I have been saying that one of the challenges with securing IoT is that IoT device makers don’t have the necessary security background, and the security industry does not do enough to make cyber-security more accessible to manufacturers. We should therefore not be surprised that 150 years of experience in making robust safes and transferring money securely did not help Brinks once they introduced a USB slot into one of their new models.
As reported by WIRED, improper handling of connected USB dongles allowed anyone with physical access to the safe to introduce certain scripts through this USB interface. The demonstrated scripts took over the embedded Windows platform and allowed commands to be executed. Those scripts created fake users on the system and used them to pop the safe door open in a minute. Also, since the scripts executed at a high privilege level, they could wipe all traces of the attack, as well as previous log entries of past deposits.