Vulnerabilities in Brink's Smart Safe

Brink’s sells an Internet-enabled smart safe called the CompuSafe Galileo. Despite being sold as a more secure safe, it’s wildly insecure:

Vulnerabilities found in CompuSafe Galileo safes, smart safes made by the ever-reliable Brinks company that are used by retailers, restaurants, and convenience stores, would allow a rogue employee or anyone else with physical access to them to command their doors to open and relinquish their cash….

The hack has the makings of the perfect crime, because a thief could also erase any evidence that the theft occurred simply by altering data in a back-end database where the smartsafe logs how much money is inside and who accessed it.

Nothing about these vulnerabilities is a surprise to anyone who works in computer security:

But the safes have an external USB port on the side of the touchscreens that allows service technicians to troubleshoot and obtain a backup of the database. This, unfortunately, creates an easy entrypoint for thieves to take complete, administrative control of the devices.

“Once you’re able to plug into that USB port, you’re able to access lots of things that you shouldn’t normally be able to access,” Petro told WIRED. “There is a full operating system…that you’re able to…fully take over…and make [the safe] do whatever you want it to do.”

The researchers created a malicious script that, once inserted into a safe on a USB stick, lets a thief automatically open the safe doors by emulating certain mouse and keyboard actions and bypassing standard application controls. “You plug in this little gizmo, wait about 60 seconds, and the door just pops open,” says Petro.

If it sounds like the people who designed this e-safe ignored all of the things we’ve learned about computer security in the last few decades, you’re right. And that’s the problem with Internet-of-Things security: it’s often designed by people who don’t know computer or Internet security.

They also haven’t learned the lessons of full disclosure or rapid patching:

They notified Brinks about the vulnerabilities more than a year ago, but say the company appears to have done nothing to resolve the issues. Although Brinks could disable driver software associated with the USB port to prevent someone from controlling the safes in this way, or lock down the system and database so it’s not running in administrative mode and the database can’t be changed, so far the company appears to have done none of these.

Again, this all sounds familiar. The computer industry learned its lessons over a decade ago. Before then they ignored security vulnerabilities, threatened researchers, and generally behaved very badly. I expect the same things to happen with Internet-of-Things companies.

Posted on August 3, 2015 at 1:27 PM • 36 Comments

Comments

EasyMonet August 3, 2015 1:41 PM

  1. Get some good stock paper.
  2. Type out a convincing security company letter, logohead, etc.
  3. Mass mail this to any/all targets referencing this safe and general security.
  4. By def, anyone who takes you up on this offer to improve their security is now a mark.
  5. Rob everyone who replies.

Most of the people who reply will be interested in improving their security, thusly they will be the ones with low security. You could go legit, and take their consulting fee and actually upgrade them with overpriced equipment you’re reselling, or you could sneak in after hours and rob them blind…

Bob Pickles August 3, 2015 2:03 PM

Having worked for the aforementioned company in an IT security-related capacity, I am not in the least bit surprised. Remember the diamond heist from the plane being loaded in Brussels a few years back? When senior management at Brink’s thinks of security, they think of insurance and guns, not computers.

Alan Kaminsky August 3, 2015 2:29 PM

We should stop calling it the IoT. We should start calling it the IoIT — Internet of Insecure Things.

That’s not a very catchy acronym. Anyone have a better suggestion?

Arclight August 3, 2015 2:49 PM

This is a perfect example of why not all “things” need to be “Internetted of.” Look at the high-assurance electronic locks for GSA containers made by Mas-Hamilton and S&G. Those are self-contained devices with a small attack surface and small firmware stack. There isn’t even a battery terminal. And whatever physical connectors exist are inside the safe itself.

Generic USB is much too complicated and heavy for a simple application like this, where a simple serial interface on the inside of the safe would suffice.

This to me shows a fundamental lack of imagination on the part of the vendor.

Arclight

Anura August 3, 2015 3:02 PM

Seriously, how did people even think this was a good idea?

@Alan Kaminsky

Internet of Distributed Insecure Outlandish Things

TimH August 3, 2015 3:15 PM

@Alan Kaminsky and @Anura
IDIST not IDIOT is less catchy but more accurate:

Internet of Distributed Insecure Spying Things

DF August 3, 2015 3:31 PM

@Anura,

I had the same idea just slightly different:

Internet, Designed Insecurely, Of Things.

albert August 3, 2015 3:45 PM

I don’t know the Brinks business model, but there’s a disturbing trend among companies hiring contractors to do the ‘computer stuff’. This system looks like a PC slapped onto a safe. As far as I can see, the lock interface is the only unique feature; everything else is quite standard. XPe can be ‘configured’ to eliminate unneeded features, i.e. to reduce its footprint. A simple VB application, database, network connection, and a simple hardware I/F for the lock, and you’re good to go. Plus, Built-In-Security(tm)….at no extra cost.
.
..
.
..
o

Toto August 3, 2015 4:13 PM

Why am I not surprised?

Plus ça change…

Twenty-five years ago I pointed out to my boss that the expensive access card gimmicks he got installed were nothing but a joke. The readers were controlled by an accessible serial port, and I could show how one could get into the computer room.

IIRC, the access control and logging software was a childish BASIC application running on an IBM PC, and you could easily figure out what data was obtained from the reader, and what port controlled the door magnet. The cards were based on magnetic stripes, so all you had to do to get in was to dissimulate in the code a literal back door recognizing as valid some random old credit card found on the street, and of course add a “goto” statement jumping over the logging section.

Then I saw that the broker’s X25 ports, which cost something like 10k$/month for a 19.2kB/s service, made network management very difficult because of the rigid closed user groups. But if I dialed the shared packet data switch control port at the stock market, which was protected by an impressive zero-character long password, I could configure a connection into any other firms’ internal network, or impersonate their trading terminals. Think of the possibilities…

In my next job there was also a “secure” access card system. But the asset that was protected was an RF engineering lab… And the cards relied on a combination of two or three resonators tuned with capacitors, with a maximum of something like 10-15 discrete frequencies. I didn’t try making a complete “duplicate”, just knowing it was possible was enough. Hacking the photocopier or the manager’s printer driver to modify on the fly the spelling of his name was more fun.

Clive Robinson August 3, 2015 5:40 PM

@Alan Kaminsky,

Howcabout “Internet of Insomnia” for those much benighted individuals trying “through night endless to wrest the beast from its ivory tower” and thus “bring peace and equanimity to those who knowest not the fates they would suffer without such selfless striving”.

Slime Mold with Mustard August 3, 2015 6:51 PM

@ Alan Kaminsky
I was thinking IoS, but that is inappropriate for corporate use.

@ Arclight
“This is a perfect example of why not all ‘things’ need to be ‘Internetted of'”. Damn straight.

@ Everyone
I guarantee that this was first the brain fart of someone in Marketing. Buzzwords; “cyber-age”, “smartphones”, “millennials”, “ease of use” et al ad nauseam are the tools of the hip and pretty zombies that come up with this crap. Things will not really improve until the rest of us are allowed to defenestrate them.

Anura August 3, 2015 7:19 PM

I think we need to petition the FTC to change the rules so that you can’t advertise something as being “smart” if it has an internet connection.

cynical August 3, 2015 8:07 PM

@ Alan Kaminsky

a great idea for spies with enough computing to handle full take, and even greater for public corps with pressure to grow. a no brainer.

iot is a bit counter current to security because cost is an issue at the center, both of which appear unwilling to compromise. Acceptability is another but lesser issue because we have corps that are very creative about getting folks to give up their privacies. In my opinions.

K.S. August 3, 2015 9:18 PM

The Brink’s safe is an interesting case. Universally, any network device is assumed to be physically secure from tampering. For example, most network equipment will outright grant you CLI over serial, and I don’t know of any implementations that would encrypt serial communication with a terminal server, so you could always get valid credentials that are useful for remote access this way.

Whoever designed that safe operated in this mindset. Clearly, it isn’t appropriate for a safe. Would we even blink if that was a router? Perhaps we should reconsider common set of assumptions about physical access on all kinds of devices?

Karellen August 4, 2015 6:24 AM

@Arclight: “Generic USB is much too complicated and heavy for a simple application like this, where a simple serial interface on the inside of the safe would suffice.”

Even USB would be fine if the connection were on the inside of the safe.

Clive Robinson August 4, 2015 8:11 AM

@ Bruce,

And that’s the problem with Internet-of-Things security: it’s often designed by people who don’t know computer or Internet security.

At the risk of “Preaching to the Choir” this is a problem not just with the “IoT”, but “Smart Meters”, “Implanted medical devices”, “Medical equipment in General”, “Industrial Control Systems”, “Aviation Systems”, “Maritime Systems”, “Space Systems”, “Terrestrial Vehicle Systems” oh and quite a few “Military Systems”…

I know I bang on about it from time to time, but unlike the safe and many IoT systems, all of those I’ve listed can quite easily be used to kill you, your loved ones and many others…

Oh I recently saw demonstrated the NFC system in one particular mobile phone being used to talk to implanted medical equipment, that had no confidentiality, authentication or authorisation… as a person present commented “Dial M for murder, has a new plot line”.

The real issue is anybody can pick up a tool chain and with no training, cobble together something that vaguely works. That is it’s like a juvenile stick person drawing, a very poor picture of reality at best.

Yes we have some regulation, but it’s usually a “paper chase” exercise, where the designer picks the threats they are going to mitigate, then waffles about method. Thus, it’s harder to get a UL rating on an electronic lock than it is to get regulatory approval for medical electronics in most places.

Clive Robinson August 4, 2015 8:35 AM

@ Arclight, Karellen,

*if the connection were on the inside of the safe*.

And that’s the rub…

Even old mechanical locks reliable as they are suffer from failure due either to mechanical fault or loss of key.

Electronic locks have the same failings but additionally suffer from others such as battery failing, or electronics failing due to static etc.

Older safes had “secret” weak points that a locksmith in the know could drill. But as “we know” that is security by obscurity, and as we frequently tell people “it is a bad idea”.

But is it, when somebody decides that this means a method of override for an electronic lock can be just put on the front panel, but has insufficient understanding of what that really means…

I have at home an early generation table top electronic safe, however if you know which piece of plastic to pop out you will find an old fashioned very very cheap two possibly three pin lock that can be picked in a very short time… I would say that it is actually more secure than this Brinks safe, simply because the level of skill to pick the cheap lock is somewhat higher than plugging in a USB device…

Dirk Praet August 4, 2015 8:51 AM

@ Anura, @ Alan Kaminsky

It’s a clear case of IoT-frenzy induced SHITE: Security Hazard (of) Internet Things Everywhere.

Nick P August 4, 2015 11:05 AM

@ Bruce

A prior article here on safes ended up with several endorsements of Kaba Mas’s X-09 (now X-10). Brink’s customers should’ve just bought that instead. Yeah, I know: real security ain’t cheap. 😉

And it’s virtually never Internet-connected!

@ Justin

Yes, Internet enabling, Windows XP, $240,000… quite an insane combination. Previously only reserved for ACH “security.” You’d think those results would’ve taught people something. 😉

Steve Friedl August 4, 2015 1:36 PM

Seems to me that if one wants to get this fixed, one ought not talk to Brink’s, who has every incentive to hide/obscure the issue, but to the banks who are offering provisional credit for the contents of the safe, and have real-deal money on the line.

Name August 4, 2015 3:45 PM

@Steve Friedl – I once complained to a cable TV station that one of their ads was louder than others and was overloading my TV’s circuits, causing considerable THD.

Even though I spoke to an engineer who identified the problem. It would cost them an (obviously obligatory) audio compander upgrade to fix, and it was their circuits being overloaded, not mine. Nothing happened for a week and everyone had to keep putting up with the audio distortion.

A week later I complained to the company being advertised: problem was fixed same day. I finally felt powerful. The advertiser was McCain Foods, and the cable TV company was CTV in Canada.

albert August 4, 2015 4:29 PM

@Name,
Kudos, you’ve discovered the power of the dollar! Even the CAD has power:) Sorry, couldn’t resist it…
.
..
.
..
o

Mike the goat August 5, 2015 5:13 AM

This seems to be a disturbing trend with emerging IoT devices, especially those from vendors who traditionally had products which weren’t globally connected.

It is worrying to see, using tools like Shodan just how many disparate devices are actually online. So many really don’t even have cause to be. I remember way back in the early 2000s telnetting to an IP and mistyping it and discovering a control system for a water supply plant in BC. Granted no changes were able to be made without authentication but just being able to see its configuration may be a threat.

The recent Jeep Cherokee remote exploitation that has been so talked about in infosec circles just highlights that what we have learned through decades of experience in hardening networked devices has not been learned by the embedded techs that develop for these corporations. I do wonder if anyone at Chrysler sat down and asked the essential question, “how much access does this infotainment system need?” and the equally important, “if compromised, exactly what would be the consequence and how can we limit the damage if this happened”

Designing products that not just actively prevent intrusion but fail safely in the event of compromise is absolutely essential, especially when you talk of safety critical products like an automobile.

I don’t want to live in a future when someone can exclaim “my refrigerator has been hijacked” and not be certifiably insane. If that limits the feature set, then so be it – as so often happens the outcomes of a compromise in an internet enabled device aren’t necessarily obvious. For example, refrigerators are often used for the storage of vaccines and although purpose built units exist many domestic units are used in clinics throughout the world. If temperature was controllable by the firmware and the unit was compromised, having the temperature go wildly outside spec at random periods – preferably of an evening or when usage logs indicate that discovery is unlikely would result in people being given denatured products. Even in a domestic usage scenario people could get ill from food going bad.

You really need to question the WHY of some of these products. Is an internet enabled safe/icebox/lamp/etc really a useful thing and does its utility as a network connected device compensate for the risk that this brings with it?

albert August 5, 2015 10:33 AM

@Mike the goat,
I’ll come right out and say it: “It’s a fad.”

[choir]
When personal computers first came out, the race was on to write programs for everything, and those programs have become very sophisticated and important. When microcontrollers first became available, the race was on to put them in everything, and folks have succeeded in that task. They’re ubiquitous. Now we’re going through the same thing with connectivity (driven by the insatiable greed of the telcos), but with a twist. With the world being in a constant state of ‘war’ (military and economic), bad actors suddenly have huge budgets to breach security holes in networked systems. Mischievous individuals can do a lot of damage as well. We left Sesame Street and we’ in da ‘hood now.
[/choir]
.
You are correct about “embedded techs”. They live in their own little world…and that was fine in the beginning. Think of the ECU as a stand-alone system, with EFI, EI, all wonderfully efficient. Government regulations (reduced emissions) and marketing demands (better fuel economy) drove these developments. Also, circuit boards are cheaper than mechanicals. Remote ‘updating’* of firmware was the last, fatal, flaw. It’s totally absurd to think, let alone demand, that network ‘security’ be incorporated into embedded systems.
.
Connectivity and embedded systems need a divorce, and the sooner, the better. That’s my position, and I’m sticking to it!
.
*that is, ‘bug fixing’…sorry, ‘software anomaly’ correction.
.
..
.
..
o

JohnH August 6, 2015 6:02 PM

@Toto – in regards to door locks – many of these doors have ultrasonic motion detectors on the inside to automatically unlock the door when someone wants to leave. A large piece of cardboard put under the door and moved around is frequently sufficient to trigger the ultrasonics, unlocking the door, and then one can enter. This works best on interior doors, as moving the cardboard under door sills may be difficult. Double doors on the exterior without something covering the opening may also work, but there is less surface area the ultrasonics can see.

cynical August 6, 2015 10:05 PM

@ Mike the goat

It’s Scottie beam me up!

We’ve been entrenched in the 70s sci-fi vision of responsive tech. The invisible hand if you will that gear and gear to our demands.

This has long been educated into our culture non-textbook so it’s only natural that we set to pursue.

Alex August 8, 2015 2:50 PM

Bruce,

I can’t go into too much detail, but the safes do not appear to be engineered or manufactured by Brink’s. Brink’s operates as a service-provider to their clients (retailers). The safe is actually designed/manufactured by a company known as FireKing, who then sells these safes as a White Label product.

A patch was written and distributed to address the vulnerability a year ago, when the matter was first privately disclosed to both the manufacturer and service-provider. Bishop Fox evidently had an interest in acquiring a decommissioned (and hence, unpatched) unit to make a demonstration out of the situation. True, these vulnerabilities only serve to highlight the importance of including infosec early in the design phase of any product or service. But I question just how much “communication” really occurred over the course of the year in which Bishop Fox claims “nothing” was done to block this attack.

More info from FireKing:
http://www.prnewswire.com/news-releases/fireking-patch-secures-brinks-safe-against-hacks-featured-in-media-reports-last-week-300125775.html

fajensen August 10, 2015 7:42 AM

Anura • August 3, 2015 7:19 PM

I think we need to petition the FTC to change the rules so that you can’t advertise something as being “smart” if it has an internet connection.

Any product using an adjective as part of the name will possess the inverse properties of what the adjective confers:

“Simple” – Simple Network Management Protocol, SNMP -> Unreasonably Complex Device Management Protocol,

“Smart” Meter / Car -> Retarded Meter / Car,

“Intelligent” Power Management, IPMI -> Barely-Works bit-flipping protocol used for many things Unrelated to Power,

“Secure ….” -> Yeah, Riiiight.

et cetera.

The general rule is that if “they” have to tag plus-words onto the name of the product, then the product as-is sucks.

JJ August 17, 2015 3:33 AM

Is anyone worried about the economy?

The stock market collapsed in 2008 due to subprime loans and massive fraud, but nothing has been fixed. The criminal bankers were rewarded with bailouts instead of being sent to prison.

The true US debt is now $210 trillion.

http://www.washingtonexaminer.com/study-true-size-of-federal-government-debt-is-210-trillion/article/2565559

The US may launch QE4.

https://www.yahoo.com/music/s/forget-patience-qe4-coming-peter-203844732.html?nf=1

U.S. economic growth is slowing.

https://uk.finance.yahoo.com/news/u-economic-growth-slows-q4-132633131.html

Warning signs are developing in the housing market.

http://money.cnn.com/2015/03/25/investing/housing-bubble-homebuilders/index.html

Construction spending is falling.

https://www.bostonglobe.com/business/2015/04/01/construction-spending-falls-for-second-month-february/X6xShaKh38SPVTVPYuo59J/story.html

Sales are falling.

http://www.stltoday.com/business/local/u-s-companies-expected-to-report-worst-sales-fall-in/article_260df4cf-5850-503e-b15e-2006af0441eb.html

Housing starts are falling.

http://www.durangoherald.com/article/20150222/NEWS04/150229971/-1/news

Jobless claims are rising.

http://www.stltoday.com/business/local/u-s-jobless-claims-rise-more-than-expected-in-latest/article_27b009d3-122c-5847-8226-83f11b13baa5.html

Factory orders are falling.

http://finance.yahoo.com/news/u-factory-orders-fall-sharply-150311437.html

Stocks are falling.

http://www.usatoday.com/story/money/markets/2015/03/10/stocks-tuesday/24690031/

Consumer comfort is falling.

http://www.northjersey.com/news/business/consumer-comfort-falls-to-lowest-level-since-november-1.1349259

Wage growth is at a record low.

http://finance.yahoo.com/news/comes-wage-growth-121402686.html;_ylt=AwrC1CgCaNFVpxQAKCXQtDMD;_ylu=X3oDMTByNXQ0NThjBGNvbG8DYmYxBHBvcwM1BHZ0aWQDBHNlYwNzcg–

Gold prices are rising.

https://uk.finance.yahoo.com/news/commodities-gold-prices-rise-crude-091600605.html

Home ownership is at a 20 year low.

http://www.latimes.com/business/la-fi-home-ownership-20150129-story.html

The majority of consumers have subprime credit scores.

http://www.washingtonpost.com/news/get-there/wp/2015/01/29/the-majority-of-consumers-have-subprime-credit-scores-report-says/

Sidebar photo of Bruce Schneier by Joe MacInnis.