This reminds me of how in the '90s my university gave out smartcard student IDs that had a little cash account on them for vending machines and dorm laundry rooms.
They installed readers into the soda machines, and they put a central panel in each laundry room with a reader and a keypad for you to indicate which washing machine you wanted to activate.
We found out that the vending machine hardware would query the card before selling you an item, but wouldn't debit your account until dispensing it, in case the vend failed. If you timed it just right and removed your card after it was interrogated but before the item dropped, you'd get it for free.
The smartcard project was only a 2-year evaluation and the university decided to move away from it, so the smartcard company came and took away all their hardware.
When they did this, they took the panel down out of the laundry rooms, but did not fully clean up the wiring coming out of the back of each washing machine. One of my roomates got curious and discovered shorting the leads of that wiring to a battery would mimic the signal the smartcard panel would use to tell the machine it's been "given" a quarter. Do that 3x and you got a 75 cent wash for free.
Real-world race condition! In the same period I remember the copiers in my college library would debit their magstripe cards about 1-2 seconds after the 'copy' button was pressed. A frugal / amoral user could easily eject the card, reinsert, copy the next page, eject, reinsert...
Val Kilmer did the same thing to a coffee vending machine in the movie Real Genius.
Instead of using Android, he used a freezer and a small hacksaw to section off coin-sized slugs from a frozen rod.
Have to give the points to Kilmer’s character because in addition to doing it first, his crime left almost no trail and didn’t come with felony exposure (most juries would not believe ice slugs are counterfeiting)
Making a daily habit of getting free hacked coffee could result in felony convictions and imprisonment in many countries for violating electronic data laws. I know FBI agents happy to bring charges for matters this trivial. This is where they’d rather spend their time instead of pursuing big league criminals.
Be very unlucky. Then the networking happens against your will.
The divulging comes in the form of an indictment, or, if you decide your integrity is not for sale and you turn down a plea offer, multiple days of hearings, trial, and sentencing.
I guess plenty of people are going to come in here to wave their e-peen and comment on how trivial and obvious this "hack" is, but that's kind of the point. Us developers could learn a lot from this - mainly how not to design any kind of payment app.
"Never trust the client" is a lesson every developer learns at some point.
Incredible how an entire company missed that, but I'd put this down to "bosses want this out by DATE? Alrighty..."
To be fair, I'm sure the amount of money lost to people hacking vending machines by reverse engineering APKs is far smaller than the cost of getting every machine a network connection to a central server
But the benchmark this system was compared to was already a trust-the-client system : coin payments! I'm sure you can defraud coin-op machines, it's just not easy or common enough to worry too much about.
It's my impression that consumer payment systems operate on a good-enough principle. Being fraud-proof is not the goal, the goal is not to spend more on security than you are preventing in fraud.
By adding the element of a mobile device to verify the transaction it changes the dynamic here. There are protections and precautions to verify against fraudulent currency performed within the machine. The implied here is that there is no verification or protection (by means of storing values local rather then remote). In a system where there is transactional data / values stored, the default should be to have the data stored and housed within a protected system. IE central server that a simple app queries with API calls vs a database walled on a phone.
The same principles often come into play with online games and cheating, yet constantly developers make the same mistakes.
Although modern credit card now have a kind of local storage that's used to pay for small amounts of money without querying the server (at least in europe). That may have deceived the developer of that app into thinking it was doing approximately the same.
You've always been able to accept a credit card without online authorization. If you've used credit cards for long enough, you've seen the carbon copy charge slips. Magstripes (or keying in the card number) works offline too, and chip cards have an offline mode. The merchant fees are higher when you run cards offline, and the risk of having a charge declined is higher too.
I'm guessing the reason they're doing a stored value system is because the per transaction part of the merchant fees is too high for vending machine coffee, getting a larger deposit as one transaction helps a lot with that (although, apparently not enough to hire people who know not to trust clients)
>"Never trust the client" is a lesson every developer learns at some point. Incredible how an entire company missed that, but I'd put this down to "bosses want this out by DATE? Alrighty..."
Can you clarify?
It sounds like the responsability for having designed an insecure app is of the people that asked the programmer/sofware house to write it[1]?
[1] and as said very likely paid good money for it ...
Never trust the client of a client-server system (not the client that hired the programmer). The server needs to own the truth. He was able to hack the app because the wallet was stored locally.
I've seen far too many projects where security/usability/accessibility is compromised because a project manager with limited technical qualifications decides that a time-frame is much more important than these features, and the programmers just have to get XYZ built to release for the date.
Isn't it up to you to make absolutely sure that PM knows what they are risking by pushing that deadline? Maybe they understand the tradeoff already. If they don't, make sure they do.
Sadly, when you tell that type of PM things that he doesn't want to hear, you get pegged as "not a team player" and either marginalized or sometimes fired.
It's much easier to learn how not to do this than to answer how to do it!
You cannot rely on the data network, have to cope with all kinds of failure modes and mobile features support. Most companies decide that they will make some attempt to make things secure and live with the risk.
>I guess plenty of people are going to come in here to wave their e-peen and comment on how trivial and obvious this "hack" is, but that's kind of the point. Us developers could learn a lot from this - mainly how not to design any kind of payment app.
Yep, I would add that the unknown programmer that wrote the app very likely thought that it was a very clever approach (and probably he/she has been paid good money to write the app).
I actually came to complain about the silly filler content I had to scroll past that felt like ads were inserted? I just closed the page after I lost the article in the memes.
We had one connected vending machine in the building. Its credit database was on a remote server, so such hacks would not work.
However, if you unplugged its ethernet connector and buy something, then somehow your would get your food/drinks and your transaction was stored into a buffer until the machine went online again.
That buffer being in volatile memory, unplugging the power cord of the machine was enough for it to forget you ever bought something.
The article has an old vibe of hacking articles published in the '90s/'00s (in a good way).
> obviously, it was password protected
Not obvious at all. Last time I checked, WhatsApp or Telegram didn't password protect their database (that was a while ago admittedly). And obviously, it doesn't actually provide that much protection if the key is on the phone, as the article demonstrates.
Yeah seasoning in italian never means “adding spice to some food” but only “keeping it in a cold/dry place and wait for it to be ready“ (usually months, sometimes years).
I don't understand why the vending machine would trust the client to tell it how much credit the user had without first verifying from an upstream centralized db. This is bad design in my eyes...
AFAIK this is how Felica works which is the system for many of the transit systems across the world as well as a payment system built into feature phone since 2005, Android since 5-6 years ago and iPhone since iPhone7 in Japan and 8 everywhere else.
I don't know for a fact that it works without a DB but I do know that they exist in places that don't seem to access to a DB and they work instantly (no long pause like credit cards).
It works without a DB as far as I know, and there are handful incidents where people knowingly blocked a connection to the payment system to charge the card with no money spent. Primary security measures against fraudulent transport cards had been blacklisting, which seems to work well enough as there are not much hacked cards.
My initial thought was that this was how the developers were overcoming the potential for network problems. But in that case it would have been a mere cache, so agreed on that it's bad design.
These are the types of things that keep me worrying about self driving cars and if an entire system can be hacked to do the opposite of avoiding obstacles by malicious forces.
Is there any duty of care for the vending machine software vendor towards the owners of the vending machines? Are they not playing the role of a virtual clerk that allows shoplifters to walk out of the store unchallenged whenever they yell out "It's okay; I've already paid for this!"?
It's worth stealing a $1 coffee to expose the extreme negligence behind the virtual clerk software. The software is essentially turning the vending machine into an honor box, and presumably the owner of the machine actually wanted proof of payment before vending anything, or they wouldn't have bought the machine. They could have put up a mains-powered samovar with a coin box bolted to it and a sign reading "1 euro per coffee. Call (+39) 355 5555555 to report problems."
It's not even clear to me who is being stolen from. How does Argenta determine how much they are to pay the machine owner? How do they determine how much to pay the machine servicer? If Argenta pays for the coffee, and the owners and servicers are unharmed, potential theft of coffee becomes an incentive to repair their software. Otherwise, you'd just be screwing some vending machine operator whose only failing was to trust Argenta over a dumb(er) coin and note validator.
Much simpler hardware hacking: slightly bend the control panel and/or the door with a small lever (a coin might be sufficient). On some models, opening the door starts the "admin mode" where you can control each spire, do tests, change prices etc. The sensor for door opening can be fooled by the slight bend, hence allowing you to take whatever you want.
Sure, also lockpicking the door open would work, and if you had the possibility to bring the vending machine at home and disassemble/study it you would probably also find another three different ways, what gives?
Still, you would need to perform some "unusual" physical action on the physical machine and you might be noticed by people passing by or by a surveillance cam, this app hack is instead "clean".
And it makes you think about the reliability of any similar app based paying system, in this case is "their" money[1] that "you" can "steal" (by drinking and eating for free), but what if it was "your" money?
[1] so before or later the vending machine firm would notice
Yeah, I pictured the victim too. A friend of mine owned vending machines. He paid rent for each location, and any loss of product came from his own pocket. Similarly, I remember reading a letter to my local newspaper by a woman whose husband managed the newspaper vending machines. She pleaded for people to stop taking extra copies, because her husband had to pay for them. I always thought the newspaper ran those machines, but they're serviced by independent contractors here.
Speaking as a millennial, millennials as an age group have a lot to do with it. Have you actually communicated in writing with people of varying age groups? It's blatantly obvious to anyone with "millennial" / "Gen Y" (loosely: born after 1985) family or friends that emoji use is heavily driven by younger users.
Although I grant you that plenty of baby boomers (and even older folks) do in fact use emojis, you can't seriously be arguing that they do so more than younger generations?
I would love to see some actual research on this. I have a completely untested theory, purely based on direct observation of my own friends and family, that the people who use emojis the most are those with the lowest writing skills. If that turns out to be true then emojis are in fact exacerbating the problem, because it doesn't much matter if my mother uses emojis instead of learning to spell, but I'd be very concerned if my daughter did.
Most of these systems are inherently insecure. Tbh, I cannot think of a simple way to make this really secure that doesn't require a somewhat more sophisticated system, especially if you don't want the machine to stop working if network connectivity drops, or servers of the vendor are down. If you come up with a really robust system, you're probably gonna charge quite a bit more than the company offering this system, and I'm pretty sure most customers just don't care or take this seriously.
The other point is that often times these machines that support an app get set up in companies for their employees, where you can be reasonably sure that everyone will play by the rules. We have a coffee machine at work that uses RFID tokens to handle credit with no security or encryption, and it works, even though we're all IT folks. A university with a CS department and its respective students is a different story though. :-)
On the one hand it's interesting to see the machines get hacked. On the other hand I love living in a country where the machines generally don't get hacked or vandalized because it means we get to have the convenience of more machines.
My favorite vending machine moment in college occurred when the person stocking the soda vending machine forgot to lock it. We all enjoyed free soda and, most impressively IMHO, no one took advantage and tried to take all of the soda from themselves. People just treated it like a refrigerator and would grab a soda when they were so inclined.
Almost felt like security through obscurity. Because this modify the app hack was huge for cheating in some games on jail broken iPhone years back. I would increase my coins and keep playing. I was under the belief developers stopped it years ago by making purchases done server side. So to see that this app it is done locally on the device was a big surprise to me and I would have not guessed it possible(in the sense that it would be crazy to ever build a payment app that way as this abuse has been done with games for years)."
Curious how the disclosure was handled here. Was it responsible? I can easily see a black market of accounts popping up at this university. It takes a long time to develop hardware stuff, and a month is probably not reasonable to expect changes to be made.
Sorry didn't mean it negative. But "hacking a vending machine" sounded much more like touching the real hardware.
Teaches an important story about app security, in any case.
I really mean baseline is just getting higher among devs, that wasn't case before the smart phones were that popular (ive read your comment as 'challenge' is there, not negative)
I bet you complain about build videos on YouTube too? "Come on, people have been building tables like this for millennia" not stopping to think that there are people without the skills to or that want to learn how to, or that can be shown a different way of thinking about an object via a well worded, easy-to-follow essay and guide on how they did their not-cutting-edge research?
They installed readers into the soda machines, and they put a central panel in each laundry room with a reader and a keypad for you to indicate which washing machine you wanted to activate.
We found out that the vending machine hardware would query the card before selling you an item, but wouldn't debit your account until dispensing it, in case the vend failed. If you timed it just right and removed your card after it was interrogated but before the item dropped, you'd get it for free.
The smartcard project was only a 2-year evaluation and the university decided to move away from it, so the smartcard company came and took away all their hardware.
When they did this, they took the panel down out of the laundry rooms, but did not fully clean up the wiring coming out of the back of each washing machine. One of my roomates got curious and discovered shorting the leads of that wiring to a battery would mimic the signal the smartcard panel would use to tell the machine it's been "given" a quarter. Do that 3x and you got a 75 cent wash for free.