This reminds me of how in the '90s my university gave out smartcard student IDs that had a little cash account on them for vending machines and dorm laundry rooms.
They installed readers into the soda machines, and they put a central panel in each laundry room with a reader and a keypad for you to indicate which washing machine you wanted to activate.
We found out that the vending machine hardware would query the card before selling you an item, but wouldn't debit your account until dispensing it, in case the vend failed. If you timed it just right and removed your card after it was interrogated but before the item dropped, you'd get it for free.
The smartcard project was only a 2-year evaluation and the university decided to move away from it, so the smartcard company came and took away all their hardware.
When they did this, they took the panel down out of the laundry rooms, but did not fully clean up the wiring coming out of the back of each washing machine. One of my roommates got curious and discovered shorting the leads of that wiring to a battery would mimic the signal the smartcard panel would use to tell the machine it's been "given" a quarter. Do that 3x and you got a 75 cent wash for free.
Real-world race condition! In the same period I remember the copiers in my college library would debit their magstripe cards about 1-2 seconds after the 'copy' button was pressed. A frugal / amoral user could easily eject the card, reinsert, copy the next page, eject, reinsert...
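The query-then-debit ordering in the two posts above, as an added example that is not from either commenter (the reader hardware is reduced to a constructed Card class; `dispense` is any callable reporting whether the vend succeeded): checking first and debiting after dispensing lets a card pulled in between get the item free, while debiting first turns a failed vend into a refund to reconcile rather than a free item.

```python
class Card:
    """Constructed stand-in for a stored-value card; `present` models it being pulled from the reader."""

    def __init__(self, balance_cents: int) -> None:
        self.balance_cents = balance_cents
        self.present = True

    def debit(self, amount: int) -> None:
        if not self.present:
            raise IOError("card removed")
        if self.balance_cents < amount:
            raise ValueError("insufficient funds")
        self.balance_cents -= amount

    def credit(self, amount: int) -> None:
        if not self.present:
            raise IOError("card removed")
        self.balance_cents += amount


def vend_query_then_debit(card: Card, price: int, dispense, pull_card_first: bool) -> bool:
    """The 1990s ordering from the thread: check balance, dispense, then debit."""
    if card.balance_cents < price:
        return False
    if pull_card_first:
        card.present = False      # card yanked after the balance check, before the item drops
    if not dispense():
        return False
    try:
        card.debit(price)
    except IOError:
        pass                      # item already dropped, money never taken: the free vend
    return True


def vend_debit_then_dispense(card: Card, price: int, dispense, pull_card_first: bool, pending_refunds: list) -> bool:
    """Hardened ordering: take the money first; a failed vend becomes a refund, never a free item."""
    try:
        card.debit(price)
    except (IOError, ValueError):
        return False
    if pull_card_first:
        card.present = False      # too late: the debit has already been written
    if dispense():
        return True
    try:
        card.credit(price)
    except IOError:
        pending_refunds.append(price)  # persist this and settle it when the card is next seen
    return False
```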
Val Kilmer did the same thing to a coffee vending machine in the movie Real Genius.
Instead of using Android, he used a freezer and a small hacksaw to section off coin-sized slugs from a frozen rod.
Have to give the points to Kilmer’s character because in addition to doing it first, his crime left almost no trail and didn’t come with felony exposure (most juries would not believe ice slugs are counterfeiting).
Making a daily habit of getting free hacked coffee could result in felony convictions and imprisonment in many countries for violating electronic data laws. I know FBI agents happy to bring charges for matters this trivial. This is where they’d rather spend their time instead of pursuing big league criminals.
I guess plenty of people are going to come in here to wave their e-peen and comment on how trivial and obvious this "hack" is, but that's kind of the point. Us developers could learn a lot from this - mainly how not to design any kind of payment app.
"Never trust the client" is a lesson every developer learns at some point.
Incredible how an entire company missed that, but I'd put this down to "bosses want this out by DATE? Alrighty..."
It's much easier to learn how not to do this than to answer how to do it!
You cannot rely on the data network, have to cope with all kinds of failure modes and mobile features support. Most companies decide that they will make some attempt to make things secure and live with the risk.
>I guess plenty of people are going to come in here to wave their e-peen and comment on how trivial and obvious this "hack" is, but that's kind of the point. Us developers could learn a lot from this - mainly how not to design any kind of payment app.
Yep, I would add that the unknown programmer that wrote the app very likely thought that it was a very clever approach (and probably he/she has been paid good money to write the app).
I actually came to complain about the silly filler content I had to scroll past that felt like ads were inserted? I just closed the page after I lost the article in the memes.
We had one connected vending machine in the building. Its credit database was on a remote server, so such hacks would not work.
However, if you unplugged its ethernet connector and bought something, then somehow you would get your food/drinks and your transaction was stored into a buffer until the machine went online again.
That buffer being in volatile memory, unplugging the power cord of the machine was enough for it to forget you ever bought something.
The article has an old vibe of hacking articles published in the '90s/'00s (in a good way).
> obviously, it was password protected
Not obvious at all. Last time I checked, WhatsApp or Telegram didn't password protect their database (that was a while ago admittedly). And obviously, it doesn't actually provide that much protection if the key is on the phone, as the article demonstrates.
I don't understand why the vending machine would trust the client to tell it how much credit the user had without first verifying from an upstream centralized db. This is bad design in my eyes...
AFAIK this is how Felica works which is the system for many of the transit systems across the world as well as a payment system built into feature phones since 2005, Android since 5-6 years ago and iPhone since iPhone7 in Japan and 8 everywhere else.
I don't know for a fact that it works without a DB but I do know that they exist in places that don't seem to have access to a DB and they work instantly (no long pause like credit cards).
My initial thought was that this was how the developers were overcoming the potential for network problems. But in that case it would have been a mere cache, so agreed on that it's bad design.
These are the types of things that keep me worrying about self driving cars and if an entire system can be hacked to do the opposite of avoiding obstacles by malicious forces.
Much simpler hardware hacking: slightly bend the control panel and/or the door with a small lever (a coin might be sufficient). On some models, opening the door starts the "admin mode" where you can control each spire, do tests, change prices etc. The sensor for door opening can be fooled by the slight bend, hence allowing you to take whatever you want.
Sure, also lockpicking the door open would work, and if you had the possibility to bring the vending machine home and disassemble/study it you would probably also find another three different ways, what gives?
Still, you would need to perform some "unusual" physical action on the physical machine and you might be noticed by people passing by or by a surveillance cam; this app hack is instead "clean".
And it makes you think about the reliability of any similar app based paying system, in this case it is "their" money[1] that "you" can "steal" (by drinking and eating for free), but what if it was "your" money?
[1] so sooner or later the vending machine firm would notice
Most of these systems are inherently insecure. Tbh, I cannot think of a simple way to make this really secure that doesn't require a somewhat more sophisticated system, especially if you don't want the machine to stop working if network connectivity drops, or servers of the vendor are down. If you come up with a really robust system, you're probably gonna charge quite a bit more than the company offering this system, and I'm pretty sure most customers just don't care or take this seriously.
The other point is that often times these machines that support an app get set up in companies for their employees, where you can be reasonably sure that everyone will play by the rules. We have a coffee machine at work that uses RFID tokens to handle credit with no security or encryption, and it works, even though we're all IT folks. A university with a CS department and its respective students is a different story though. :-)
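The design tension in the post above (the machine must keep vending when the network is down, yet must not believe a balance the phone reports), as an added example that is not the commenter's code nor the vendor's: the vulnerable pattern the thread describes beside one hardened alternative, where the server signs the balance with a key only the server and the machines hold, so a machine can verify it offline. Names, the HMAC scheme and the per-account counter are all assumptions for the example.

```python
import hashlib
import hmac
import json

# Constructed demo secret: held by the vendor's server and the machines, never by the phone app.
MACHINE_KEY = b"constructed-demo-key-do-not-reuse"

def server_issue_token(account: str, balance_cents: int, counter: int) -> dict:
    """Hypothetical server side: sign the balance so a machine can check it without a network."""
    payload = json.dumps({"acct": account, "bal": balance_cents, "ctr": counter}, sort_keys=True)
    tag = hmac.new(MACHINE_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return {"payload": payload, "tag": tag}

def vend_trusting_client(claimed_balance_cents: int, price_cents: int) -> bool:
    """The pattern the thread criticises: the machine believes whatever balance the app reports."""
    return claimed_balance_cents >= price_cents

class Machine:
    def __init__(self) -> None:
        self.last_counter: dict[str, int] = {}  # highest counter already accepted per account
        self.journal: list[tuple] = []          # debits to upload; keep on flash, not in RAM

    def vend_verified(self, token: dict, price_cents: int) -> bool:
        """Accept only a server-signed balance not yet seen here; never a client-chosen number."""
        expected = hmac.new(MACHINE_KEY, token["payload"].encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, token["tag"]):
            return False  # payload edited on the phone: tag no longer matches
        data = json.loads(token["payload"])
        if data["ctr"] <= self.last_counter.get(data["acct"], -1):
            return False  # replay of an older (richer) token on this machine
        if data["bal"] < price_cents:
            return False
        self.last_counter[data["acct"]] = data["ctr"]
        self.journal.append((data["acct"], data["ctr"], price_cents))  # server reconciles later
        return True

def demo() -> dict:
    """Three cases against one machine: genuine token, tampered balance, replayed token."""
    machine = Machine()
    token = server_issue_token("alice", 200, counter=7)
    forged = dict(token, payload=token["payload"].replace('"bal": 200', '"bal": 99999'))
    return {
        "trusting_client_accepts_forgery": vend_trusting_client(99999, 150),
        "genuine": machine.vend_verified(token, 150),
        "forged": machine.vend_verified(forged, 150),
        "replay": machine.vend_verified(token, 150),
    }
```

The per-machine counter only stops replays on that machine; the same token spent on two offline machines is caught when their journals reach the server, which is why the journal has to survive a power cycle.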
On the one hand it's interesting to see the machines get hacked. On the other hand I love living in a country where the machines generally don't get hacked or vandalized because it means we get to have the convenience of more machines.
My favorite vending machine moment in college occurred when the person stocking the soda vending machine forgot to lock it. We all enjoyed free soda and, most impressively IMHO, no one took advantage and tried to take all of the soda for themselves. People just treated it like a refrigerator and would grab a soda when they were so inclined.
Almost felt like security through obscurity. Because this modify-the-app hack was huge for cheating in some games on jailbroken iPhones years back. I would increase my coins and keep playing. I was under the belief developers stopped it years ago by making purchases done server side. So to see that this app does it locally on the device was a big surprise to me and I would have not guessed it possible (in the sense that it would be crazy to ever build a payment app that way as this abuse has been done with games for years).
Curious how the disclosure was handled here. Was it responsible? I can easily see a black market of accounts popping up at this university. It takes a long time to develop hardware stuff, and a month is probably not reasonable to expect changes to be made.
ben1040 | 7 years ago
blacksmith_tb | 7 years ago
innocentfelon | 7 years ago
Still a great article to read.
bluntfang | 7 years ago
Just curious, what does one need to do in order to network with FBI agents and have them divulge what they're willing to charge people with?
maaark | 7 years ago
SmellyGeekBoy | 7 years ago
csmattryder | 7 years ago
lbriner | 7 years ago
jaclaz | 7 years ago
MisterTea | 7 years ago
ZeWaren | 7 years ago
cataflam | 7 years ago
doctorRetro | 7 years ago
What?
curiousDog | 7 years ago
cphoover | 7 years ago
tokyodude | 7 years ago
https://en.wikipedia.org/wiki/FeliCa
ddebernardy | 7 years ago
kkotak | 7 years ago
BuckarooBanzay | 7 years ago
titaniczero | 7 years ago
retSava | 7 years ago
lapinot | 7 years ago
jaclaz | 7 years ago
SmellyGeekBoy | 7 years ago
This approach just makes the "hacker" look like a normal user to the casual observer.
bluedino | 7 years ago
voltagex_ | 7 years ago
turbo_fart_box | 7 years ago
Insanity | 7 years ago
Pretty neat project to undertake. Kudos :D
Robadob | 7 years ago
nullbyte | 7 years ago
iforgotpassword | 7 years ago
danilocesar | 7 years ago
tokyodude | 7 years ago
fatnoah | 7 years ago
14 | 7 years ago
danilocesar | 7 years ago
orev | 7 years ago