We're going to be talking about hacking smart safes today. I've said the words "safe hacking" before and people are always like, what are you talking about? Practicing safe hacking? I'm not sure what that means. Not related to that whatsoever. These are physical safes that have smart devices on them. Really quick, just as an introduction, I'm Dan Petro, this is Oscar Salazar, we're both associates; Oscar's a senior associate. At Bishop Fox we do pen testing for a number of things, these sorts of Internet of Things devices included. So I guess without further ado we can get into the meat of the talk.

So this is the CompuSafe Galileo, a particular brand of smart safe that we happened to come across. So I want to kind of start this off with an apology, I guess. We tried really, really hard to get one of these things here on stage at DEF CON. But the thing is a tank and just logistically would not have worked out whatsoever. It's 380 pounds, and it's actually not that big. It's only like maybe three feet tall or something like that. So 380 pounds for such a small object, like, it's just completely immense, you cannot lift it basically. You have to like roll it around. And these things don't have ramps. If you notice, like, these stages, it was going to cost like $400 from the labor union to carry it onto the stage. And then another $400 to carry it off. Not to mention like shipping costs. It was a complete nightmare and we eventually had to give up on it. So just really sorry, we wanted to have one here on stage but it was not in the cards. So that kind of tells you a little bit about what this safe is. Just like it could legitimately withstand a bomb blast. The thing is a tank.

Yeah, and essentially this thing handles money, right? You put money into the slot reader, the money dispenser things at the top. It's like a reverse ATM essentially. You put money in. The money then is no longer yours. You don't own that money. It actually gets deposited into your bank account.
And so because of that process, the safe itself can't be opened by the managers. So it has a set of, like, authentication and authorization where a manager can, you know, create new users and employees can put money in. But this is meant to be kind of in retail stores. Yeah, so it's not meant to be something that you as a consumer would have in your house, right? It's like a cash management solution meant for businesses like retail outlets, right? So this would be something that would be sitting underneath the cash register at stores you probably go to. Like, they're out there in the wild, right? And so this would be something that would take money from the till, like after an employee has too much money, rather than leaving it in the till or having them count it in a way that can have lots of accounting problems. You like insert the money into the safe and it can wait there until the carrier service actually carries it away. Right. And so the carrier service essentially will come and pick up the money at some designated amount of time, or when the safe reaches a certain amount of money, and they'll take it away. And in order for them to take the money out of the safe it requires both the manager and the carrier service, the armored car service, to both sign into the application.

That's an important point to mention, that because the money for the safe is deposited into the store's account once money is inserted into it, that informs two things. One, it informs the security model behind the safe. So like, as Oscar said, the store manager is not actually allowed to open the top drawer of the safe where the cash is, because the cash is no longer his money, right? Once the cash is inside that safe it's already deposited into the bank's account; that's the bank's money, just temporarily sitting around inside of that safe. So the way that the security model is worked out is it's like a nuclear launch facility, which is what we have here, right?
So like two people have to simultaneously put in their keys and turn them, right. So both the carrier service has to authenticate to the safe, they have to type in their code, or in practice they have this little touch memory thing that we'll talk about. And in addition to that the store manager also has to put in their code.

So we did this assessment as part of, essentially, a customer came to us, they had a point of sale system that they wanted us to review, and this safe was part of that point of sale system. We worked with the vendors to disclose the vulnerability, and Brinks has informed us that they are in the process of releasing a patch, and we have actually tested a patch that FireKing created that fixes one of the specific issues that was used to create this attack chain. Yeah, let's see. Also, so we have a safe that we had purchased off of eBay with remarkably no questions asked. And that was the one that we were trying to bring here in person.

I guess there's another little anecdote to share with you about just how kind of crazy and massive the thing is. So we got this thing shipped, it has to ship via freight, and it gets to our office over at Bishop Fox and I'm like all super happy, finally the safe is here, I'm going to get to mess with it. And a dude comes around the side and says, okay, we've got this big package, so go ahead and bring around your forklift and bring it off the truck. I'm like, a forklift? I don't have a goddamn forklift. Why would you expect that I have a forklift? I didn't expect to need a forklift. So we had to schedule a completely different truck that has like a pneumatic lift to come by, and it was a complete nightmare. Even just like getting it like 10 feet from the truck into our office. So nothing about this has been easy basically.

Yeah, and so we're kind of disclosing all this information for, you know, educational purposes, informational purposes only. Don't try this at home. This is, you know.
Definitely don't try this at your neighbor's home. Yeah, you can try it in your own home if you own your own safe, maybe. Alright, so we're actually going to go ahead and do a demonstration now. Yeah, this is where we hope we have audio. We don't. Let's see. I'm definitely plugged in. So let's see if we can get audio. I hear it now. Okay, let's play this and see if we don't blow everyone's ears out. I think that's a reasonable level.

"Traditional safes, like just about everything nowadays, have technologically evolved into computerized smart safes, which are currently being used by countless businesses across the country. A safe by definition is inherently safe. People trust them with their most valuable possessions, and businesses trust them with cash, large amounts of cash. You would think that smart safes are even more trustworthy and secure than the old-fashioned kind, right? But how smart are they really? For the most part, smart safes seem pretty secure. However, one particular model has a serious design flaw. The Brinks CompuSafe Galileo has a USB port on the safe's exterior. This enables a malicious user to automate an attack on the safe's computer and quickly open its doors. All someone needs to do is plug a programmed thumb drive into that port and voila. To learn more, visit our website at www.bishopfox.com."

So that was an awesome video. That's totally on our YouTube channel. Some company named Graphic or Grabbock, I'm not sure exactly how to say it, made that. They do like graphic design and infosec. Like seriously, that was awesome. Shout out to those guys. They made this sweet cartoon and everything for it. That goes really quickly through some of the major vulnerabilities that we identified with the safe. We're going to talk individually about every single step along that line. If you freeze frame through that video, you can kind of see the exploit chain as it were. But we'll go through a bit more depth here.
What we want to talk about a little bit is how this is actually a combination of a bunch of different issues. This is kind of a long attack chain that ends with the safe opening. But each individual piece by itself doesn't lead to a full compromise. So this is kind of hardware, software, configurations, networking. All of those things kind of are required in order to perform this type of exploit.

I think that's maybe even something worth mentioning in terms of the Internet of Things. These are all areas that we as hackers are used to. These are issues that we're used to dealing with. But now that you have these other devices that are coming out from people that are very used to making toasters, and they're not used to making toasters that are secure against attacks over the Internet, these are all issues that are going to be coming up in everyday devices that we didn't used to see. These things seem obvious and almost laughable to us. But keep in mind that these are issues that are going to be coming forward more often. These are the types of things that we see across all types of Internet of Things devices. We recently saw the news about the cars that can be hacked. That's something that was a space before that never had to worry about security in that fashion, other than a car alarm. Now you have to protect against attacks. Some of these objects like cars and airplanes get a lot of press, and maybe they should, right, but everyday objects and things implanted inside of businesses and homes also need a lot of attention as well.

This is a picture of the outside of the safe. The front panel has a touch screen, and this is on the left panel of that touch screen.
The way that the service pickups authenticate to it, like to say if you are going to be picking up... I actually had no idea what this even was until I had to Google it, because I was like wondering what on earth this connector was, and like, it's like a magnetic thing that maybe talks over some cryptographic protocol or maybe something like that, and that's how the drivers basically authenticate to the safe to say, hey, I'm here to pick up cash. I really wish we were up here talking about how we reverse engineered some really cool thing and like we were doing stuff with this contact key, but that's not really what this talk is about. This talk is about the exposed USB port on the side of the safe. Right next to it. Immediately right next to it. Yeah. That port is not, like, it's not behind a panel of some kind. It's not like hidden underneath something. You don't need to like open the door to get to it. It's just right on the side of the safe. So having an exposed USB port is a pretty big deal in terms of being able to plug into the device.

We saw this. We immediately plugged in a mouse and we saw a cursor pop up on the screen, and we're like, all right. I like where this is going. Yeah. Immediately liked where that was going. Yeah. And so we're like, okay. So we're plugging in a mouse. We're moving it around. We're plugging in, like, unplugging that. We're plugging in the keyboard. We're typing some stuff and we're like, I'm unplugging that and plugging in the mouse again, and it starts getting quite cumbersome. So we make like a quick trip. We're like, okay, we've got to solve this problem, and so we go to Best Buy. And we buy a USB dongle. Like a hub that allows us to connect multiple devices. Like, problem solved. Great news. And so we plug that in and start working our way through.

Shortly afterwards we actually removed the four Phillips head screws from the side of the display. So what you're seeing here is the front panel; the entire touch screen just unhinges and moves forward. Yeah.
There's just four Phillips head screws. Not like security screws. They're not like epoxied in. It's not like behind anything. Just regular Phillips head screws. Unhinge the whole thing. You can get access to some computer innards there as well. Yeah. So this is actually a picture from the top down. They also had the same epiphany as we did. They bought a USB hub and velcroed it into the inside of the safe as well. Yeah. It's literally velcroed in. I think it's almost like a microcosm of what happened with the safe, right? Like I have this mental picture in my head of the safe being designed and manufactured, and then come time, like, somebody's putting it all together and goes, oh shit, we needed two USB ports in the front, and we only ran one in. They're like, well, shit. Run out to Best Buy. Velcro in a USB hub and just call it a day.

And so this is actually really important, because the touch screen itself is just a USB HID device, right? It's just like a touch device. That's what it is. So the fact that you can unhinge this and just get direct access to that USB is really important, because that's like built into the design of the safe, right? It's not like you can just easily remove that, because there has to be a USB port leading out to this front panel. And if you can just unhinge the front panel and get access to that USB, then that's like good hardware access right there. That one's not showing up.

The even slightly less exposed USB port, so that's on the back of the safe, so like in the complete rear of it, the lower left hand corner. There's a little hole that has like an Ethernet jack coming out, a serial port and another USB port. This one is like, so this is the third USB port basically coming out of the side of the safe. This one is less important, because like it's in the back and these things are not meant to be easily accessed. Like they're bolted to the ground, so it's not like you can pull it out to move it.
It's probably in some sort of an enclosure. Yeah, I mean, if you're getting to the point where you're kind of pulling the whole safe out to connect to the USB, it's going to be pretty obvious; you're not going to be able to kind of do that in a sneaky fashion, so yeah, too bad.

Right, so these USB ports had full drivers enabled, right. This had the ability to plug in a keyboard, a mouse, and it immediately recognized it. We were able to plug in a thumb drive as well to get access to storage. Yeah, USB mass storage, USB HID, basically full drivers enabled. There's nothing like restricted in any way. There wasn't some sort of USB device whitelisting or, like, nothing like that basically. You just plug in and it just works.

Yeah, so one of the big things is you can actually boot off of the USB. So at the bottom of the touch panel there's a button that allows you to reboot the device. It's a big red button. Right, like underneath it, so if you're looking at the touch screen it's just like right underneath it, and as soon as you hit it, the big Windows XP "would you like to log out, reboot or turn off" comes up. Before we pressed it we were like, is it going to eject the money? What does that button do? It's unlabeled and it's just a big red button. So it was beautiful. Yeah, so right from there you can just reboot the machine. You don't need to authenticate. You just touch the button, you can reboot the machine right from there, and then plugging in a USB hard drive, you just boot from USB and then do whatever you want to the safe from there basically. So that's actually a really important attack combined with this.

Yeah, and so the whole database, or the whole safe essentially works off of this one database, and it's an MS Access database 4.0, which is a little bit old. You start to hear rumbling, snickering, like, ugh. So it's password protected but it's not encrypted.
So if you try to access it using MS Access then you'll get prompted with a password. It's kind of like an opt-in password policy. If you open it on Mac or Linux it doesn't prompt you for it at all. Yeah, that's just Access's fault basically, right? That's just how the old versions work. They just decided to stick a password in plain text in the header of the file and just cross their fingers and hope that no one reads it. Yeah, I think the very, very early versions had a plain text password in the header, and then they started kind of encoding it more and more and more. Because of security. So version 4.0, it's encoded but completely reversible as well, so you can get the plain text password out of it. Yeah, so you could just not use Windows and it just opens up the file just fine.

Yeah, so this also handles, this database handles all the authentication and authorization. It's where all of your user information is stored, it has credentials in there. It stores all the logs about access to the safe, so when you go and put money in and make a deposit, and when the armored car people come and pull the money out, all of that is logged into this database. So gaining access to this database is basically the keys to the castle, right? Once you're able to access this database or modify this database, you're able to essentially open the door.

So you can imagine a world where a safe were designed with like a crypto chip on the inside of it, like burned into a piece of hardware that can't be modified, where it would do some sort of cryptographic challenge-response protocol, that way if the computer were to be hijacked, and you couldn't man-in-the-middle that connection, you couldn't do replay attacks or whatever. And that's just not how this works. That's just not how this works at all. The safe is essentially a COM port attached to the XP box that's beneath this thing, and it just sends the unlock command and then just unlocks, right?
So compromise of the OS itself. Yeah. You compromise the OS, you compromise the whole thing. Yeah.

So we have a second demonstration here. Oh, actually, no, this is just a breakout. I'm used to the slides. Sorry. I'm getting ahead of myself. Go ahead. So when we first plugged in the keyboard and mouse, right, we're in this kiosk mode for the safe. We're trying to break out of the kiosk mode. We try the regular things, right? We try like Control-Shift-Escape. We try Alt-Tab. We try Alt-F4. We try, you know, the Windows key, a couple of combinations, and nothing seems to work. And so we start feeling a little frustrated and decide that kind of the Hulk smash technique will work, and just start pounding on the keyboard. A highly manual, like, keyboard fuzzing. Yeah. Technical term. And it actually works. So something pops up and allows us to break out of the sandbox. And we're like, all right, this is awesome. Unfortunately, the kiosk mode on the application kind of reasserts itself every once in a while. So like it pushes in front of everything. It's like 60 seconds. It just forces itself back to the foreground. So we're like halfway into breaking out of this sandbox. We have Explorer running already. And then everything falls behind the kiosk mode again. Like, all right. And so we start trying to smash on the keyboard again. Probably looked like a bunch of idiots sitting in front of the safe. This is how we hack. Yeah. Just like the movies. Just like the movies. And unfortunately, we can't get it to reproduce. So we have to find a more reliable exploit.

And so this is what we ended up coming up with. So the way that this safe works is there's a... So there's a tutorial system on the safe. If you want to add a user or learn about how to deposit money into the safe, there's a tutorial button. So you click on this tutorial button. It brings you to a bunch of videos that will allow you to learn how to properly operate the safe. However, they're all Flash videos.
So right clicking on the Flash object there allows you to pull up Flash settings. You go to the about configuration. Also something worth mentioning on those Flash videos, one of the awesome things about... They have like help videos about basically how to do anything with the safe, including how to log in as a manager. And in the "how to log in as a manager" video that's on the safe, it says, like, about halfway through it, like, don't forget, if you forget your password, the default is one, two, three, four, five. And like our safe still had that enabled on it, which was pretty good. Though importantly, this is just a store manager, who doesn't have access to the safe door. So even though that's there, it doesn't really get us anything.

Yeah. So once we were able to go to the Internet Explorer, the about config for Adobe, it pops up Internet Explorer. So it tries to go to Adobe.com in Internet Explorer 6. Yeah. And from there, you're able to kind of go through the bypass, like go through the motions, right? Internet Explorer to Explorer, Explorer to, let's say, CMD, and you have, you're running as administrator. Yeah. So once you get out to Internet Explorer, basically you can break out into the operating system. It's pretty much game over from there.

So yeah, it is running Windows XP. It's like an embedded version of XP. So at least hypothetically it's getting like remote backports. But like still, it's probably not great. Though it should be worth mentioning that Windows 10 would not have saved the safe, right? Like there's a lot of other issues. The fact that it was XP tended not to be terribly important to the entire exploit chain. Like there could have been a lot of other, like, permissions maybe. Like maybe the application could have been running as a lower privileged user. That way you couldn't break out and run other commands, but like that's not the case. So that was helpful at least, right?
The fact that we could just modify arbitrary things in the operating system. Yeah. And so, yeah. Opening the Internet Explorer is actually what FireKing did as the patch, right? To break the exploit chain, to prevent us from going through the process of escaping the kiosk mode.

So once you have access to the command line, you're able to do things like add users to the database, right? Since we have the credentials for the MS Access database that are stored in the headers. We're able to add our own service accounts, and service accounts don't have the same requirements as a manager, right? If you're a service technician and you come and you have to work on the safe, you're the only person that needs to be logging in. Yeah, there aren't actually any service accounts already enabled on safes by default. So we just have to add ourselves, like, two new service accounts into the safe. We just call them like hack one and hack two. Curiously, you still need two service accounts? Like presumably because they don't want just one service person to be able to open up the safe, right? You need to have like two people simultaneously, like, okay, fine. So we'll just add two accounts and then log in with both accounts. Which is a little strange because... Yeah. So in the video you'll probably see that. Like it actually has to log in with two different accounts. Yeah, if you're going to work on one of these safes, you have to add your own account anyways. So there's no reason why you couldn't add two, I guess.

All right, so we're going to go play through the video of the actual exploit now. We'll kind of pause it every once in a while and describe what's going on. We need audio on the computer again if that is not already done. See if that works. Sweet, it works. Yeah. So this is the safe. Essentially we created a script on a Teensy. I don't know if you guys are familiar with Teensy. I think in the printed materials we said USB Rubber Ducky.
Turns out that the Ducky doesn't do mouse movements. It's only keyboard. So we wanted to switch away from that. So unfortunately the printed materials are out of date. We couldn't fix them in time. It's no big deal. Basically we had to switch to a Teensy, which is an Arduino board, instead, that does mouse and keyboard. Yeah. And so basically the way that this works is we wrote up a script that's a macro, a blind macro essentially. The code is like move to these coordinates, click, move to these coordinates, right click, type in this stuff, and essentially created a macro that had no feedback from the system. And when we were recording this video actually we ran the recording software on the safe itself. And it actually slowed everything down so much that we had to rewrite the whole script because all the timings were off at that point.

So yeah, this is essentially the way the breakout works. Went into the tutorial section. We opened up Flash. You right click on that guy. Internet Explorer comes up. It's all running real slow because it's trying to run video capture software from the safe as well. Yeah. So then we open up a new page and navigate to the system32 directory. And from here we're, you know, opening up the command prompt. So this is awesome, by the way. So the Teensy doesn't actually have any capability to store files on it. So if we want to run something we have to open up Notepad and type out a script in VB. That's what it's doing right now, right? Yeah. So the VB script basically creates the new users in the database. It closes up all the applications that we were running that we used to break out of the kiosk mode. And then finally it deletes itself off the file system. So right after that's completed, the Teensy finishes the open, like, types in the passwords for the accounts that we put in.
The primary thing that all this is doing basically is having the VB script that interfaces with the MS Access database and adds two new service accounts into the back end of it. And all of this is without us touching the safe. So this is plug in the Teensy, walk away, and 60 seconds later. Yeah. All the drivers, by the way, for interfacing with MS Access from VB are totally already enabled on the safe. So this is the door opening. Those are the canisters that have all the money.

So that was the main exploit chain that we used. There are other things that we identified while looking through the system. So passwords were stored hashed in the database, with another column immediately beside it with the plain text credentials. Yeah. That was a really, I just have this mental picture in my head of the developers writing the safe software, right, and they have plain text passwords in the database, and the manager comes by and says, like, you can't do that. That's insecure. And so they're like, all right, like, hit new column, add hashed passwords, and just call it a day, like, fixed that problem, hashed passwords, done. But again, that one's not terribly relevant to our exploit chain, like to get access to it, because all the credentials that are in there that you would steal are the store manager accounts and cashier accounts that don't have access to the cash. Yeah, the armored car guys don't have credentials stored in these databases; they use their authentication keys. So you would only have access to manager accounts or something like that, which wouldn't open the safe.

So also, kind of turns out you don't need a mouse. You can perform all the actions. It's a touch screen, after all, but right click is essentially just a click and hold, which is, I think, just a feature of the touch display and not so much a feature of the software itself.
So if you really wanted to, you could do the whole thing right from the touch screen, just like go to the Flash video and hold and press and then pull up an on-screen keyboard; it would be horrible, right? We didn't actually ever bother to go through that chain because it would take like a day or something. I can imagine trying to automate that by putting some device on top of the safe that presses the buttons for it would be horrible. It would be horrible. The USB port is basically just there to help streamline the entire exploit.

And so I think Dan touched on this a little bit earlier, but the way that the safe operates is there is essentially a COM port that sends the open door command to, you know, the solenoids or whatever that connect to the safe doors. So if you were to kind of use that instead, right, you could have just as easily hooked into the DLL and issued the open door command. There's literally a DLL with an open door function. We're like, we didn't even bother with it, didn't need to as it turned out. Like the way that we exploited it was just adding an account and logging in and using the application, right? But of course one could simply just send direct COM port traffic to that, like implement your own COM driver. That would be a lot cleaner perhaps as an exploit, but we just didn't need to. So that sounded hard and we didn't feel like doing hard things.

All right, so I guess we kind of touched on it a little bit earlier as well. The Internet of Things is happening, right? There's smart devices that are, or devices that typically haven't been connected to the Internet, that are in this rush to become smart, get connected to the network, get connected to your home, give you feedback. The idea I think is just, we got to make this work as soon as possible. Everyone's doing this. We got to get this out before anybody else does. That's the state of most large software development houses, right?
They're just barely struggling to get things to work, let alone getting them to work well, and let alone getting them to fail well. So as this moves forward to everyday household or business devices, this is only going to be something we see more of. And a lot of it's hardware companies moving into the space of software, right? They typically have been working on, you know, these safes that have been around for centuries, or they've been working on these cars or a light bulb or a toaster or whatever. They've never had to have a development team and a security team. And so as that starts to happen more and more, I think that we'll be seeing a lot more.

I think it's really easy to be flippant about it, right, and be like, come on, do we really need a smart safe? Like the old mechanical ones are doing just fine. But that's kind of being a prude about it, right? Like this is going to happen. This is the future whether you like it or not. And so we as security people can either help or not. Like these sort of smart devices were in a way the promise that we as technology people made to the rest of the world; we said all this technology was going to transform households and devices in the world, and this is partly what that means, right? So let's not try to shut that down, instead try to, you know, help these devices out as we go forward into that world. And I think that's everything. That's about it. Thanks.

I am told that we have a microphone that we're going to use for questions. So I don't know where that is. I expect to see a goon frantically running around with a microphone at any moment now. Until that point maybe I could just repeat a question. I saw at least a hand here. I could repeat it to the crowd. Autorun. USB autorun. Try it. Autorun. Oh, autorun. Yeah, so there's a difference between autorun and autoplay, as it turns out. So the question was about USB autorun, right?
So if you plug in a USB device it will come up with a prompt, that's autoplay, that will say, what would you like to do with this device? It doesn't do autorun, which is the "run the first executable you see on this CD" thing. That would be really easy and that was the first thing we tried. But no, that did not work, unfortunately. And also the pop-up, when it says, like, what executable would you like to run on here? That comes up behind the application, right? So you still need a way to exit out of the full screen application for that to happen. Looks like we have a microphone finally. So it's in the front here if you're looking to ask a question.

Hello, my name is Fred Smith and I was wondering if you had everything you talked about in a written format or online that I could access? Like this entire presentation, is it written down somewhere that I could access? The content of the presentation? Yes. I think that they've been writing it out over there. I don't know. I'm sure it will be available on the DEF CON website. I hope so.

So you mentioned the USB port on the back that you said was hard to access because of the physical access. Did you ever actually try your Teensy board on that port to see if it would work? Yeah, that one works as well. In fact, the back, the rear USB port seems to be powered a bit more. Like if I have a regular USB device, like a USB, if you try giving it an entire USB hard drive that sucks out a little bit more power, the front port just doesn't work. I think just the back one has more power. But they're otherwise completely hooked up. Did you ever connect to the network ports to see what those do? No, we never hooked it up to the network. Yeah. At least the one that we have sitting around in the office.

We saw a talk yesterday where they used a Teensy in Twin Duck mode so they could do mass storage and keyboard stuff.
So basically you just stick it in the laptop and set up a new wireless access profile and all this crazy stuff to put on the machine. So you think that would have worked as well for this? Would that even have to get past the kiosk mode? Yes. So once you bypass the kiosk, you're running as administrator. So you could easily think of a scenario where, instead of having it just immediately open the safe, you upload a piece of software that will, let's say, open the door later, or run any configuration files that you want. Yeah, for our purposes we just wanted to demonstrate opening the door, so that was the first thing that we did. Thanks.

First of all, thanks for an excellent presentation. That looked like it was a lot of fun to tinker with. You mentioned that it's a Brink's safe, and you mentioned another company along the way, Fire-somebody-or-other, I didn't catch the name, that worked around and closed the exploit chain, if you will, with Internet Explorer. You demonstrated, or at least alluded to, several other avenues by which you could compromise this ridiculously poorly designed safe. Did they address the rest of this sort of obvious low-hanging fruit there? Are we going to see you next year doing this talk again about how you loaded the DLL and called the appropriate unlock? You're definitely not going to see us next year. At least not on this, maybe something else. Next week? Yeah, we worked with the vendors involved to try to get a fix for that exact exploit chain. And they've been informed of the other things, and they're working on addressing them. So you may be aware it's on their to-do list somewhere, eventually. Fun.

Hi. You had mentioned the possibility of replay attacks over just the COM port to the actual safe. Did you guys look at that protocol and say, is it the same command to all of the safes? Is there an actual key for each one? Do you break it for one?
There's ostensibly... we didn't, so we tried looking at the COM port traffic just a little bit, and I was kind of crossing my fingers and hoping there'd be a four-byte message that would just be "unlock". And it was not that easy. It was a back-and-forth protocol. It was just hard, and I'm not even going to look into it, basically. Yeah, the COM port communication ends up being a ping and a response, it's on a timer, and there's a bunch of variables as well. So it's definitely something that presumably could be done, but we didn't really look into it. Yeah. Presumably there's not a key involved there, or if there is, they're the same, or we don't really know, I guess. Thanks.

I wasn't sure if I heard it correctly. It sounded like in the beginning you mentioned something about this thing having full-time network connectivity in normal operation, like cell data, anything like that, or just hard-wired? It's just hard-wired. So it's meant to talk back to the bank, right? So it knows how much money you have at any time. So as you deposit money into it, that money gets deposited into your bank account, and because of that it's always connected. Was there any evidence of support for other network methods, like cell modems, that sort of thing? No, I don't think there's cell phone. It's all wired. Like a phone jack for old dial-up, I think, as well, if you had that in your store. But I didn't see any evidence of any cell phone or other kind of wireless. A lot of point-of-sale systems still run off of phone jacks, basically. Did you get the impression that if the network connection was in place it would have reported your actions as you were functioning? Logs and such are definitely sent out over the network, right? So it could, hypothetically, but if you have complete control over the operating system then you could just modify that to not report your opening the safe, or not report opening the door.
Yeah, so I mean you're running as administrator, and once you break out of the kiosk mode that wouldn't be logged, right? And you could shut down the network while you worked on whatever you wanted to, and then plug it back in afterwards if you wanted to. Thanks. Thanks.

The USB port seems like it facilitated everything. Did the vendor say there was a business need for that USB port on the front? Yeah, there's definitely something to be said about usability versus security in that respect, right? Because it's useful, right? Being able to have a mouse and keyboard present there. And something that's come up a bunch is, well, what happens if the hard drive just crashes, right? Or what happens if the computer just melts down and now you're locked out of your safe? And so having an external device that you could reboot into the BIOS with and whatever, that's handy, right? You can then recover from that situation. So you kind of have a tradeoff between security and usability there. Do you want to have a safe that fails open in this sense, right, like if the hard drive fails, then you can still open it anyway, or do you want to have a safe that fails closed? And that's kind of a business decision to be made. Thank you. Thanks.

Since it gives provisional credit to the financial institution, could you see customer information? Like account numbers? I didn't hear that. When they put the money in the safe, it gives the provisional credit to the bank. Could you see account numbers? Account numbers? I don't... The customer account number. No, we didn't look too much into the actual mechanism of how it specifically sends your money. It very well could just be some web server that says, deposit this money into this account. And if you change the account, then, bad thing. No idea. That's all just pure speculation, basically.
I would assume that they would have something baked in there so we would know what account you are. I mean, it has to know what account you are.

What was the fix offered by the vendor? So they essentially broke the attack chain by preventing Internet Explorer from opening. Kind of blacklisting Internet Explorer. So going to Flash, right-clicking and going down to the about/configuration entry wouldn't pop up that portion, and we wouldn't be able to escape out that way. But would you still be able to do something with a USB drive in that case, or does that completely block it? Yeah, so the same attacks where you would plug in a USB and boot from it and do that kind of attack would still be possible. But you would have to figure out how to reverse engineer the software first, essentially. You could just reboot it with the red button, right? I'm sorry? You could just reboot it with the red button, right? Yeah, you can reboot the device, yes. You do need physical access, right? So that's true, you need physical access to basically do the entire hack. But at the same time you need physical access to actually carry away the cash. So that's kind of required anyway. I'm just saying if you can plug in the USB you can also click that red button, right? Exactly, that's correct. So I mean there are other fixes that would be able to help against a boot-from-USB attack. Like trying to put a password on the BIOS to lock down the BIOS so you can't boot from USB. Maybe encrypting the file system. A whole number of things, right? But they can play into the usability of the safe, right? If everybody has to boot into the BIOS and plug in a keyboard and type in the password and do all that stuff, that might not be a reasonable solution. And as they're essentially embedded devices, it's not necessarily easy to update the software as well. Thank you. Especially at the BIOS level. Do I see any other questions? Yeah.

So if you have a USB drive that can act as a keyboard or a mouse or whatever,
why do you actually need to open Internet Explorer? Why can't you just send commands as a keyboard and do it in the background without anything visible? So there are some things that are already locked down, right? So if you try to hit Alt-Tab, that just doesn't work. That's been disabled in the Windows registry as a keyboard shortcut. So going to Internet Explorer is basically a way of escaping out of the kiosk sandbox, because their application is just a regular Windows program running in full-screen mode. So there's no way to run arbitrary commands, just because there's no button to press to get there, right? So the first step in being able to run arbitrary commands is escaping out of that sandbox, like pulling up Internet Explorer, which then runs regular Explorer, which then runs a command prompt. So if you were to try to type commands, the application itself would register all your typing, so you wouldn't be running them, and you can't run it in the background. Though if you were to plug in the keyboard and type in your username and password, that's how you could log in as well. So you can do the run command to execute? Right, you can press the Windows button? The Windows button is disabled as well. So you can't just hit the run command. Thank you.

Do you guys have any plans on researching how the money gets deposited in the bank through the network? Yeah, I don't know if we're going to be doing too much additional research on that. I think we'll probably be moving on to something else pretty soon, but we're still working with the vendors to address the rest of the issues. Okay. Because with what we're doing, we're going to be doing the same thing with stealing the cash. There's only this much cash you can steal, but if you can replay and keep adding money to the account... Right. So are you saying, if you were to essentially falsify how much money was in the account?
Yeah, since you have access as an administrator, if you're able to essentially get that access, the security of the safe itself is at that point compromised. So the security is based on keeping you in the kiosk mode. So yeah. Right.

So if the hard drive isn't encrypted and you can boot from USB, couldn't you just boot to a live CD and then edit the registry to break out of the sandbox? Yeah, and you can absolutely just boot from Linux. That's something that is pretty straightforward. Maybe making a Minecraft server that would run on the safe or something like that, but the specs on it just aren't quite good enough. Certainly not a client, maybe a server. But yeah, you can run arbitrary software, boot from another device and run a non-Windows operating system, and then, maybe even if the hard drive is encrypted, just clobber the hard drive with an entirely new image. So that's why, in addition to things like full-disk encryption, you would also want something like a password on the BIOS, right? And at that point... usually BIOS passwords are kind of a chuckle, because you just remove the CMOS battery or something like that. But in this situation the computer is inside the safe, right? So you can't just do that. So it would actually be a reasonable defense. All right, cool, thanks. Anyone else?

Considering the whole complicated solution, the safe manufacturer, they're just locking it and all that. Wasn't it simpler just to place all the innards behind lock and key and that's it? Why just leave the port exposed and not lock it in? Yeah, so again, it kind of just boils down to usability. It seems like having access to an exposed USB port makes it easy for a technician to come in and do their work. But they could have just as easily had the technician, you know, remove the front panel to get to the back USB, or do something else. Yeah. Or you just give a key to each technician and that's it.
Thank you. Thanks.

Yeah, real quick, I'm hoping you sort of thought this out in the fantasy world. What would be your fantasy real-world heist involving this capability, and then what, if anything, can you extrapolate to other smart safes? I think that we want to emphasize that we're not trying to, like, enable theft, right? We're providing the information for pen testers, so that if you're a pen tester and you have one of these safes, I think it would be abundantly clear how to reproduce our findings and do this on your own. But, you know, going through some actual theft scenario isn't something we really want to encourage. Okay, looks like we're out of time, so thanks a lot. All right, thanks everyone.