
How I hacked modern vending machines - matteopisani
https://hackernoon.com/how-i-hacked-modern-vending-machines-43f4ae8decec
======
ben1040
This reminds me of how in the '90s my university gave out smartcard student
IDs that had a little cash account on them for vending machines and dorm
laundry rooms.

They installed readers into the soda machines, and they put a central panel in
each laundry room with a reader and a keypad for you to indicate which washing
machine you wanted to activate.

We found out that the vending machine hardware would query the card before
selling you an item, but wouldn't debit your account until dispensing it, in
case the vend failed. If you timed it just right and removed your card after
it was interrogated but before the item dropped, you'd get it for free.

The smartcard project was only a 2-year evaluation and the university decided
to move away from it, so the smartcard company came and took away all their
hardware.

When they did this, they took the panel down out of the laundry rooms, but did
not fully clean up the wiring coming out of the back of each washing machine.
One of my roommates got curious and discovered shorting the leads of that
wiring to a battery would mimic the signal the smartcard panel would use to
tell the machine it's been "given" a quarter. Do that 3x and you got a 75 cent
wash for free.

~~~
blacksmith_tb
Real-world race condition! In the same period I remember the copiers in my
college library would debit their magstripe cards about 1-2 seconds after the
'copy' button was pressed. A frugal / amoral user could easily eject the card,
reinsert, copy the next page, eject, reinsert...
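
Added example, not part of the comments above: a small Python model of the ordering ben1040 describes (query, dispense, then debit) next to a debit-first ordering that refunds on a failed vend. The `Card` class, function names and amounts are constructed for illustration and do not represent any real card or reader API.

```python
class CardRemoved(Exception):
    """The reader tried to talk to a card that is no longer inserted."""

class Card:
    """Constructed stand-in for a stored-value card (not a real card API)."""
    def __init__(self, balance_cents):
        self.balance_cents = balance_cents
        self.present = True

    def read_balance(self):
        if not self.present:
            raise CardRemoved()
        return self.balance_cents

    def write_balance(self, value):
        if not self.present:
            raise CardRemoved()
        self.balance_cents = value

def vend_check_then_debit(card, price, dispense):
    """Ordering from the comment: query the card, dispense, debit last."""
    if card.read_balance() < price:
        return "declined"
    dispense()  # the card can be pulled while the item drops
    try:
        card.write_balance(card.read_balance() - price)
    except CardRemoved:
        return "dispensed-unpaid"
    return "dispensed-paid"

def vend_debit_then_dispense(card, price, dispense, vend_ok=True):
    """Debit before any motor turns; refund only if the vend fails."""
    try:
        balance = card.read_balance()
        if balance < price:
            return "declined"
        card.write_balance(balance - price)
    except CardRemoved:
        return "aborted"  # nothing dispensed, nothing charged
    if vend_ok:
        dispense()
        return "dispensed-paid"
    try:
        card.write_balance(card.read_balance() + price)
        return "refunded"
    except CardRemoved:
        return "refund-owed"  # record for a manual refund; no stock was lost
```

With the debit committed first, a card pulled at any point either aborts the sale or leaves the customer owed a refund, never the operator owed an item.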

------
innocentfelon
Val Kilmer did the same thing to a coffee vending machine in the movie _Real
Genius_.

Instead of using Android, he used a freezer and a small hacksaw to section off
coin-sized slugs from a frozen rod.

Have to give the points to Kilmer’s character because in addition to doing it
first, his crime left almost no trail and didn’t come with felony exposure
(most juries would not believe ice slugs are counterfeiting)

Making a daily habit of getting free hacked coffee could result in felony
convictions and imprisonment in many countries for violating electronic data
laws. I know FBI agents happy to bring charges for matters this trivial. This
is where they’d rather spend their time instead of pursuing big league
criminals.

Still a great article to read.

~~~
bluntfang
>I know FBI agents happy to bring charges for matters this trivial.

Just curious, what does one need to do in order to network with FBI agents and
have them divulge what they're willing to charge people with?

~~~
innocentfelon
Be very unlucky. Then the networking happens against your will.

The divulging comes in the form of an indictment, or, if you decide your
integrity is not for sale and you turn down a plea offer, multiple days of
hearings, trial, and sentencing.

------
SmellyGeekBoy
I guess plenty of people are going to come in here to wave their e-peen and
comment on how trivial and obvious this "hack" is, but that's kind of the
point. Us developers could learn a lot from this - mainly how _not_ to design
any kind of payment app.

~~~
csmattryder
"Never trust the client" is a lesson every developer learns at some point.
Incredible how an entire company missed that, but I'd put this down to "bosses
want this out by DATE? Alrighty..."

~~~
nojvek
Vending machines could be in buildings that block cell reception. I bet one
of the requirements was that the app should work offline.

And there you have it. Most people don’t understand security. The business can
say they are MVP and “secure enough”.

~~~
paulie_a
If they are actively blocking it the building is doing something illegal.

~~~
androidgirl
It could be passive though. For example, underground parking lots both have
vending machines and block my cellular reception.

------
ZeWaren
We had one connected vending machine in the building. Its credit database was
on a remote server, so such hacks would not work.

However, if you unplugged its ethernet connector and bought something, then
somehow you would get your food/drinks and your transaction was stored into a
buffer until the machine went online again.

That buffer being in volatile memory, unplugging the power cord of the machine
was enough for it to forget you ever bought something.

------
cataflam
Fun stuff!

The article has an old vibe of hacking articles published in the '90s/'00s (in
a good way).

> obviously, it was password protected

Not obvious at all. Last time I checked, WhatsApp or Telegram didn't password
protect their database (that was a while ago admittedly). And obviously, it
doesn't actually provide that much protection if the key is on the phone, as
the article demonstrates.

------
doctorRetro
"One day I decided to interrupt seasoning myself in the bat-cave and direct to
my hometown to get some sunlight..."

What?

~~~
curiousDog
I was laughing at that myself. Guessing this is something that sounds way
better in the author's native language.

~~~
yuchi
Yeah, seasoning in Italian never means “adding spice to some food” but only
“keeping it in a cold/dry place and waiting for it to be ready” (usually months,
sometimes years).

~~~
namdnay
Good to know, thanks! I guess the term in English would be "maturing"

~~~
iamjaredwalters
Curing?

~~~
dcm1104
aging?

~~~
tk75x
marinating.

------
cphoover
I don't understand why the vending machine would trust the client to tell it
how much credit the user had without first verifying from an upstream
centralized db. This is bad design in my eyes...

~~~
tokyodude
AFAIK this is how Felica works which is the system for many of the transit
systems across the world as well as a payment system built into feature phones
since 2005, Android since 5-6 years ago and iPhone since iPhone7 in Japan and
8 everywhere else.

[https://en.wikipedia.org/wiki/FeliCa](https://en.wikipedia.org/wiki/FeliCa)

I don't know for a fact that it works without a DB but I do know that they
exist in places that don't seem to have access to a DB and they work instantly (no
long pause like credit cards).

~~~
lifthrasiir
It works without a DB as far as I know, and there are a handful of incidents where
people knowingly blocked a connection to the payment system to charge the card
with no money spent. Primary security measures against fraudulent transport
cards had been blacklisting, which seems to work well enough as there are not
many hacked cards.

------
kkotak
These are the types of things that keep me worrying about self driving cars
and if an entire system can be hacked to do the opposite of avoiding obstacles
by malicious forces.

------
BuckarooBanzay
Would a simple backup/copy of the "charged" database have sufficed? e.g:
backup the db with a 5$ charge, use the credits, restore the database...

~~~
titaniczero
Absolutely. I've seen these vending machines before, naive me assumed they had
a server-side database. I was completely wrong..

~~~
softawre
Still, is it worth stealing a 1$ coffee to potentially be criminally charged
with theft?

~~~
logfromblammo
Is there any duty of care for the vending machine software vendor towards the
owners of the vending machines? Are they not playing the role of a virtual
clerk that allows shoplifters to walk out of the store unchallenged whenever
they yell out "It's okay; I've already paid for this!"?

It's worth stealing a $1 coffee to expose the extreme negligence behind the
virtual clerk software. The software is essentially turning the vending
machine into an honor box, and presumably the owner of the machine actually
wanted proof of payment before vending anything, or they wouldn't have bought
the machine. They could have put up a mains-powered samovar with a coin box
bolted to it and a sign reading "1 euro per coffee. Call (+39) 355 5555555 to
report problems."

It's not even clear to me who is being stolen from. How does Argenta determine
how much they are to pay the machine owner? How do they determine how much to
pay the machine servicer? If Argenta pays for the coffee, and the owners and
servicers are unharmed, potential theft of coffee becomes an incentive to
repair their software. Otherwise, you'd just be screwing some vending machine
operator whose only failing was to trust Argenta over a dumb(er) coin and note
validator.

------
lapinot
Much simpler hardware hacking: slightly bend the control panel and/or the door
with a small lever (a coin might be sufficient). On some models, opening the
door starts the "admin mode" where you can control each spire, do tests,
change prices etc. The sensor for door opening can be fooled by the slight
bend, hence allowing you to take whatever you want.

~~~
jaclaz
Sure, also lockpicking the door open would work, and if you had the
possibility to bring the vending machine at home and disassemble/study it you
would probably also find another three different ways, what gives?

Still, you would need to perform some "unusual" physical action on the
physical machine and you might be noticed by people passing by or by a
surveillance cam, this app hack is instead "clean".

And it makes you think about the reliability of any similar app-based payment
system; in this case it is "their" money[1] that "you" can "steal" (by drinking
and eating for free), but what if it was "your" money?

[1] so sooner or later the vending machine firm would notice

~~~
beautifulfreak
Yeah, I pictured the victim too. A friend of mine owned vending machines. He
paid rent for each location, and any loss of product came from his own pocket.
Similarly, I remember reading a letter to my local newspaper by a woman whose
husband managed the newspaper vending machines. She pleaded for people to stop
taking extra copies, because her husband had to pay for them. I always thought
the newspaper ran those machines, but they're serviced by independent
contractors here.

------
bluedino
This feels like a 2600 article, in a good way.

~~~
voltagex_
Yep, really solid and you could apply a lot of the steps (creating a
debuggable APK) to other projects.

------
turbo_fart_box
This is great. I love the step by step guide. I didn't know you could modify
code and just resign the APK in order to flip the debug switch.

------
Insanity
So in the end he informed the company, and they fixed it? I wasn't clear on
the ending with 'hogus bogus', maybe I missed something.

Pretty neat project to undertake. Kudos :D

~~~
Robadob
I took the stock photo of coins to suggest that they disabled the App, leaving
the only means to pay as the old fashioned method.

~~~
3chelon
This is why I so love the millennials' habit of communicating via hieroglyphs
when we have perfectly good words.

~~~
gmjoe
What do millennials have to do with it? You think baby boomers don't use emoji
too?

Relax and have some fun. ;)

~~~
EForEndeavour
Speaking as a millennial, millennials as an age group have a lot to do with
it. Have you actually communicated in writing with people of varying age
groups? It's blatantly obvious to anyone with "millennial" / "Gen Y" (loosely:
born after 1985) family or friends that emoji use is heavily driven by younger
users.

Further reading: [http://time.com/4834112/millennials-gifs-emojis/](http://time.com/4834112/millennials-gifs-emojis/)

------
nullbyte
Fantastic article. This is the stuff I like to see on HN.

------
iforgotpassword
Most of these systems are inherently insecure. Tbh, I cannot think of a simple
way to make this really secure that doesn't require a somewhat more
sophisticated system, especially if you don't want the machine to stop working
if network connectivity drops, or servers of the vendor are down. If you come
up with a really robust system, you're probably gonna charge quite a bit more
than the company offering this system, and I'm pretty sure most customers just
don't care or take this seriously.

The other point is that often times these machines that support an app get set
up in companies for their employees, where you can be reasonably sure that
everyone will play by the rules. We have a coffee machine at work that uses
RFID tokens to handle credit with no security or encryption, and it works,
even though we're all IT folks. A university with a CS department and its
respective students is a different story though. :-)
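
Added example, not part of the comment above or of any vendor's code: one way to let a machine accept app-held credit offline, which also speaks to BuckarooBanzay's backup/restore question earlier in the thread. It assumes a secret key held by the issuer and the machine but never by the app, and a per-wallet counter the machine keeps in non-volatile storage; all names and values are constructed. A restored token is only caught by a machine that has already seen a newer one, so several offline machines would still need to sync counters.

```python
import hashlib
import hmac
import json

ISSUER_KEY = b"constructed-demo-key"  # assumption: never shipped inside the app

def sign_wallet(wallet_id, credit_cents, counter, key=ISSUER_KEY):
    """Token the app stores: the balance plus a MAC it cannot recompute."""
    body = json.dumps({"id": wallet_id, "credit": credit_cents, "ctr": counter},
                      sort_keys=True)
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}

def credit_of(token):
    return json.loads(token["body"])["credit"]

class Machine:
    def __init__(self, key=ISSUER_KEY):
        self.key = key
        self.last_ctr = {}  # wallet id -> last counter spent; must survive power loss

    def purchase(self, token, price):
        expected = hmac.new(self.key, token["body"].encode(),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, token["tag"]):
            return "rejected: bad signature", None   # edited balance
        wallet = json.loads(token["body"])
        if wallet["ctr"] <= self.last_ctr.get(wallet["id"], -1):
            return "rejected: stale counter", None   # restored backup
        if wallet["credit"] < price:
            return "rejected: insufficient credit", None
        self.last_ctr[wallet["id"]] = wallet["ctr"]
        # Hand back a fresh token with the reduced balance and the next counter.
        return "ok", sign_wallet(wallet["id"], wallet["credit"] - price,
                                 wallet["ctr"] + 1, self.key)
```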

------
danilocesar
As a reward for his finding, did the company give him a .db file with 500
credits in coffee?! :)

------
tokyodude
On the one hand it's interesting to see the machines get hacked. On the other
hand I love living in a country where the machines generally don't get hacked
or vandalized because it means we get to have the convenience of more
machines.

~~~
fatnoah
My favorite vending machine moment in college occurred when the person
stocking the soda vending machine forgot to lock it. We all enjoyed free soda
and, most impressively IMHO, no one took advantage and tried to take all of
the soda for themselves. People just treated it like a refrigerator and would
grab a soda when they were so inclined.

~~~
GFischer
I remember my mind being blown when I saw a newspaper dispensing machine in
Canada for the first time...

That would absolutely not work in South America.

You can clearly see which tourists are from our part of the world in Europe
where paying for transport is "optional"...

------
14
Almost felt like security through obscurity. Because this modify-the-app hack
was huge for cheating in some games on jailbroken iPhone years back. I would
increase my coins and keep playing. I was under the belief developers stopped
it years ago by making purchases done server side. So to see that in this app it
is done locally on the device was a big surprise to me and I would not have
guessed it possible (in the sense that it would be crazy to ever build a
payment app that way, as this abuse has been done with games for years).

------
danilocesar
Honestly, what did the company say when he reported the security issue?

------
orev
Curious how the disclosure was handled here. Was it responsible? I can easily
see a black market of accounts popping up at this university. It takes a long
time to develop hardware stuff, and a month is probably not reasonable to
expect changes to be made.

------
danilocesar
I don't want to be that guy, but....

He didn't hack the vending machine. He did hack the app. It was very cool and
such, but not what I was expecting from the headline.

~~~
athenot
The vending machine trusts the app without any checks, therefore its security
posture depends on how secure the app is.

------
1024core
Does this require a rooted device, or will any Android device work?

------
caf
Probably could have boosted the "walletFreeVend" value also.

------
mkesper
How I hacked a totally insecure android vending machine wallet app would be
more to the point, but nice anyway.

~~~
leowoo91
Do you guys also feel like many people started to become too high level, not
getting satisfied with simple app hacks? Hello future.

~~~
mkesper
Sorry, didn't mean it negatively. But "hacking a vending machine" sounded much
more like touching the real hardware. Teaches an important story about app
security, in any case.

~~~
leowoo91
I really mean the baseline is just getting higher among devs; that wasn't the case
before smartphones were that popular (I've read your comment as
'challenge' is there, not negative)

