Hackers Break Currency Validator To Pass Any Paper As Valid Euro 162
Trailrunner7 writes "If espionage is the world's second-oldest profession, counterfeiting may be in the running to be third on that list. People have been trying to forge currency for just about as long as currency has been circulating, and anti-counterfeiting methods have tried to keep pace with the state of the art. The anti-counterfeiting technology in use today of course relies on computers and software, and like all software, it has bugs, as researchers at IOActive discovered when they reverse-engineered the firmware in a popular Euro currency verifier and found that they could insert their own firmware and force the machine to verify any piece of paper as a valid Euro note. 'The impact is obvious. An attacker with temporary physical access to the device could install customized firmware and cause the device to accept counterfeit money. Taking into account the types of places where these devices are usually deployed (shops, mall, offices, etc.) this scenario is more than feasible.'"
Well duh (Score:5, Insightful)
If you can physically access and modify a machine, you can change the way it behaves. Is this really news? Can they do it wirelessly? Over the internet?
Re:Firmware update? Unlikely. (Score:5, Insightful)
"Hello, I'm from the maintenance department and I'm here to update your firmware to protect you from the exploit that was recently published on 2013-10-13."
Re:Firmware update? Unlikely. (Score:5, Insightful)
According to TFA, the guy went and analyzed the firmware to discover how it worked, and then noted that you could bypass the check routines in it to always set the "good" pins high. About the only thing even mildly worrying is that there is apparently no crypto lock on the firmware, but a crypto lock on the firmware would be useless if you have physical access to the machine anyway, only slightly complicating the job of redesigning the internals, so that's not saying much. There's a reason these machines are secured with a lock and a sturdy metal case.
Re:Well duh (Score:5, Insightful)
This part of the article is what struck me:
So it sounds more like the company said "our stuff is secure, awesome, and hax0r proof", and someone essentially said "challenge accepted".
That he could do the initial reverse engineering without ever even having had the device (he downloaded just the free firmware) tells me that this device was pretty ripe for the picking.
Counterfeiting ? (Score:4, Insightful)
If it accepts _any_ piece of paper, I don't see how that is counterfeiting - theft and fraud, sure, but if I make no effort to copy something, how is that still counterfeiting?
Re:Second-oldest profession FTFY (Score:4, Insightful)
You are absolutely right. Here are the top ten similarities between politics and programming:
Re:Firmware update? Unlikely. (Score:5, Insightful)
> Which is a vulnerability of your employees
> allowing access to some stranger...
I work in an office with over 500 employees. Do you think I know everyone who works in security, telecom, and I.T.?
Re:Firmware update? Unlikely. (Score:4, Insightful)
And how did that work out for him?
Don't be so smug. Crimes like these have a reverse survivorship bias. You usually
only hear about the ones that get caught or at least leave evidence behind.