Ruben Santamarta, Principal Security Consultant at IOActive and obviously a hacker at heart, has recently decided to analyze the security of Secureuro, a counterfeit money detectors that is used widely in Spain in placed where cash is accepted (shops, banks, etc.).
By analyzing the technical specifications of the device, watching videos on how it's used, and by analyzing, reverse engineering and modifying the firmware installed on it, he managed to make it accept any piece of paper as legitimate currency.
He explained in depth his approach to the whole endeavor in a blog post, and the post gives good insight into how a hacker's mind works.
But, he made sure to note that he didn't not disclose any trick that could help criminals to bypass the device "as is".
"My intention is not to forge a banknote that could pass as legitimate, that is a criminal offense. My sole purpose is to explain how I identified the code behind the validation in order to create 'trojanized' firmware that accepts even a simple piece of paper as a valid currency," he wrote. "We are not exploiting a vulnerability in the device, just a design feature."
In fact, despite the device manual claiming that firmware is protected against reading and reverse engineering by an encryption system, the sad fact is that this system is nonexistent.
After he finished with the changes to the firmware, he bought a Secureuro device to test the firmware on it. Sure enough, the device said that his poorly drawn "banknote" is legitimate.
"The impact is obvious. An attacker with temporary physical access to the device could install customized firmware and cause the device to accept counterfeit money. Taking into account the types of places where these devices are usually deployed (shops, mall, offices, etc.) this scenario is more than feasible," he comments, adding that he hopes his research will spur vendors to consider building in good security defenses.
Reading our newsletter every Monday will keep you up-to-date with security news.
Receive a daily digest of the latest security news.