Slashdot Mirror

← Back to Stories (view on slashdot.org)

Hacker Set To Demonstrate 60 Second Brinks Safe Hack At DEFCON

Posted by samzenpus on from the thunderbolt-and-lightfoot dept.

darthcamaro writes: Ok so we know that Chrysler cars will be hacked at Black Hat, Android will be hacked at DEFCON with Stagefright, and now word has come out that a pair of security researchers plan on bringing a Brinks safe onstage at DEFCON to demonstrate how it can be digitally hacked. No this isn't some kind of lockpick, but rather a digital hack, abusing the safe's exposed USB port. And oh yeah, it doesn't hurt that the new safe is running Windows XP either.

22 of 147 comments (clear)

  1. Seriously! by invictusvoyd · · Score: 5, Insightful

    Digital safe running XP = = special ops commando running with a muzzle load flint lock.

    1. Re:Seriously! by Stuarticus · · Score: 4, Funny

      Yeah they should be running Windows ten, so many bugs even the exploits won't run.

      --
      If you think someone isn't free to have a different definition of "freedom" you may be a tyrant.
    2. Re:Seriously! by thegarbz · · Score: 4, Insightful

      I think a more apt example would be a special ops commando dragging a trebuchet. It's slow, unwieldly, probably would hinder you more than help you, and is incredibly heavy for an otherwise simple mission.

      The WTF is not that it is running Windows XP, it's that it is running a full blown OS at all.

    3. Re:Seriously! by Mal-2 · · Score: 5, Informative

      In this case, the Windows version is irrelevant. They didn't attack Windows, they attacked the software running on top of it. Since the OS wasn't compromised, upgrading it would do one of two things: (1) break things, either a little or a lot OR (2) absolutely nothing.

      "Even if the CompuSafe were running Windows 10, it wouldn't have changed the exploit that we will be demonstrating," Salazar said.

      It's right in there. Of course that would require reading the article, and I'm sure I broke some unwritten rule by doing so.

      --
      How is the Riemann zeta function like Trump rallies? Both have an endless number of trivial zeros.
    4. Re:Seriously! by invictusvoyd · · Score: 2

      I've read the article and am fully aware that windows XP had no role in this particular exploit but just the thought of a digital safe running a fully blown bloatware OS like XP is so offending that many of us can't restrain ourselves .

    5. Re:Seriously! by oobayly · · Score: 5, Interesting

      This was my immediate thought too. Dave on eevblog did two videos on seeing if there was a power line vulnerability on a cheap digital safe - they're pretty interesting, plus he's quite amusing to watch.

      EEVblog #762 - How Secure Are Electronic Safe Locks?
      EEVblog #771 - Electronic Safe Lock Powerline Attack Part 2

    6. Re:Seriously! by K.+S.+Kyosuke · · Score: 4, Insightful

      In this case, the Windows version is irrelevant. They didn't attack Windows, they attacked the software running on top of it.

      There may be a somewhat strong correlation between being so stupid that you decide to run Windows XP on a sensitive embedded system and being so stupid that you write a sensitive application in a way that makes the whole system have obvious mistakes in it.

      --
      Ezekiel 23:20
    7. Re:Seriously! by nate_in_ME · · Score: 2

      I didn't read the actual article, but from some other comments on here, it sounds like this is doing a bit more than a traditional safe: Counting the funds inserted and Transmitting this deposit to the bank to name just a couple things. This means: - Network/Internet access to some degree, including all the necessary security features (SSL, etc) - Peripheral access (bill reader) - Some sort of confirmation on the safe that the deposit was completed Considering this has been described by some as an "ATM in reverse", it probably makes sense to use the same code base as an ATM, which in many cases means XP embedded (or its newer versions).

    8. Re:Seriously! by BitZtream · · Score: 2

      Because?

      No, you have no reason why XP is wrong for the job, you're just parroting what you've heard others say without understanding why.

      In an embedded environment with limited attack vectors, XP is fine.

      Note: They aren't even attacking XP here, they are attacking the software Brink's themselves wrote. Might be a good idea to get a clue before blaming the wrong thing fanboy.

      --
      Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
    9. Re:Seriously! by Joce640k · · Score: 2

      The article says it's nothing to do with the OS, but any excuse, eh?

      --
      No sig today...
    10. Re:Seriously! by zerosomething · · Score: 2

      Security by obscurity

      Really, what were they thinking by not using OS2.

      --
      It all starts at 0
    11. Re:Seriously! by vtcodger · · Score: 5, Insightful

      A "safe" with a USB port? What could possibly go wrong?

      --
      You can't see ANYTHING from a car, You've got to get out of the goddamned contraption and walk...Edward Abbey
    12. Re: Seriously! by KGIII · · Score: 2

      Any malware on a Windows system is bad Windows security. Any malware on Linux is Linux is the kernel! Very few (lately) exploits are Windows kernel (the explorer.exe process) and most are a fault of an application running on top of the kernel (which should have, and does have, better protection). We just see what we want to see and have our own prejudices. If we strip it down to current threats across the kernel (or across software loaded on the kernel) but keep them equal the numbers look different which is not to say the actual malware numbers match.

      An interesting aside was the recent article about a MMS malware vector for Android. When we count Linux installs we happily count Android. When the malware article showed up that view was not so popular. Of course, it won't be counted because it is not the kernel. We will find justification to reenforce our beliefs no matter how much evidence is contrary to those beliefs. We are humans, it is what we do.

      And no, I am not a Windows shill. I do use Windows from time to time but I mostly use Mint and, lately, CentOS. I was also a Microsoft MVP (Shell, IE/OE, Security) for quite some time. I was also a Unix user (SunOS/Solaris mostly) for even longer before that. I do own two Apple products, modern - a few if we count older stuff, but I am not familiar enough with OS X/iOS to claim that I actually use them - they are nice but I just can not get past the interface to learn to be comfortable with them, my own failing. So, no, I am not really a fan of any OS or any distro. I am a slut and will use them all to my advantage.

      --
      "So long and thanks for all the fish."
  2. wow by invictusvoyd · · Score: 2

    "A large portion of the attack is about escaping out of the kiosk mode that is put in place on the safe, in order to prevent someone from accessing the backend system,"

    And I thought Tom Cruise would be dodging laser beams and planting a sophisticated code cracking super gadget into the USB port.

  3. Interesting Observation... by KGIII · · Score: 2

    I have been to defcon in the past. What is amusing is all the people there from a variety of three letter agencies. They are usually the ones with nice shoes and/or dressed in dark attire. That is my impression at least though I suppose I could be mistaken. Anyhow, the amusement is in the number of them. I suspect they could send fewer or just get together and send a lot fewer people. In some of the smaller and more detailed talks there would be a bunch of them and they seem to gravitate towards each other.

    I wonder about the possibility of an event where the feds were not invited and the venue was invite only sans marketers? They would need some way to vet attendees and some would get in through the cracks. Blackhat Con USA was weird feeling. You are sitting there in a talk and you know you are surrounded by law enforcement. I can only imagine that they are like the pervs that attend gaming conventions these days. (I have not been to a gaming convention in a good many years. I did go and get Dungeons and Dragons in loose-leaf format once but that was oh so many years ago and I am too old for such now.)

    --
    "So long and thanks for all the fish."
    1. Re:Interesting Observation... by meta-monkey · · Score: 2

      You check out as the real KGIII. Or a very good KGIII Markov chain text generator.

      --
      We don't have a state-run media we have a media-run state.
    2. Re:Interesting Observation... by Demonoid-Penguin · · Score: 2

      I have been to defcon in the past. What is amusing is all the people there from a variety of three letter agencies.

      Spot the Fed is always fun. I've always wondered how many that look obvious then are just low ranking Postal workers taking the piss.

      There's been talk in the past of banning them - but I don't think the organisers are actually serious about it. I think it's one of the main attractions. They have the best swag to swap.

  4. Standards by invictusvoyd · · Score: 2

    The good thing about standards is that we have so many of them to choose from.

  5. Why? by bickerdyke · · Score: 5, Insightful

    Why does a safe need an operating system?

    And then why for heavens sake has it to be a desktop operating system? Does it need to run MS Office or what was the design idea here? It's not like there are especially hardened OSses out there for embedded devices. (Not to mention that this means we have a safe that's running on a x86 architecture)

    And after having such a terrible design idea, why have it implemented by a moron using an out of date, unsupported, and buggy OS?

    --
    bickerdyke
  6. Re:Why not have mechanical security too? by Mal-2 · · Score: 5, Informative

    It's basically an ATM in reverse, for stores. Put money in, and you're not SUPPOSED to be able to get it back out. Instead, it immediately shows up in your bank account. The bank will come around and empty the safe when it is convenient to them. If the power fails, they'll just have to come back some other time.

    At least that's the plan. The exploit clearly shows that someone other than the bank or a Brinks employee CAN open the safe.

    But of course, nobody reads the articles before complaining. This is /. after all.

    --
    How is the Riemann zeta function like Trump rallies? Both have an endless number of trivial zeros.
  7. Still a problem more than a year later? by jenningsthecat · · Score: 2

    FTA: "So the issue isn't so much that there is no acknowledgment that there is a problem; rather, the vendors have been pointing fingers about whose problem it is for over a year, without progress made on the actual resolution."

    Finger pointing or not, it's hard to believe that it could take that long to address the issue. Even if they can't get their shit together to fix the fundamental problem, couldn't they at least kludge in a piece of gateway software that would intercept the USB port data and raise the difficulty level of gaining access and exiting kiosk mode? That, plus actual lock-and-key protection of the port, (and maybe a retrofit of a custom connector that would make it even more difficult to make the physical connection), would buy them a lot of time to get through the exercise of deciding who's going to fix the REAL problem.

    Speaking of fixing the problem - I know the answer to this, but I have to ask anyway: What happened to the practice of just fixing it because you can, and because it makes you look good, without regard to whose fault the problem was in the first place? They could have had this taken care of inside two weeks - maybe a month at the outside - if they weren't playing juvenile schoolyard politics.

    --
    'The Economy' is a giant Ponzi scheme whose most pitiable suckers are the youngest among us and the yet-unborn.
  8. We have this awesome new tech... by pla · · Score: 2

    They call it a "lock and key". Totally uncrackable over the internet or via USB, and although exploits do exist, for higher quality setups they take considerable time with physical access to the device.

    The "IoT" is not our friend, folks - It turns solid, reliable old-school products into yet another vector for malware in your house. And if you think reinstalling Windows sucks, how about having your oven go into self-cleaning mode during your vacation without the safety latch closed? How about having your blender "playfully" get your cat's attention with brief pulses before going full puree? How about overriding your on-demand hot water heater to its "steam clean" setting with you in the shower?

    I love toys, including electronics. But the fewer things in my house vulnerable to remote exploits, the better. My toaster should have one dial and one lever and zero computers, period.