Slashdot Mirror


Hacker Set To Demonstrate 60 Second Brinks Safe Hack At DEFCON

darthcamaro writes: Ok so we know that Chrysler cars will be hacked at Black Hat, Android will be hacked at DEFCON with Stagefright, and now word has come out that a pair of security researchers plan on bringing a Brinks safe onstage at DEFCON to demonstrate how it can be digitally hacked. No, this isn't some kind of lockpick, but rather a digital hack, abusing the safe's exposed USB port. And oh yeah, it doesn't hurt that the new safe is running Windows XP either.

9 of 147 comments

  1. Seriously! by invictusvoyd · Score: 5, Insightful

    Digital safe running XP == special ops commando running with a muzzle load flint lock.

    1. Re:Seriously! by Stuarticus · Score: 4, Funny

      Yeah they should be running Windows ten, so many bugs even the exploits won't run.

      --
      If you think someone isn't free to have a different definition of "freedom" you may be a tyrant.
    2. Re:Seriously! by thegarbz · Score: 4, Insightful

      I think a more apt example would be a special ops commando dragging a trebuchet. It's slow, unwieldy, probably would hinder you more than help you, and is incredibly heavy for an otherwise simple mission.

      The WTF is not that it is running Windows XP, it's that it is running a full blown OS at all.

    3. Re:Seriously! by Mal-2 · Score: 5, Informative

      In this case, the Windows version is irrelevant. They didn't attack Windows, they attacked the software running on top of it. Since the OS wasn't compromised, upgrading it would do one of two things: (1) break things, either a little or a lot OR (2) absolutely nothing.

      "Even if the CompuSafe were running Windows 10, it wouldn't have changed the exploit that we will be demonstrating," Salazar said.

      It's right in there. Of course that would require reading the article, and I'm sure I broke some unwritten rule by doing so.

      --
      How is the Riemann zeta function like Trump rallies? Both have an endless number of trivial zeros.
    4. Re:Seriously! by oobayly · Score: 5, Interesting

      This was my immediate thought too. Dave on eevblog did two videos on seeing if there was a power line vulnerability on a cheap digital safe - they're pretty interesting, plus he's quite amusing to watch.

      EEVblog #762 - How Secure Are Electronic Safe Locks?
      EEVblog #771 - Electronic Safe Lock Powerline Attack Part 2

    5. Re:Seriously! by K. S. Kyosuke · Score: 4, Insightful

      In this case, the Windows version is irrelevant. They didn't attack Windows, they attacked the software running on top of it.

      There may be a somewhat strong correlation between being so stupid that you decide to run Windows XP on a sensitive embedded system and being so stupid that you write a sensitive application in a way that makes the whole system have obvious mistakes in it.

      --
      Ezekiel 23:20
    6. Re:Seriously! by vtcodger · Score: 5, Insightful

      A "safe" with a USB port? What could possibly go wrong?

      --
      You can't see ANYTHING from a car, You've got to get out of the goddamned contraption and walk...Edward Abbey
  2. Why? by bickerdyke · Score: 5, Insightful

    Why does a safe need an operating system?

    And then why for heaven's sake has it to be a desktop operating system? Does it need to run MS Office or what was the design idea here? It's not like there are especially hardened OSes out there for embedded devices. (Not to mention that this means we have a safe that's running on an x86 architecture)

    And after having such a terrible design idea, why have it implemented by a moron using an out of date, unsupported, and buggy OS?

    --
    bickerdyke
  3. Re:Why not have mechanical security too? by Mal-2 · Score: 5, Informative

    It's basically an ATM in reverse, for stores. Put money in, and you're not SUPPOSED to be able to get it back out. Instead, it immediately shows up in your bank account. The bank will come around and empty the safe when it is convenient to them. If the power fails, they'll just have to come back some other time.

    At least that's the plan. The exploit clearly shows that someone other than the bank or a Brinks employee CAN open the safe.

    But of course, nobody reads the articles before complaining. This is /. after all.

    --
    How is the Riemann zeta function like Trump rallies? Both have an endless number of trivial zeros.