In the old days, thieves used explosives to get into a safe. But these days for one kind of Brinks safe, all it takes is a USB stick with 100 lines of code.
The surprising findings will be described at the Def Con Hacking Conference early next month in Las Vegas and marks a year's research by Daniel Petro and Oscar Salazar of security company Bishop Fox.
Some of Bishop Fox's customers use Brinks' CompuSafe Galileo, a modernized safe that makes cash management easier for businesses.
Employees can insert cash into the machine, which is counted. The CompuSafe generates reports for stores and can provide cash totals to banks, which can grant provisional credit for the deposits made before the cash is actually transported.
Brinks claims the CompuSafe helps stores eliminate deposit discrepancies, reduce theft and free staff from recounting and auditing cash.
But what the seasoned security investigators found shocked them. They uncovered a slew of vulnerabilities and design flaws that, in some cases, may be hard for Brinks to fix.
As of a couple of years ago, more than 14,000 CompuSafe Galileos were deployed across the U.S. All are still vulnerable to their attack, the researchers said.
They bought a Galileo CompuSafe on eBay. The most egregious problem they found is a fully functional USB port on the side of the safe. That allowed them to plug in a keyboard and a mouse, which worked.
"Nothing good comes from that," Salazar said. It was a sign of more bad things to come. "Every step of the way, we were like, 'This can't be possible'," Petro said.
The CompuSafe has a nine-inch touchscreen that runs an application that is used for entering authentication credentials. They found a way to escape that application -- known as a kiosk-bypass attack -- through a help menu, gaining access to the backend Windows XP embedded operating system.
At that point, it was game over for the safe. Petro and Salazar had administrator access to a Microsoft Access database file, which retains information on how much money the safe contains, user accounts on the system, when the door has been opened and other log files.
"By just editing that file, you can make the safe do anything you want," Salazar said.
That includes popping open the safe's doors, which they did.
Attackers could also perform much more sophisticated frauds using the database file that would be harder to detect, Salazar said.
The store inherently trusts the safe to report how much cash it has, Salazar said. If the machine has US$2,000 in it but the database is modified to only report $1,000, the bank and retailer would be none the wiser.