To Turn Plain Paper into Real Money, a Spanish Researcher Hacked a Currency Detector
Counterfeit money doesn’t have to mean cleverly doctored forgeries with watermarks and holograms. Despite the advanced security measures on today’s paper money, bank notes are only as authentic as the machine that checks them. That’s what Ruben Santamarta, a Spanish researcher at computer security company IOActive, set out to prove by hacking a currency detector so it would accept a simple piece of paper as a legitimate euro note.
In a blog post on the IOActive website, Santamarta explains how he modified the firmware in a device called the Secureuro, which is commonly used in places like shops and offices to check for counterfeit notes. “In Spain we have a saying ‘Hecha la ley, hecha la trampa’ which basically means there will always be a way to circumvent a restriction,” he writes. “In fact, that is pretty much what hacking is all about.”
He then goes through the hacking process in detail, but emphasises he’s not disclosing anything that could help would-be counterfeiters fool the machine “as is,” or actually forge a banknote. “My sole purpose is to explain how I identified the code behind the validation in order to create ‘trojanized’ firmware that accepts even a simple piece of paper as a valid currency,” he explains. “We are not exploiting a vulnerability in the device, just a design feature.”
The first step was research. Santamarta found manuals and YouTube videos that showed how the Secureuro functions, and downloaded the firmware straight from the website of a company that sells the device. He analysed the code and found where the number of invalid banknotes was counted. Digging a little deeper, he came across the functions that validate the value of notes based on their security features—a hologram stripe on denominations of €5, €10 or €20, and a hologram patch on €50, €100, €200, and €500 notes.
He then bought a physical device and used what he learned to modify its firmware so it would accept his homemade “IOActive currency” (a sheet of paper with some crude hand-drawn numbers and a skull on it). A video of him putting the note through the Secureuro machine shows the device declaring it a valid €100 note.
The implication is that, in the absence of more stringent built-in security measures, anyone with access to a device like this could install modified firmware similar to Santamarta’s and have counterfeit notes passed off as legitimate. And unlike him, some of them might not just do it “for fun and non-profit.”
By Victoria Turk