DefCon Hackers Tell How They Cracked Brink's Safe in 60 Seconds (eweek.com)
150 points by mtuncer on July 28, 2015 | 92 comments



  "So the issue isn't so much that there is no
  acknowledgment that there is a problem; rather,
  the vendors have been pointing fingers about
  whose problem it is for over a year, without
  progress made on the actual resolution."
And my colleagues wonder why I support full disclosure. I tell you what - if I was a bank that used these products, I'd be going around and epoxying these USB ports closed ASAP.


I used to work as a penetration tester, and one of our clients hired us to perform a "custom application" assessment. I can't give specific details (for obvious NDA-related reasons), but this application was a large device that interfaced with mission-critical hardware -- and ran Windows XP embedded.

They'd done a pretty good job securing the OS and device itself: we couldn't actually connect it to any networks, so network penetration testing was difficult, and there were no USB ports or CD drives. Unfortunately for them, they did leave an archaic port open on the back of the device. Now, this wasn't a USB port or anything, but (with certain difficult-to-source adaptors) we were able to get an external 3.5" floppy drive hooked up -- through which we could (slowly) load arbitrary executables, and take over the device.

When we explained this finding, the client told us that certain customers of theirs required this port for proprietary communication, and that they couldn't remove it from production. The end result was that for every production run of this device that wasn't going to one of those edge-case customers, epoxy was manually applied to close off the port.

Not the most elegant solution, but I guess it worked!


Why not simply score the motherboard around the port to cut the traces? Epoxy sounds like such an inelegant solution. But I am a neat freak :)


Using epoxy would also allow the production line to only make one model to sit on the shelf and then epoxy the ones going to Customer X when they need to go out to them. If you cut the traces then you'd have to make 2 different types and track them, and really make sure none of the cut-trace ones make it to Customer X.


I personally would prefer epoxy because just about anybody can apply it, whereas to safely cut traces on a motherboard requires someone with a modicum of technical skill, the purchase of suitable tools, hardware testing afterwards, etc.


That's true, but isn't the company making these devices? If they are making them, they must have someone capable of operating an X-Acto knife. Also, if you are concerned about an attack that requires someone to load code very slowly from floppy, wouldn't you also be concerned about someone using a battery-operated rotary tool to cut the epoxy around the pins, and then connecting probes to those pins, which would then allow them to connect the floppy drive?


Epoxied ports are like locks. They're there to keep honest people out and to slow down (and in the case of epoxied ports, really slow down) dishonest people.

I don't know where the hardware was going, but computers are often either located in places where only trusted employees are permitted, or where there is not-infrequent foot traffic. Combine either trusted employees or random, unpredictable passers-by with regular inspection of the hardware, and you have a pretty decent solution.

Epoxied ports can also be used as an after-the-fact intrusion warning. You know the thing was epoxied from the factory. If your inspection reveals that the epoxy is missing or has been altered, then you're almost certain that something nefarious was going on.


Some time ago, around 2008, I let my friend use my bicycle for a few weeks. He ended up losing the key to the bike lock, and I had to cut off the lock to get the bike out. So here I was, with a battery-operated angle grinder, wearing a hoody, cutting a bike lock in the middle of downtown San Diego at 4pm on a weekday with streets full of people, 4 blocks from the central jail, and cops going up and down the street. It took me 15 min to grind through the lock, and it made a lot of noise. No one even bothered to ask me what I was doing; people were walking by as if I didn't exist. Cops drove by without stopping.

My point is, if these machines were destined for public places, it wouldn't surprise me if a man in overalls could sit next to them and grind away epoxy with impunity for hours before anyone would think twice about it.


From the story, it sounds like the client actually cared about the security of these devices. I would be somewhat surprised if they were left unobserved long enough for someone to surreptitiously carve out the epoxy and attach a drive to it.

Though, we can't know if the client was looking for intrusion prevention, or merely after-the-fact intrusion detection. :)


The ABC show "What would you do?" actually did a bit about bike thieves: https://www.youtube.com/watch?v=8ABRlWybBqM

I don't really consider the show to be scientific, it's purely anecdotal, but it's definitely kind of interesting.


I looked up the safe, and it looks very expensive, and something that's stored in a locked, videotaped room? Something the average employee/thief would never even get a chance to play with?

These security hacks are cute, but sometimes I feel they are nothing more than advertisements? Don't we always have one of these "golly gee, I had no idea?" hacks around this time of year?

If I didn't have a company to promote, I don't know if I would come forward with vulnerabilities? Especially for a thieving bank? (I don't like banks these days. The fees are a slap in the face, along with pawn shop/payday interest rates they charge us, and in return give us 0% on our money in most cases? $1500 minimum balance in order to not pay a monthly service charge? And, yes--I wished we let them suffocate in 2008. The myth of Capitalism?)

IMHO--the biggest deterrent to crime these days is the proliferation of video cameras. They are everywhere.


> I looked up the safe...

You're likely mistaken. The device whose ports we are talking about epoxying was referred to by david_shaw. No one in the thread has speculated as to the type or model of device. The only information we have about the device comes from david_shaw:

"I can't give specific details (for obvious NDA-related reasons), but this application was a large device that interfaced with mission-critical hardware -- and ran Windows XP embedded."

> If I didn't have a company to promote, I don't know if I would come forward with vulnerabilities?

If you were not doing the research for a paying client, nor were you doing it to publish a report, why would you be doing it?

> ...the biggest deterrent to crime these days is the proliferation of video cameras...

London has a very dense CCTV deployment. Look at the crime-reduction studies that have been done since their deployment. It'll be enlightening.

Also, I am now on notice that you will not likely work for a bank. Thank you for that information, I guess.

And, uh, my bank is a lot better than yours, it seems. Shop around!


Again, if I was a bank that used these safes, I would not only epoxy the USB ports but also instruct the people picking up the money from them to inspect the epoxy. Think of it like the seal on an envelope. Apply the epoxy, mix in some glitter or something so it has a unique pattern, and take a photo of the epoxied port at time of application. Compare pictures when picking up the money. It won't keep attackers out, but it will let you know if somebody got in.

This is a less than perfect solution, of course. The manufacturer of these safes deserves all of the flak it gets for not fixing the vulnerability /tout de suite/. If I remember the article correctly, they've known about the attack for a year!!!


Epoxy is easy to visually inspect and verify.


Would it not be trivial to spray a can of air upside-down at the epoxy for 30 secs and scrape it out with a screwdriver or craft knife? Paint thinner takes too long and a heat gun isn't exactly mobile (also sticky, eck).


Done correctly, seals aren't tamper-proof but tamper-evident. A little bit of glue isn't going to stop someone determined to steal from my hypothetical bank, but at least I'll know about it.


'...[they] literally "smashed" on the keyboard to see what would happen when arbitrary keys were pressed together. Using that smashing technique, the researchers were able to figure out how to escape the kiosk mode.'

They also just invented the newest SaaS model: "Smashing as a Service"


Sounds like keyboard fuzzing; a strange way to get out of kiosk mode, but hey, it worked.


Certainly does. Public terminals at Boston University used to crash to desktop if you smashed on the keyboard enough.


This is a tried and true technique used by students for decades.


When I was a kid, a bookstore nearby had a computer where you could download free software, with a closed interface. Anyway, some guys came along and were like "look, we're gonna hack this thing", at which point they started mashing on the keyboard like madmen. (The poor beeps of that abused computer ...)

And now you're telling me this is an actual thing?? My life is a lie.


What do you think fuzzing is? Keyboard mashing taken to 11. ;)


I learned an awful lot about software testing and security as a kid trying to sneak illicit games onto school computers. Granted, this was in the 95/3.1 days, so it was a little easier ;)


I had great luck with this technique when friends forced me to play Mortal Kombat or Street Fighter or other similar uninteresting-to-me video games as a kid.

They always thought it was "unfair" when I beat them.

Well maybe you shouldn't enjoy playing such poorly designed games then!

Applies equally to poor security practices. Play stupid games, win stupid prizes.


Sounds like the right way out of kiosk mode—edge cases are rarely obvious.


I once stumbled on a bug this way. I reached for a key to do something, a coworker reached for a different key to do something else, and the program crashed. And we looked at each other and asked, "What keys did we hit?" (It took maybe five minutes to figure out, which isn't very bad.)


In contrast to Grindr/Tinder: "Smush as a Service"


So the hack is a classic kiosk mode breakout, like you could try to do with poorly secured public computers. The wonder here is not in the hack, because it's just a set of keypresses and mouse clicks. The wonder instead lies with the manufacturer who made a safe stupid enough to be bypassed with a mouse and keyboard.


Who put the USB port on the outside? The article made it seem like they didn't need to use the USB port for normal operations (unlocking/locking). So why didn't they face it toward the safe or disable access somehow until the safe is unlocked? I'm not going to even touch on the Windows XP issue.


I am guessing it's a failsafe in case the touch screen on the safe fails and they need to plug in a keyboard to open it / diagnose it. It's a legitimate thing to do, but you would think that the USB port would have protection.

For instance, the USB port could be on a daughter board, and requires you to enter a password on the plugged in keyboard before the daughter board would complete the connection to the main motherboard.

The really simple method would be to at least have a USB lock that plugs into the USB port, and once locked it hooks into the USB port so that if it's physically ripped out without unlocking, it would rip out the USB port with it. This is something they can retrofit quickly while figuring out the other problems with their software.


Auto-enabling keyboard input at all is totally crazy; if you can type you can compromise something. My last startup (it's still around, just without me) makes kiosks with touch displays and accessible USB ports, and disabling that shit was the first obvious move.

We then allowed them to be re-enabled selectively based on a challenge-response touch screen input (didn't require connectivity, just pre-shared keys to verify the response) or via our server (if connectivity was stable and the touch screen had an issue).

Assuming you have a team competent enough to build a platform that you can at minimum reboot and ensure it'll always come back up, you'd never, ever want to automatically let someone access your system.
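One way to build the offline challenge-response re-enable described in the comment above (and the password-gated USB daughter board suggested earlier in the thread), as an added example that is not the commenter's product code or anything from the article: the kiosk drops all USB keyboard/mouse events until a technician answers a random on-screen challenge with a code derived from a pre-shared key. The class name, the 8-digit code format, the 120-second challenge lifetime and the 3-attempt limit are assumptions.

```python
import hashlib
import hmac
import secrets
import time


class UsbInputGate:
    """Gate for an exposed USB HID port (added example, not the commenter's code).

    Keyboard/mouse events are dropped until a technician answers a challenge
    shown on the touch screen with the response derived from a pre-shared key.
    Everything works offline: both sides only need the key.
    """

    CHALLENGE_TTL_SECONDS = 120   # assumption: a challenge expires after 2 minutes
    MAX_ATTEMPTS = 3              # assumption: 3 wrong answers void the challenge
    CODE_DIGITS = 8               # assumption: the response is an 8-digit code

    def __init__(self, psk: bytes, now=time.time):
        self._psk = psk
        self._now = now           # injectable clock so the expiry logic is testable
        self.enabled = False
        self._challenge = None
        self._issued_at = 0.0
        self._attempts = 0

    def new_challenge(self) -> str:
        """Create the one-time challenge to display on the touch screen."""
        self._challenge = secrets.token_hex(8)     # 64 random bits, hex-encoded
        self._issued_at = self._now()
        self._attempts = 0
        return self._challenge

    @classmethod
    def expected_response(cls, psk: bytes, challenge: str) -> str:
        """Response the technician's offline tool computes from the PSK.

        HMAC-SHA256 over the challenge, truncated to a short numeric code that
        can be typed on a touch screen (the same truncation idea HOTP/TOTP use).
        """
        mac = hmac.new(psk, challenge.encode("ascii"), hashlib.sha256).digest()
        code = int.from_bytes(mac[:4], "big") % (10 ** cls.CODE_DIGITS)
        return f"{code:0{cls.CODE_DIGITS}d}"

    def submit_response(self, response: str) -> bool:
        """Verify a typed response; enable HID input only on success."""
        if self._challenge is None:
            return False                            # nothing outstanding
        if self._now() - self._issued_at > self.CHALLENGE_TTL_SECONDS:
            self._challenge = None                  # expired: must start over
            return False
        self._attempts += 1
        if not response.isascii():
            response = ""                           # compare_digest needs ASCII str
        expected = self.expected_response(self._psk, self._challenge)
        ok = hmac.compare_digest(expected, response)  # constant-time compare
        if ok:
            self.enabled = True
        if ok or self._attempts >= self.MAX_ATTEMPTS:
            self._challenge = None                  # one-time use, or locked out
        return ok

    def disable(self) -> None:
        """Re-arm the gate, e.g. when the service session ends or on reboot."""
        self.enabled = False

    def filter_hid_event(self, event):
        """Called for every USB keyboard/mouse event; returns None while gated."""
        return event if self.enabled else None
```

Because a challenge is single-use and dies after three wrong answers, a device that just types keystrokes into the port gets at most three guesses out of 10^8 per challenge, and the kiosk is never left with input enabled by default.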


Windows XP is completely safe if:

1) it is not connected to the internet

2) you can't add external storage

I see people getting upset all the time about cashier tills running windows xp - but that doesn't make any sense. If the software works fine in that situation then it could be just as well running windows 3.11 and I don't see a problem.


Keep telling yourself that.

There are unpatched 0-days that go back years that still make WinXP dangerous to have on any sort of network. Not only that, but they will never be fixed. Nor can you fix them yourself (no source code).

And yes, cash registers will be networked because of data mining. I can get an accurate picture of store utilization solely by watching registers. And also by seeing what was purchased, I can change inventory appropriately. So yes, networking is essential. Perhaps it's not for the small business that handles flea markets and such.


Windows XP Embedded is still supported and still gets security patches. I'm also pretty sure you can get the source to it too, if you pay Microsoft and sign an NDA.


Windows XP: the security researcher's favorite distro.

There are few things better than showing up to a security review gig and finding them running XP. Makes my job super easy and clients love it when I rain down bugs. It's even better because we can actually write exploits in a short time frame. Love XP.


Somewhat related, check this out. In the video they theorize that the power line attack is obfuscated by software techniques. An old OS may have buggy USB drivers, I can imagine, but they claim the OS does not matter.

https://www.youtube.com/watch?v=mdnHHNeesPE and this https://www.youtube.com/watch?v=HxQUKAjq-7w


> 0-days that go back years

does not compute....


As in there were 0-day exploits that have not been, and will never be patched.


Insert Inigo Montoya quote here.

"0-day" is a vulnerability that's discovered at the same time there are already exploits in the wild. It means you have zero days to get a patch deployed before the target is vulnerable to attack. Obviously a very bad situation to be in.

And yet these days it gets thrown around as if it describes the severity of the vulnerability itself. Thus the above scoffing at "0-days that go back years". What does that mean? It's like saying you have a matinee movie on Blu-ray that you'll watch tonight.


> unpatched 0-days [...]

I suppose one could have a patched 0-day? It would need to be fixed by the vendor without them ever acknowledging the underlying issue existed, right?

As for the "go back years" bit, the guy just has some XP vulns that were found ages back and he's never released them, and of course they still work.


So the machine connected to your Windows XP tills has internet access and/or external storage enabled. Of course that's not safe... if I said "not connected to a network" would that be better?


Nope. You just flipped one of your caveats: no internet connectivity.

I only specified networking.

It's also how Target was attacked. Their registers are networked, yet there was a hole from the internet to their corporate net. That hole was through their HVAC control system.

The TL;DR is that you design a secure system so that if one part fails, the whole system doesn't fall like a house of cards. Security through layers.


You can say that... but I think GP's point is that there's an obvious behavioral pattern to that, which is less data mining of your sales info and customers' buying habits, compared to the sometimes unobvious but major downside of the terminals being hacked. I think we've seen what choices businesses make when presented with the obvious upside over the poorly understood downside.


Evidently it's not completely secure if you can add an external keyboard and it's in kiosk mode.

(Having worked somewhere close to the field of XP-for-POS, the answer appears to be that the customers really do not like having to do updates. They'd much rather just firewall the tills and hope they don't suffer a stuxnet. They're attacked surprisingly rarely because you can't steal money over the internet this way.)


10+ years ago I was at a public library with terminals that were in kiosk mode with IE in fullscreen, hidden start menu etc. I used a paperclip to eject the CD drive, put in a CD with autorun, and voila, visible start menu, and I was able to get to the internet from IE.


I hear Brink's QA department is hiring.


I hope they are also firing.


thatsthejoke.gif


QA is not the solution - this is a design failure.


Exactly. Often in BigCorp type places bugs are classified as deviations from requirements. If this poor design was the requirement, then any objections that may have arisen would've probably been classified as suggestions instead of bugs.


I have to think even the most myopic bureaucrats would remember to include "cannot be opened except by authorized parties" in a requirements document for a safe.


Yes, but all that will achieve is a tester writing it into their plan to check that invalid credentials don't let you in. It will not magically teach programmers to write secure code.


The bit I was replying to was a hypothetical situation where QA does, for some reason, find the flaw but management rejects it because it doesn't match a bullet point in the requirements. My point was just that if that's not in the requirements then you have even bigger problems. I never claimed or even implied (because I don't believe) that writing down that requirement would actually achieve anything.


QA is the safety net.


Anything exposed outside is a potential risk. If there is a button, you press it. If it is a hole, you stick something inside.

Having a USB port outside is an invitation to do something with it.


Or: Download Chrome, (it installs even with user permissions), install it, download other stuff, win.


Chrome wasn't released 10 years ago.


Yes, it was just a recent example – browsers that launch without installation have always existed.


Seriously -- this is ludicrous. I founded a hardware tech company a few years back that does a similar thing (machines in very public places) and -- knowing approximately dick about building robust hardware -- auto mounting of input devices was basically the first thing I locked down once I had the basics up and running.

What a stupid vulnerability.


Kiosk breakouts were fun as a kid. I used to get around time limits on library computers by breaking out via the volume control tray icon.


> Oscar Salazar, senior security associate at security firm Bishop Fox explained that money inserted into the CompuSafe is automatically deposited to the retail store's bank account.

In case anyone was also wondering what that is, after looking it up, it's provisional credit with the bank... The safe transmits daily deposit data to the bank, and the bank credits your account.


Which they will certainly debit out of your account if the money isn't actually in the safe.


Even funnier that the money is the bank's once it goes into the safe. So once again the reason to rob a bank is "that's where the money is", except here you can do it with a USB widget. If the money stays in the safe overnight (how often do the Brinks people come?) it's a pretty easy score.


Now, I'm not all that familiar with the banking industry, but assuming ownership of bearer instruments (banknotes) before they are actually in your possession seems like a risky practice. You're basically assuming that all those third parties involved in securing your property are going to do their very best to prevent you from losing it, without actually having much at stake themselves.

If the transfer of ownership is completed the instant the store drops the cash into the safe, they only have an interest in securing the path to the point of deposit, and have no interest in securing the safe itself.

Indeed, the naive criminal plot would be to adjust the store surveillance cameras such that the safe-deposit process could be visually verified, but the cracking process would be obfuscated. Then a store employee cracks the store's own safe, takes the money out, and takes it out through the loading dock with the trash.

[Edit:] It seems as though the safe credit is actually a provisional deposit, and banks aren't all that crazy after all.


Banks are quite adept at both insurance and recovery from petty fraud.


  "tool that Salazar and Petro created basically emulates mouse and keyboard presses"
USB Rubber Ducky? Neat tool that is.


Thanks, haven't heard of it before

http://usbrubberducky.com/


It's pretty cool; AFAIK it's based off of the Teensy 2.0 µC. There's actually some neat firmware that lets it emulate a flash drive at the same time as a keyboard/mouse, allowing you to deploy software on the flash drive. For that reason especially, it could be useful for anyone in IT.


They've known about the vulnerability for a -year-?? Come on. In some fields, fine, but in a safe company?


They probably assumed that the cost of fixing the issue and actually pushing that fix to every unit in the field would outweigh the cost of not fixing it.


True, though now that it's public they may start accounting for the potential cost of lawsuits within the next year.


Depending on how the USB slot is used, surely the fix could be as simple as a tube of superglue (assuming you don't need the USB slot).


We will see if they dare use the 'it is not supposed to be secure' excuse that lock-maker Onity made (Onity is the company that charged its customers for fixing its faulty product.)


A strong engineering case can be made for "Look, if you installed a Brinks safe for a year, experienced no employee theft, and then had an Evil Hacker come in and swipe $10k from you, you got excellent ROI. Your insurance will inevitably pay the claim. We'll reimburse them. They won't cancel your policy. 998 similarly situated stores lost nothing; the last one had someone crash a pickup truck through the window and winch the safe away. Terrible thing, that, but that's why we're all insured."

You don't buy a safe so that you'll never get robbed. Banks don't have that as a desirable security posture! [+] You buy a safe to cheaply decrease the total cost of theft.

[+] Fun fact: average bank robbery costs the bank only $8k or so in lost cash. This is one of the many reasons why every bank in the country has In The Event Of A Bank Robbery Don't Try To Be A Hero Seriously It's Pocket Lint in their training about it.


If they had made that argument to their customers at the purchase time, together with a realistic estimate of the degree of security being provided, then that would be a valid argument for them to make now.

Also, as this argument depends in part on insurance, the insurance companies are entitled to the same information.

The real point here, however, is not that the safes can be broken, but that they can be broken relatively easily with techniques that have been known for a long time, and which can be defended against. There is no strong case to be made that this is a well-engineered product.


This sounds a lot like Samy Kamkar's USBdriveby tool: http://samy.pl/usbdriveby/

USBdriveby is a device you stylishly wear around your neck which can quickly and covertly install a backdoor and override DNS settings on an unlocked machine via USB in a matter of seconds. It does this by emulating a keyboard and mouse, blindly typing controlled commands, flailing the mouse pointer around and weaponizing mouse clicks.


I predict they will attempt to shut down the talk before it happens via legal means.


I have a question about this: With all the BlackHat / Defcon talks that have been squelched over the years in the run-up to the conference... why do they still advertise talks ahead of time?

Wouldn't it be much, much better to just keep the topics secret until the moment of disclosure?


That would derail the hype train


Is this actually made by Brinks? Loomis offers a similar product named "SafePoint".

From the pictures, it looks like the same hardware.

I wonder if the vulnerability is specific to the customer or the hardware?


Made by Tidel. http://www.tidel.com/.


Interesting article aside, was the shadowy ninja with a fedora really necessary?


I'm starting to think it's actually a running joke and all technical/security writers just have a League of Shadows to keep cyberfedorabushido alive


Also, isn't that figure holding the sword with the blade pointed towards his own neck? The blade looks pretty straight compared to most katana pictures I've seen but notice the tip.


It's straight because it's a Ninjato[1], not a katana. It's most definitely being held backwards though.

[1] https://en.wikipedia.org/wiki/Ninjat%C5%8D


Science is my rifle. Intellect is my blade.


Somebody took Microcorruption a bit too literally!


I was expecting something like this:

https://www.youtube.com/watch?feature=player_detailpage&v=nB...

but USB sticks are probably a little less suspicious than crow bars.


> safe had a usb port.

nothing else to read here.


So if they can use the exploit to open the safe, I'm assuming there is a way to then lock the safe down and keep the Brinks and company employees out of the safe?


Is it exactly 60 seconds? Or more like 58? or 71? Not a fan of such sensationalist headlines.


It's probably blind so it's more like "about a minute".

