Master thief Willie Sutton famously said he robbed banks because that's where the money was. Of course, he also got caught. But today's thieves don't have to expose themselves to the extra security at banks, and risk getting caught, thanks to a new hack that would let someone swipe a stash of money before it's ever deposited.

Vulnerabilities found in CompuSafe Galileo safes, smart safes made by the ever-reliable Brinks company that are used by retailers, restaurants, and convenience stores, would allow a rogue employee or anyone else with physical access to them to command their doors to open and relinquish their cash, according to Daniel Petro and Oscar Salazar, researchers with the security firm Bishop Fox, who plan to demonstrate their findings next week at the Def Con hacker conference in Las Vegas.

The hack has the makings of the perfect crime, because a thief could also erase any evidence that the theft occurred simply by altering data in a back-end database where the smart safe logs how much money is inside and who accessed it. If done well, the only telltale sign of an attack would be left on security cameras—if anyone bothered to look.

The smart safes are one of the latest offerings from Brinks, a company that has been synonymous with bank and cash security since its founding in 1859 when it began transporting money with horse and wagon. More than 10,000 Brinks CompuSafe smart safes are currently deployed across the country, each of which can hold a maximum of $240,000.

Generally installed at a counter with a business's point-of-sale system, the smart safes have a digital touchscreen and Internet connectivity and run on an embedded version of Windows XP. When a manager or other employee inserts money into the safes, a smart reader automatically recognizes each bill and tallies the deposit. Information about the deposit is generated on a receipt from an external-facing printer, and a record of the deposit is also sent daily to Brinks via the Internet, where the deposit gets credited to a customer's account even before a driver arrives to pick it up. The system is supposed to virtually eliminate theft, according to Brinks' web site.

But the safes have an external USB port on the side of the touchscreens that allows service technicians to troubleshoot and obtain a backup of the database. This, unfortunately, creates an easy entry point for thieves to take complete, administrative control of the devices.

"Once you're able to plug into that USB port, you're able to access lots of things that you shouldn't normally be able to access," Petro told WIRED. "There is a full operating system...that you're able to...fully take over...and make [the safe] do whatever you want it to do."

The researchers created a malicious script that, once inserted into a safe on a USB stick, lets a thief automatically open the safe doors by emulating certain mouse and keyboard actions and bypassing standard application controls. "You plug in this little gizmo, wait about 60 seconds, and the door just pops open," says Petro.

He notes that because the safes are generally placed near a cash register in well-trafficked areas, many people can have physical access to them.

The Brinks smart safes are intended to reduce not only theft by outsiders, but also theft by insiders. To this end no one, including store managers, is supposed to have the ability to open a safe on his own—not even a Brinks driver. When a Brinks messenger arrives to collect the cash and take it to a secure facility, the safe requires two sets of credentials to open—the driver's and the store manager's. "But we essentially bypassed all of that," says Salazar. Their script simply creates new user accounts in the database that they control with their own credentials.

Because the safe logs information in the database each time money is deposited or the door is opened, data in the database is considered trustworthy by both banks and Brinks. But the database isn't protected, so an attacker can alter or erase any information stored in it to cover the fact that the safe has been opened without proper authorization.

"Everything is stored in that database that we have access to," says Petro. "If you have access to that database, you can forge any request you want. We're running as administrator on the Windows XP, so lying to anybody in any direction is possible."

They can even lie about how much money has been deposited in the safe. A malicious insider could have the safe indicate to Brinks, and to the receipt printer, that $1,000 got deposited, when in fact only $500 was placed in the safe, while the thief pocketed the remaining $500. Or an insider could have the safe report the deposit accurately, then open the safe later to steal half the money, leaving Brinks to question whether one of its drivers or the manager absconded with the cash.

"There seems to be layer on layer on layer of vulnerability to the point where you're like 'It can't possibly have done this,'" Salazar says. "These are the people making safes. How could this essentially have not been assessed in the same way you would assess a regular safe?"

Petro and Salazar uncovered the vulnerabilities more than a year ago after pen-testing a point-of-sale system owned by a customer who also had the Brinks Galileo safe installed. They later purchased their own safe on eBay to study it further.

They notified Brinks about the vulnerabilities more than a year ago, but say the company appears to have done nothing to resolve the issues. Brinks could disable driver software associated with the USB port to prevent someone from controlling the safes in this way, or lock down the system and database so it's not running in administrative mode and the database can't be changed, but so far the company appears to have done none of these.

"To our knowledge, we haven't seen any fixes that would help resolve these issues," Salazar says.

Brinks did not respond to a request for comment from WIRED.

Even if Brinks secured the external USB port, the researchers say there's a second one underneath the touch screen, which can be removed by simply unscrewing two screws to access the port.

"Even if they were to lock down the outside [USB port], if they didn't properly lock down the actual [touchscreen] display, I think a similar attack would be possible with a little bit of additional work," Petro says.

The technique they developed wouldn't require customized codes for each safe; Petro and Salazar found that the same malicious code worked for every CompuSafe Galileo. The malicious tool they created also deletes any trace of itself once the hack is done.

"It essentially deletes all the files that are created. It closes all the applications that were open and leaves you in the same state as when you started," Salazar says.

Salazar says the problem with the safes is a familiar one that happens to a lot of old-school devices that have recently been modernized with digital capabilities as part of the so-called Internet of Things.

"Brinks has been around for an extremely long amount of time," says Salazar. "Making these safes smart...has actually drastically reduced the security of something that was fairly safe to begin with. We see this same thing happening with all devices... A company that does one thing well and they move into a field where they have no experience."