Devices that collect coins for payment typically use standardized coin acceptors like the one shown here. These devices use a protocol called ccTalk to let the system know what coins were inserted. [Balda] has built tools for implementing the ccTalk protocol to let you play around with the devices. He also gave a talk at DEF CON (PDF) about the protocol.
[Balda] got started with ccTalk because he had a coin acceptor and wanted to add it to a MAME cabinet. His latest project converts ccTalk to standard keyboard keystrokes using a Teensy. The MAME cabinet can then interpret these and add to the player’s credits.
There are two interesting sides to this project. By providing tools to work with ccTalk, it’s much easier to take a used coin acceptor off eBay and integrate it into your own projects. On the other hand, these acceptors are used everywhere, and the tools could allow you to spoof coins, or even change settings on the acceptor.
Sounds like security through obscurity, never the best solution.
From the linked article:
“The specs are available on the Crane Payment Solutions company(previously Money Controls LLC) website : http://www.craneps.com/en/products/view/151”
What is this “obscurity” you speak of?
From the PDF:
“Some parts of the specs are only available after signing a NDA :-(”
Also from the PDF:
“There is an optional encryption layer and before that there was a mechanism to allow certain commands to be PIN number protected. Also, in January 2010, commands were introduced with DES encryption.”
DES encryption is not exactly what you call “security through obscurity”
Sure there are proprietary vendor specific commands but the basic stuff is all there in the spec.
“and the tools could allow you to spoof coins, or even change settings on the acceptor”, I guess if you already have physical access to the inside of the machine and can plug into the data bus. But if you’re already inside the machine, you could just grab the soda.
Have you ever been inside a soda machine? The soda is inside the refrigerator and the coin unit is on the outside of the refrigerator. To get at the soda, you have to open the refrigerator door by opening the latch that’s inside the front cover, behind that big ugly lock. You won’t get that door open without breaking the lock. However it may be possible to compromise the coin deposit signal without breaking the lock.
Yeah, I’ve seen the vending guys refill the machines. I guess I’m not sure how you could get at the internal wiring without opening the locked cabinet.
If you can hack the coin accepter without getting through the lock then you are superman. I am thinking that you have never seen the inside of them, I have, I have worked on them and rebuilt them. Once you are inside you access everything.
Pretty simply, I’d think sending the right sequence of pulses through a coil, to induce a signal into the wires coming from the coin acceptor. If you manage to get them right, and with a bit of luck, the machine will think they’re genuine coin pulses.
For the settings, presumably there are buttons on the coin acceptor unit that tell the main unit to change settings. I’d guess at one button on the locked inside, that enables extra options thru the keypad and display, through a menu system. Spoof that one button press and the cola is yours!
Encryption would pretty much stop this, I think. But while Youtube is full of stupid fake “scams” like this, I’ve never heard of anyone hacking a soda machine without having the key to it (and then that’s just MIT-style pranks). Is this a solution to a problem that existed, or just something they decided to add now that powerful MPUs are so cheap?
If the encryption’s only been added since 2010, that’s a lot of old machines out there, they tend to last a while. Although they’re usually leased, so are replaced more often. And if the encryption requires much in the way of processing power from the person operating it, 9 out of 10 will leave it alone. And so what? Have there ever been reported attacks on machines like this? Not including the amazing robot that French kid made, out of an old printer. That was very impressive.
http://hackaday.com/2013/03/25/hackaday-links-march-25-2013/
Here’s that clever French kid, and his friend.
@codered you could grab all the sodas, or you could modify the coin acceptor to think pennies are valid and count as 4 quarters. get it?
That would be a good way to make friends on your college campus, but you’d still have to pick the lock on the machine.
My first comment was a knee jerk reaction to the writer attempting to add pizzazz to the story by mentioning possible mischievous usage.
I was surprised at how strange these protocols are between the control boards and coin handlers. There is a real lack of feedback on what is going on, and more modern payment systems like RFID wallet cards use the same protocols.
I wrote a post about some of these holes a few years ago:
http://cybergibbons.com/uncategorized/cashless-vending-fail-analysis-of-a-rfid-payment-system/
Odd – didn’t mean for that to go in reply to that comment.
The long Con ;)
Salt water in the coin slot. It shorts out the controller and turns the soda machine into a winning slot machine dumping cans and change out of it.
http://www.snopes.com/crime/clever/saltwater.asp
I own a bunch of vending machines and right inside the coin slot is a drain that leads to the bottom of the cabinet. Also the coin path is filled with holes and the coin mech is sometimes in the center of the machine away from the coin slot. Perhaps this worked on old machines but not anymore. And why would you want to ruin my day. Do you think I am a rich man. This is a hard business and those parts are not cheap.
So how do you get 90 gallons of saltwater into the slot so that it floods the inside to above the slot to the controller. ALL controllers are above the coin slot. Let me guess you also believe the tennis ball unlock the car trick.
A sports drink bottle with a good squeeze to really spray it in. It looks like they fixed it in newer machines. Anyway I got probation before judgement so after paying damages and some community service it was like it never happened.
So it worked then? You’re not the kid in the news article on Snopes are you?
That wasn’t me, but yeh, back in the (omgifeelold) mid 90’s
even if we assume it’s possible to hack the coin slots to accept other coins or wooden nickels or whatever, if it is then someone needs to find it and follow responsible disclosure to have it fixed. saying “don’t do that because it could cause someone somewhere to compromise them” is just asinine.
CodeRed is right you have to have access to the inside of the machine in order to get to the wiring so the only way is if the soda co is stupid enough to forget to lockout the diagnostic mode so the pepsi, pepsi, diet pepsi, pepsi method would work (ok i made that one up but there is a sequence of product buttons to push to get the diagnostic mode)
or via the ir sensor ( i have heard that some machines now have a remote)
as of the non disclosure agreement you could sign the agreement and get the info then post it anonymously via p2p like tpb.
“as of the non disclosure agreement you could sign the agreement and get the info then post it anonymously via p2p like tpb.”
Wow, no honor amongst thieves, what problems are you solving by pirating this information?
We’ve been using these for years. Seen attacks where an external switch panel has been prised off to give access to 0V, then a specially crafted stiff wire with bends in the right places inserted into a gap in the cabinet.
They then wiggle this until they touch the cctalk line and start to add their own credit.
This is all years in the past since encryption was implemented. I have not seen any further attacks of this kind.
To hack the protocol to cheat coin operated machines you’d still have to break into the machine, which in these days mostly have audible alarms (yes this includes soda machines). What you actually want to know to cheat them is the electromechanical characteristics of this part of the machine so you can fabricate your own coins out of wood or cheaper metals; if they don’t have magnetic sensors..
How I know: I’ve talked to people who robbed coin operated machines for a living.. Mostly drink machines in front of shopping centers..
P.S. they all can have their tubular locks picked to open them, but the alarms are all RF disabled..
If you could reverse engineer the electromechanical sensors of this part or the paper currency part you could easily “jackpot” any type of machine with little effort or risk..
A lot of coins nowadays, particularly lower denominations, are made just of steel, plated with something. Copper, in the case of pennies, since they had to make the law in the 70s prohibiting people from taking pennies to the scrap yard and selling them for their scrap value, which was more than their cash value.
Some are made of cupronickel. Ebay tells me people make car parts out of it. Maybe a skilled smelter could mix some up.
But for the cheap coins, what’s a coin got that a steel disc hasn’t? In the future, probably even now, it’s practical enough to use a camera and cheap processor to recognise coins, but the methods still in use are the old magnetic / weight / size ones. Some experimentation would be nice, from a person who owns one of these machines. If one were suitably curious I suppose one could buy a coin acceptor themselves, perhaps cheap as part of some old arcade machine. Particularly, acceptors often have instructions in the manuals to adjust them to take new coins. So it must be something anyone could do with a screwdriver and a bit of sense.
There are actually money jars with the sensors in the lid where the slot you slide coins through that count the coins. They are cheap and in local stores in America.
If it’s the same detection you could refine a method off of this with little investment. Else ebay is the best bet but would likely require building a test system using this protocol. Something with a tweeter or LED indicator would work.
It’s interesting R&D, but you couldn’t publish it under a real name while in a US allied nation. You get visits from secret service or FBI just for having certain grades of paper or printing equipment there, you do something that could cost the government or government invested infrastructure a lot of money there, you could easily wind up dead or in a prison with a fixed trial..
I got some coin handlers out of machines in the early 2000s. I was very surprised at how good they were at rejecting invalid coins. I suspect trying to make fake coins to trick them would be a lot of work.
They are pretty good. I once found a 1962 silver quarter in my pocket only because the soda machine would not accept it.
Then it’s based on symmetry and magnetic properties. It could be done with composite molding materials. You’d be better off trying to fool the paper bill detection because of the overhead..
Notes are hard as well. The note handlers tend to be very high tech. But I don’t know about US bills, they look like they might be easy to copy.
US bills have been done in Asia, it’s red fibers, micro printing, heat transfer and chemical treating. Those markers can be fooled just with one chemical on any type of paper.
There is too much overhead though for either, it makes more sense to just pick the lock or crowbar it, except from the depletion aspect..
The link to the PDF seems mangled. In the original article it’s correct:
http://www.balda.ch/publications/defcon2013.pdf