"You could very easily make the safe lie about the cash total it has," he said. "It would be very difficult to track that theft down because the bank would receive exactly how much money it thinks it should be getting."
The code for getting administrator access is surprisingly simple: it's just 100 lines of macro code, which are instructions for a certain sequence of mouse and keyboard strokes that crack the CompuSafe and can be supplied using a USB stick.
Salazar said they've been in contact with Brinks' technical team for more than a year about the problems.
Brinks hasn't fixed them yet, in part because there appears to be a somewhat complicated supply chain, Salazar said. Brinks designed the safe, but the software is actually made by another company called FireKing Security Group.
For legal reasons, they're not going to release the full attack code at Def Con, but "after the presentation, it will be fairly apparent to anybody who has a little bit of time how you could write your own code," Petro said.
They hope the disclosure will prompt fixes. "We're going public to try to raise the awareness and hopefully get it fixed," Salazar said.
But the fixes aren't easy, and will likely require physical visits to safes, as the CompuSafe needs BIOS updates and other changes. Even then, it's questionable whether the safes would be fully secure.
"At the end of the day, there is still an exposed USB port," Petro said. "And it's still running Windows XP."
Brinks officials couldn't be reached for comment.