A pair of cybersecurity researchers said they plan to bring a Brink's armored vehicle on stage and hack into its cash vault at an upcoming security conference. All it takes to break into the company's safes is to exploit a weakness in a USB port located on the outside of the trucks' safe, the researchers said.
Oscar Salazar and Dan Petro, security associates at Bishop Fox, told eweek.com they've created a tool capable of manipulating CompuSafe Galileo, the Brink's cash management system intended for use at corporate retailers. When employees insert cash into the CompuSafe machine, it automatically counts the money and generates a report for the store. CompuSafe then prevents the safe from being opened again unless both a store manager and a Brink's security employee verify their presence on a touch screen.
But there's no additional key or any kind of access restriction to provide another layer of physical security on the USB port, said Salazar and Petro. They plan to present their findings in Las Vegas on August 8, at the DefCon 23 conference.
“One of the main vulnerabilities we are focusing on comes by way of a USB port that is on the exterior of the safe,” Salazar told eWeek. “We have created a little tool that we can just plug into the safe, wait 60 seconds for the tool to do its work, and then the safe doors will open and you can take all the cash out.”
Over 14,000 CompuSafe Galileo machines are in use across the U.S., PC World reported, and all appear to be vulnerable to this hack. The USB design flaws also enabled the researchers to plug a functioning mouse and keyboard into the machine.
“Nothing good comes from that,” Salazar told PC World. “Every step of the way, we were like, 'This can't be possible,'” Petro added.