “Every step of the way, we were like, ‘This can’t be possible’,” Petro said.
The CompuSafe has a nine-inch touchscreen that runs an application that is used for entering authentication credentials. They found a way to escape that application—known as a kiosk-bypass attack—through a help menu, gaining access to the backend Windows XP embedded operating system.
At that point, it was game over for the safe. Petro and Salazar had administrator access to a Microsoft Access database file, which retains information on how much money the safe contains, user accounts on the system, when the door has been opened and other log files.
“By just editing that file, you can make the safe do anything you want,” Salazar said.
As our friend Andy Russell, who sent this news along, declared, “Maybe it should operate in ‘safe’ mode!” Although it’s a groan-worthy joke, the potential consequences of leaving an essential device built to safeguard large amounts of cash so vulnerable to attack are very serious. Being able to alter the database means thieves could trick both the safe and the banks it communicates with into thinking they were receiving the correct amount of money while pocketing a chunk themselves, purposely put the safe owner in a bad position by making deposits appear to be more than what the bank will eventually receive, or engage in a number of other behaviors that we’re loath to even mention.
Considering that Petro and Salazar say they’ve been in contact with Brinks’ tech team for over a year about the problems and there’s still no fix, we’re not sure Brinks is making it a priority. This boggles our minds, because the financial and reputational risk for everyone involved couldn’t be more clear. Is this another case where we’ll be left asking, “How much pain will it take?”, or will Brinks get its act together in light of the researchers’ promise to present on the vulnerabilities at the upcoming Def Con Hacking Conference on August 8?
Erik & Jonathan Bernstein
www.bernsteincrisismanagement.com