That's true, but isn't the company making these devices? If they are making them, they must have someone capable of operating an x-acto knife. Also, if you are concern about an attack that requires someone to load code very slowly from floppy, wouldn't you also be concerned about someone using a battery operated rotary tool to cut the epoxy around the pins, and then connecting probes to those pins which would allow to than connect the floppy drive.
Epoxied ports are like locks. They're there to keep honest people out and to slow down (and in the case of epoxied ports, really slow down) dishonest people.
I don't know where the hardware was going, but computers are often either located in places where only trusted employees are permitted, or where there is not-infrequent foot traffic. Combine either trusted employees or random, unpredictable passers-by with regular inspection of the hardware, and you have a pretty decent solution.
Epoxied ports can also be used as an after-the-fact intrusion warning. You know the thing was epoxied from the factory. If your inspection reveals that the epoxy is missing or has been altered, then you're almost certain that something nefarious was going on.
Some time ago, around 2008, I let my friend use my bicycle for a few weeks. He ended up loosing a key to the bike lock, and I had to cut off the lock to get the bike out. So here I was, with an battery operated angle grinder, wearing a hoody, cutting a bike lock in the middle of downtown San Diego at 4pm on a weekday with streets full of people, 4 blocks from central jail, and cops going up and down the street. It took me 15 min to grind though the lock, and it made a lot of noise. No one even bothered to ask me what I was doing, people were walking by as if I didn't exist. Cops drove by without stopping.
My point is, if these machines were destined for public places, it wouldn't surprise me if a man in overalls could sit next to them and grind away epoxy with impunity for hours before anyone would think twice about it.
From the story, it sounds like the client actually cared about the security of these devices. I would be somewhat surprised if they were left unobserved long enough for someone to surreptitiously carve out the epoxy and attach a drive to it.
Though, we can't know if the client was looking for intrusion prevention, or merely after-the-fact intrusion detection. :)
I looked up the safe, and it looks very expensive, and something that's stored in a locked, video taped room? Something the average employee/theif would never even get a chance to play with?
These security hacks are cute, but sometimes I feel they are nothing more than advertisements? Don't we always have one of these "golly gee, I had no idea?" hacks around this time of year?
If I didn't have a company to promote, I don't know if I would come foreward with vunerabilities? Especially for a theiving bank? (I don't like banks these days. The fees are a slap in the face, along with pawn shop/Payday interest rates they charge us, and in return give us 0% on our money in most cases? $1500 minimum balance in order to not pay a monthly service charge? And, yes--I wished we let them suffocate in 2008. The myth of Capitalilism?)
IMHO--the biggest deterrent to crime these days is the proliferation of video cameras. They are everywhere.
You're likely mistaken. The device whose ports we are talking about epoxying was referred to by david_shaw. Noone in the thread has speculated as to the type or model of device. The only information we have about the device comes from david_shaw:
"I can't give specific details (for obvious NDA-related reasons), but this application was a large device that interfaced with mission-critical hardware -- and ran Windows XP embedded."
> If I didn't have a company to promote, I don't know if I would come foreward with vunerabilities? [sic]
If you were not doing the research for a paying client, nor were you doing it to publish a report, why would you be doing it?
> ...the biggest deterrent to crime these days is the proliferation of video cameras...
London has a very dense CCTV deployment. Look at the crime-reduction studies that have been done since their deployment. It'll be enlightening.
Also, I am now on notice that you will not likely work for a bank. Thank you for that information, I guess.
And, uh, my bank is a lot better than yours, it seems. Shop around!
Again, if I was a bank that used these safes, I would not only epoxy the USB ports but also instruct the people picking up the money from them to inspect the epoxy. Think of it like the seal on an envelope. Apply the epoxy, mix in some glitter or something so it has a unique pattern, and take a photo of the epoxied port at time of application. Compare pictures when picking up the money. It won't keep attackers out, but it will let you know if somebody got in.
This is a less than perfect solution, of course. The manufacturer of these safes deserves all of the flack it gets for not fixing the vulnerability /tout suite/. If I remember the article correctly, they've known about the attack for a year!!!
