Counterfeit money detector easily hacked to accept fake money
Posted on 30 October 2013.
A lot of simple electronic devices that we use every day can be easily hacked, because security has long been at the very bottom of the list of things to care about when creating them.

Ruben Santamarta, Principal Security Consultant at IOActive and obviously a hacker at heart, recently decided to analyze the security of Secureuro, a counterfeit money detector that is widely used in Spain in places where cash is accepted (shops, banks, etc.).

By analyzing the technical specifications of the device, watching videos on how it's used, and by analyzing, reverse engineering and modifying the firmware installed on it, he managed to make it accept any piece of paper as legitimate currency.

He explained in depth his approach to the whole endeavor in a blog post, and the post gives good insight into how a hacker's mind works.

But he made sure to note that he did not disclose any trick that could help criminals bypass the device "as is".

"My intention is not to forge a banknote that could pass as legitimate, that is a criminal offense. My sole purpose is to explain how I identified the code behind the validation in order to create 'trojanized' firmware that accepts even a simple piece of paper as a valid currency," he wrote. "We are not exploiting a vulnerability in the device, just a design feature."

In fact, despite the device manual claiming that firmware is protected against reading and reverse engineering by an encryption system, the sad fact is that this system is nonexistent.

After he finished making the changes to the firmware, he bought a Secureuro device to test the firmware on it. Sure enough, the device said that his poorly drawn "banknote" was legitimate.

"The impact is obvious. An attacker with temporary physical access to the device could install customized firmware and cause the device to accept counterfeit money. Taking into account the types of places where these devices are usually deployed (shops, mall, offices, etc.) this scenario is more than feasible," he comments, adding that he hopes his research will spur vendors to consider building in good security defenses.

