
DefCon Hackers Tell How They Cracked Brink's Safe in 60 Seconds - mtuncer
http://www.eweek.com/security/defcon-hackers-tell-how-they-cracked-brinks-safe-in-60-seconds.html
======
xenophonf

      "So the issue isn't so much that there is no
      acknowledgment that there is a problem; rather,
      the vendors have been pointing fingers about
      whose problem it is for over a year, without
      progress made on the actual resolution."
    

And my colleagues wonder why I support full disclosure. I tell you what - if I
was a bank that used these products, I'd be going around and epoxying these
USB ports closed ASAP.

~~~
david_shaw
I used to work as a penetration tester, and one of our clients hired us to
perform a "custom application" assessment. I can't give specific details (for
obvious NDA-related reasons), but this application was a large device that
interfaced with mission-critical hardware -- and ran Windows XP embedded.

They'd done a pretty good job securing the OS and device itself: we couldn't
actually connect it to any networks, so network penetration testing was
difficult, and there were no USB ports or CD drives. Unfortunately for them,
they _did_ leave an archaic port open on the back of the device. Now, this
wasn't a USB port or anything, but (with certain difficult-to-source adaptors)
we _were_ able to get an external 3.5" floppy drive hooked up -- through which
we could (slowly) load arbitrary executables, and take over the device.

When we explained this finding, the client told us that certain customers of
theirs required this port for proprietary communication, and that they
couldn't remove it from production. The end result was that for every
production run of this device that _wasn't_ going to one of those edge-case
customers, epoxy was manually applied to close off the port.

Not the most elegant solution, but I guess it worked!

~~~
x0054
Why not simply score the motherboard around the port to cut the traces? Epoxy
sounds like such an inelegant solution. But I am a neat freak :)

~~~
xenophonf
I personally would prefer epoxy because just about anybody can apply it,
whereas to safely cut traces on a motherboard requires someone with a modicum
of technical skill, the purchase of suitable tools, hardware testing
afterwards, etc.

~~~
x0054
That's true, but isn't the company making these devices? If they are making
them, they must have someone capable of operating an X-Acto knife. Also, if
you are concerned about an attack that requires someone to load code very
slowly from a floppy, wouldn't you also be concerned about someone using a
battery-operated rotary tool to cut the epoxy around the pins, and then
connecting probes to those pins, which would then allow them to connect the
floppy drive?

~~~
simoncion
Epoxied ports are like locks. They're there to keep honest people out and to
slow down (and in the case of epoxied ports, _really_ slow down) dishonest
people.

I don't know where the hardware was going, but computers are often either
located in places where only trusted employees are permitted, or where there
is not-infrequent foot traffic. Combine either trusted employees or random,
unpredictable passers-by with regular inspection of the hardware, and you have
a pretty decent solution.

Epoxied ports can also be used as an after-the-fact intrusion warning. You
know the thing was epoxied from the factory. If your inspection reveals that
the epoxy is missing or has been altered, then you're almost certain that
something nefarious was going on.

~~~
x0054
Some time ago, around 2008, I let my friend use my bicycle for a few weeks. He
ended up losing the key to the bike lock, and I had to cut off the lock to get
the bike out. So here I was, with a battery-operated angle grinder, wearing a
hoody, cutting a bike lock in the middle of downtown San Diego at 4pm on a
weekday with streets full of people, 4 blocks from the central jail, and cops
going up and down the street. It took me 15 min to grind through the lock, and
it made a lot of noise. No one even bothered to ask me what I was doing;
people were walking by as if I didn't exist. Cops drove by without stopping.

My point is, if these machines were destined for public places, it wouldn't
surprise me if a man in overalls could sit next to them and grind away epoxy
with impunity for hours before anyone would think twice about it.

~~~
simoncion
From the story, it sounds like the client actually cared about the security of
these devices. I would be somewhat surprised if they were left unobserved long
enough for someone to surreptitiously carve out the epoxy and attach a drive
to it.

Though, we can't know if the client was looking for intrusion prevention, or
merely after-the-fact intrusion detection. :)

------
jhull
'...[they] literally "smashed" on the keyboard to see what would happen when
arbitrary keys were pressed together. Using that smashing technique, the
researchers were able to figure out how to escape the kiosk mode.'

They also just invented the newest SaaS model: "Smashing as a Service"

~~~
stygiansonic
Sounds like keyboard fuzzing; a strange way to get out of kiosk mode, but hey,
it worked.

~~~
hwillis
Certainly does. Public terminals at Boston University used to crash to desktop
if you smashed on the keyboard enough.

~~~
kbenson
This is a tried and true technique used by students for decades.

~~~
FeepingCreature
When I was a kid, a bookstore nearby had a computer where you could download
free software, with a closed interface. Anyway, some guys came along and were
like "look, we're gonna hack this thing", at which point they started mashing
on the keyboard like madmen. (The poor beeps of that abused computer ...)

And now you're telling me this is an actual thing?? My life is a lie.

~~~
kbenson
What do you think fuzzing is? Keyboard mashing taken to 11. ;)

------
striking
So the hack is a classic kiosk mode breakout, like you could try to do with
poorly secured public computers. The wonder here is not in the hack, because
it's just a set of keypresses and mouse clicks. The wonder instead lies with
the manufacturer who made a safe stupid enough to be bypassed with a mouse
and keyboard.

~~~
timboslice
10+ years ago I was at a public library with terminals that were in kiosk mode
with IE in fullscreen, hidden start menu, etc. I used a paperclip to eject the
CD drive, put in a CD with autorun, and voila: visible start menu, and I was
able to get to the internet from IE.

~~~
amalag
I hear Brink's QA department is hiring.

~~~
mannykannot
QA is not the solution - this is a design failure.

~~~
someone7x
Exactly. Often in BigCorp type places bugs are classified as deviations from
requirements. If this poor design was the requirement, then any objections
that may have arisen would've probably been classified as suggestions instead
of bugs.

~~~
mokus
I have to think even the most myopic bureaucrats would remember to include
"cannot be opened except by authorized parties" in a requirements document for
a safe.

~~~
tyho
Yes, but all that will achieve is a tester writing it into their plan to check
that invalid credentials don't let you in. It will not magically teach
programmers to write secure code.

~~~
mokus
The bit I was replying to was a hypothetical situation where QA does, for some
reason, find the flaw but management rejects it because it doesn't match a
bullet point in the requirements. My point was just that if that's not in the
requirements then you have even bigger problems. I never claimed or even
implied (because I don't believe) that writing down that requirement would
actually achieve anything.

------
powertower
> Oscar Salazar, senior security associate at security firm Bishop Fox
> explained that _money inserted into the CompuSafe is automatically deposited
> to the retail store's bank account_.

In case anyone was also wondering what that is, after looking it up, it's
provisional credit with the bank... The safe transmits daily deposit data to
the bank, and the bank credits your account.

~~~
ams6110
Which they will certainly debit out of your account if the money isn't
actually in the safe.

------
coldcode
Even funnier that the money is the bank's once it goes into the safe. So once
again the reason to rob a bank is "that's where the money is", except here you
can do it with a USB widget. If the money stays in the safe overnight (how
often do the Brinks people come?) it's a pretty easy score.

~~~
logfromblammo
Now, I'm not all that familiar with the banking industry, but assuming
ownership of bearer instruments (banknotes) before they are actually in your
possession seems like a risky practice. You're basically assuming that all
those third parties involved in securing your property are going to do their
very best to prevent you from losing it, without actually having much at stake
themselves.

If the transfer of ownership is completed the instant the store drops the cash
into the safe, they only have an interest in securing the path to the point of
deposit, and have no interest in securing the safe itself.

Indeed, the naive criminal plot would be to adjust the store surveillance
cameras such that the safe-deposit process could be visually verified, but the
cracking process would be obfuscated. Then a store employee cracks the store's
own safe, takes the money out, and takes it out through the loading dock with
the trash.

[Edit:] It seems as though the safe credit is actually a provisional deposit,
and banks aren't all that crazy after all.

~~~
pjc50
Banks are quite adept at both insurance and recovery from petty fraud.

------
Vexs

      "tool that Salazar and Petro created basically emulates mouse and keyboard presses"
    

USB Rubber ducky? Neat tool that is.

~~~
VMG
Thanks, haven't heard of it before

[http://usbrubberducky.com/](http://usbrubberducky.com/)

~~~
Vexs
It's pretty cool- afaik, it's based off of the teensy 2.0 uC. There's actually
some neat firmware that lets it emulate a flash drive at the same time as a
keyboard/mouse, allowing you to deploy software on the flash drive. For that
reason especially, it could be useful for anyone in IT.

------
edc117
They've known about the vulnerability for a -year-?? Come on. In some fields,
fine, but in a safe company?

~~~
mfoy_
They probably assumed that the cost of fixing the issue and actually pushing
that fix to every unit in the field would outweigh the cost of not fixing it.

~~~
john_b
True, though now that it's public they may start accounting for the potential
cost of lawsuits within the next year.

------
flashman
This sounds a lot like Samy Kamkar's USBdriveby tool:
[http://samy.pl/usbdriveby/](http://samy.pl/usbdriveby/)

 _USBdriveby is a device you stylishly wear around your neck which can quickly
and covertly install a backdoor and override DNS settings on an unlocked
machine via USB in a matter of seconds. It does this by emulating a keyboard
and mouse, blindly typing controlled commands, flailing the mouse pointer
around and weaponizing mouse clicks._
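
The Rubber Ducky thread above and the USBdriveby description here both turn on the same trick: the device enumerates as an ordinary USB keyboard/mouse and types a payload. One host-side signal that survives this is timing: no human sustains a run of key presses a few milliseconds apart. The following is an added example (not code from the article, the thread, Bishop Fox, or Samy Kamkar) that parses Linux evtest(1)-style EV_KEY lines and flags runs of presses below a human-plausible gap. The 30 ms floor, the 8-key minimum, the helper names, and the sample log are all assumptions constructed for the example.

```python
"""Keystroke-injection heuristic over evtest-style input events (added example)."""
import re
from typing import List, Tuple

# evtest prints one line per input event, for example:
#   Event: time 1438380000.123456, type 1 (EV_KEY), code 30 (KEY_A), value 1
# value 1 = press, 0 = release, 2 = autorepeat (a held key, not injection).
EVTEST_KEY_RE = re.compile(
    r"Event: time (?P<ts>\d+\.\d+), type 1 \(EV_KEY\), "
    r"code \d+ \((?P<key>[A-Z0-9_]+)\), value (?P<val>[012])"
)

MAX_GAP_S = 0.030   # assumption: presses under 30 ms apart are not human typing
MIN_KEYS = 8        # assumption: this many back-to-back fast presses before alerting


def parse_key_downs(lines: List[str]) -> List[Tuple[float, str]]:
    """Return (timestamp, key) for each key press; releases and autorepeat are ignored."""
    downs = []
    for line in lines:
        m = EVTEST_KEY_RE.search(line)
        if m and m.group("val") == "1":
            downs.append((float(m.group("ts")), m.group("key")))
    return downs


def find_injection_bursts(downs: List[Tuple[float, str]],
                          max_gap: float = MAX_GAP_S,
                          min_keys: int = MIN_KEYS):
    """Group consecutive presses whose gap is below max_gap; report runs of >= min_keys.

    Returns a list of (first_ts, last_ts, key_count, typed_text). A human who
    types quickly still produces gaps well above max_gap, so each of their
    presses ends up in its own short run and is never reported.
    """
    bursts = []
    run_start = 0
    for i in range(1, len(downs) + 1):
        run_ended = i == len(downs) or downs[i][0] - downs[i - 1][0] >= max_gap
        if run_ended:
            run = downs[run_start:i]
            if len(run) >= min_keys:
                text = "".join(k.replace("KEY_", "") for _, k in run)
                bursts.append((run[0][0], run[-1][0], len(run), text))
            run_start = i
    return bursts


def make_events(start: float, keys, gap: float) -> List[str]:
    """Constructed evtest-style press/release lines, one key every `gap` seconds.

    The key code is a placeholder (0); the parser keys on the name, not the code.
    """
    lines = []
    for n, key in enumerate(keys):
        t = start + n * gap
        lines.append(f"Event: time {t:.6f}, type 1 (EV_KEY), code 0 (KEY_{key}), value 1")
        lines.append(f"Event: time {t + gap / 2:.6f}, type 1 (EV_KEY), code 0 (KEY_{key}), value 0")
    return lines


def sample_log() -> List[str]:
    """Constructed sample: a human typing HELLO at ~120 ms/key, then a 20-key
    injected burst at 5 ms/key, the rate a HID emulator can easily sustain."""
    human = make_events(1000.0, list("HELLO"), 0.120)
    injected = make_events(1003.0, list("POWERSHELLEXECBYPASS"), 0.005)
    return human + injected


if __name__ == "__main__":
    for first, last, count, text in find_injection_bursts(parse_key_downs(sample_log())):
        print(f"burst of {count} keys in {last - first:.3f}s: {text}")
```

This is a heuristic, not a control: a patient payload can pace itself at human speed, and it says nothing about the mouse-flailing USBdriveby also relies on. The stronger fix for a device like the safe is the one the thread keeps circling back to: it has no reason to enumerate a new keyboard at all, so block unknown HID interfaces (or the port itself) rather than detecting their typing afterwards.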

------
Spoom
I predict they will attempt to shut down the talk before it happens via legal
means.

~~~
beambot
I have a question about this: With all the BlackHat / Defcon talks that have
been squelched over the years in the run-up to the conference... why do they
still advertise talks ahead of time?

Wouldn't it be much, much better to just keep the topics secret until the
moment of disclosure?

~~~
orf
That would derail the hype train

------
god_bless_texas
Is this actually made by Brinks? Loomis offers a similar product named
"SafePoint".

From the pictures, it looks like the same hardware.

I wonder if the vulnerability is specific to the customer or the hardware?

~~~
tlb
Made by Tidel. [http://www.tidel.com/](http://www.tidel.com/).

------
mfoy_
Interesting article aside, was the shadowy ninja with a fedora really
necessary?

~~~
usefulcat
Also, isn't that figure holding the sword with the blade pointed towards his
own neck? The blade looks pretty straight compared to most katana pictures
I've seen but notice the tip.

~~~
0xffff2
It's straight because it's a Ninjato[1], not a katana. It's most definitely
being held backwards though.

[1]
[https://en.wikipedia.org/wiki/Ninjat%C5%8D](https://en.wikipedia.org/wiki/Ninjat%C5%8D)

------
christop
Somebody took Microcorruption a bit too literally!

------
zimbu668
I was expecting something like this:

[https://www.youtube.com/watch?feature=player_detailpage&v=nB...](https://www.youtube.com/watch?feature=player_detailpage&v=nBhOjWHbD6M#t=148)

but USB sticks are probably a little less suspicious than crow bars.

------
gcb0
> safe had a usb port.

nothing else to read here.

------
at-fates-hands
So if they can use the exploit to open the safe, I'm assuming there is a way
to then lock the safe down and keep the Brinks and company employees out of
the safe?

------
soyiuz
Is it exactly 60 seconds? Or more like 58? or 71? Not a fan of such
sensationalist headlines.

~~~
acveilleux
It's probably blind so it's more like "about a minute".

