Hacking Smart Safes: On the "Brink" of a Robbery

Presented at DEF CON 23 (2015), Aug. 8, 2015, noon (60 minutes)

Have you ever wanted to crack open a safe full of cash with nothing but a USB stick? Now you can! The Brink's CompuSafe cash management product line provides a "smart safe as a service" solution to major retailers and fast food franchises. They offer end-to-end management of your cash, transporting it safely from your storefront safe to your bank via armored car. During this talk, we'll uncover a major flaw in the Brink's CompuSafe and demonstrate how to crack one open in seconds flat. All you need is a USB stick and a large bag to hold all of the cash. We'll discuss how to remotely take over the safe with full administrator privileges, and show how to enumerate a target list of other major Brink's CompuSafe customers (exposed via configuration files stored right on the safe). At any given time, up to $240,000 can be sitting in each of the 14,000 Brink's CompuSafe smart safes currently deployed across the United States - potentially billions of dollars just waiting to be stolen. So come ready to engage us as we explore these tools and more in this DEMO-rich presentation. And don't forget to call Kenny Loggins… because this presentation is your highway to the Danger Zone… Note - This presentation is about exposing flaws in the Brink's CompuSafe to improve security and allow pentesters to demonstrate these flaws to their customers. Please use this information responsibly.


Presenters:

  • Oscar Salazar - Senior Security Associate at Bishop Fox
    Oscar Salazar is a Senior Security Associate at Bishop Fox (formerly Stach & Liu), a security consulting firm providing IT security services to the Fortune 500, global financial institutions, and high-tech startups. In this role, he focuses on application penetration testing, source code review, and secure software design. Oscar has presented at RSA, Bsides, and Adobe’s annual private Security Summit conference. Prior to joining Bishop Fox, Oscar served as a web security research engineer at Hewlett-Packard’s Application Security Center where he designed and developed security checks for the WebInspect web application security scanner. In addition, his research involved developing more effective methods of scanning Web 2.0 applications. Oscar holds a Bachelor of Science from the Georgia Institute of Technology with a major in Computer Science and a focus on Networking and Security.
  • Dan Petro / AltF4 - Security Associate, Bishop Fox (credited as Dan "AltF4" Petro)
    Dan Petro is a Security Associate at Bishop Fox (formerly Stach & Liu), a security consulting firm providing IT security services to the Fortune 500, global financial institutions, and high-tech startups. In this role, he focuses on application penetration testing and secure development. Dan has presented at numerous conferences, including DEF CON, BlackHat, HOPE, and BSides, and is the founding member of the Pi Backwards CTF team. Prior to joining Bishop Fox, Dan served as Lead Software Engineer for a security contracting firm. Dan holds a Bachelor of Science from Arizona State University with a major in Computer Science, as well as a Master’s Degree in Computer Science from Arizona State University.