Hacker Pops Top On NFC Vending Machines

Vending machines used to be a pretty simple affair: you put some coins in, and food or drink that in all likelihood isn’t fit for human consumption comes out. But like everything else today, they are becoming increasingly complex Internet connected devices. Forget fishing around for pocket change; the Coke machine at the mall more often than not has a credit card terminal and a 30 inch touch screen display to better facilitate dispensing cans of chilled sugar water. Of course, increased complexity almost always goes hand in hand with increased vulnerability.

So when [Matteo Pisani] recently came across a vending machine that offered users the ability to pay from an application on their phone, he immediately got to wondering if the system could be compromised. After all, how much thought would be put into the security of a machine that basically sells flavored water? The answer, perhaps not surprisingly, is very little.

The write-up [Matteo] has put together is an outstanding case study in hacking Android applications, from pulling the .apk package off the phone to decompiling it into its principal components with programs like apktool and jadx. He even shows how you can reassemble the package and get it suitable for reinstallation on your device after fiddling around with the source code. If you’ve ever wanted a crash course on taking a peek inside of Android programs, this is a great resource.

By snooping around in the source code, [Matteo] was able to discover not only the location of the encrypted database that serves as the “wallet” for the user, but the routine that generates the encryption key. To cut a long story short, the program simply uses the phone’s IMEI as the key to get into the database. With that in hand, he was able to get into the wallet and give himself a nice stack of “coins” for the next time he hit the vending machines. Given his new-found knowledge of how the system works, he even came up with a separate Android app that allows adding credit to the user’s account on a rooted device.

In the video after the break, [Matteo] demonstrates his program by buying a soda and then bumping his credit back up to buy another. He ends his write-up by saying that he has reported his findings to the company that manufacturers the vending machines, but no word on what (if any) changes they plan on making. At the end of the day, you have to wonder what the cost-befit analysis looks like for a full security overhaul when when you’re only selling sodas and bags of chips.

When he isn’t liberating carbonated beverages from their capitalistic prisons, he’s freeing peripherals from their arbitrary OS limitations. We’re starting to get a good idea about what makes this guy tick.

23 thoughts on “Hacker Pops Top On NFC Vending Machines

  1. As someone who used to write software for vending machines and vending machine peripherals, you wouldn’t be surprised by how insecure it all is. It’s basically duct tape, bubble gum and paper clips all the way down.

  2. “After all, how much thought would be put into the security of a machine that basically sells flavored water? The answer, perhaps not surprisingly, is very little.”

    They probably have the same viewpoint about their product as you do. So why indeed?

  3. I once encountered an extremely broken soda machine in the basement of a building with no cellular coverage. It had a credit card reader, which used some cellular provider to authorize purchases. After swiping your card, it would tell the vending machine you had credit for the most expensive item. When you selected an item, it would then try to authorize your card, and not having signal, would time out and say “cash only.” But then the soda machine thought it was in cash mode with a bunch of money inserted, so if you selected something again, not only would it vend, BUT it would also give you change! This continued to work until it finally refused to dispense anything because it ran out of change to give you.

    1. Exactly. Or the contactful vending machine that was actually a small EEPROM with the credit value and a small checksum. Or the vending machine that made coffee when a sufficient strong magnet vas put in a corner of the faceplate.

      Not to mention the brute force approach. A malfuncioning vending machine that eats the money in a warehouse with big guys driving forklift could be forced to spit out the “foods” tather easily…

  4. On the less spooky side: vending machines usually have a nice array of salvageable parts. Wonderfully expensive gearhead motors- intended to last a while- cherry switches, reprogrammable motherboards -often PICs and a few Atmel which are the same thing now. Motor drivers, hall effect and reed magnet swithes, photo interruptors, modular gearboxes, oversized torquey steppers, and other goodies for hacking. All is needed is to find a scrap yard that has them and doesnt mind poking around and have to pay usually by the pound which is minuscule.

  5. “he has reported his findings to the company that manufacturers the vending machines, but no word on what (if any) changes they plan on making. ”

    “but no word on what (if any) chaRges they plan on making against him. ”


  6. A slightly off-topic rant: Vending machines that won’t even accept cash when the Internet is down.

    One day the Internet was down in my area. I went to an ice vending machine. It wouldn’t even accept cash. Went home and noticed that the Internet was still down. I knew it wasn’t due to not having any ice as it apparently doesn’t have a mechanism to detect when it’s out as a week or so earlier when I tried to buy ice just before the hurricane. It happily took my money, made a bit of noise but no ice came out. Apparently there was so much demand that it was unable to keep up with ice production.

  7. Cool find and one of the reasons I have NFC disabled on my phone lol. Glad he did the good thing and informed the vending company. In my experiences with CPO on old machines, it will take them 20-30 years to patch it. Still, glad to see someone fighting the good fight.

    1. I guess companies install these vending machines not for the revenue, but to educate their employees in IT security related matters. Kind of a “hacking challenge”. At one workplace, as I casually remarked that the “secret keys” are not really that well protected, I was told that *everyone* in the department had also completed that challenge already. Ouch.

Leave a Reply

Please be kind and respectful to help make the comments section excellent. (Comment Policy)

This site uses Akismet to reduce spam. Learn how your comment data is processed.