How can vending machines be hacked? And how can I prevent it?

When I wrote that comment, I was referring to vending machines in a generalised sense - including things like ticket machines as well as the obvious food-dispensing ones. I was specifically thinking about a model of ticket vending machine at a place I frequent, which has the following interfaces:

• Keypad
• Credit / debit card terminal
• RFID for contactless use of a customer loyalty card, but also for employee override.
• Ethernet cable plugged in the back.
• JTAG port behind the front panel (requires you to unlock the front panel, but it's only a tubular pin lock and can easily be defeated)

So, how might we own such a vending machine? Well, it's got enough interfaces for us to try...

Keypad

The keypad is an interesting vector, but it's unlikely to fall to any form of buffer overflow since there aren't really any buffers involved. At most we might be able to figure out some sort of back-door access code that gets us into a config screen, but it's doubtful.

Credit / debit card terminal

The one near me has an Ingenico i3300 card reader fixed into a recess in the side of the machine. I happen to have one to hand (yay eBay!) and can approach the reverse engineering of it in two ways:

1. Attack the hardware. There's an FCC ID on the device, which I used to pull up the regulatory information from the Office of Engineering and Technology. The FCC deal with emissions testing and a bunch of other stuff, and as part of an application the company must provide detailed documentation of the product, internal and external photos (great for me, since opening the device myself would trip the tamper detect) and other test data. From there, I might discover a weakness in how the card reader detects intrusions, and find a way to open it and mess with the internal firmware. If I screw up, it's not a big deal - I can pick up another for less than £10 on eBay. Alternatively, I could remove the real board and replace it with my own, with an XBee / bluetooth / 802.11x device that transmits card info and pin numbers.
2. Attack the software. There has been a lot of research into this (e.g. PinPadPwn) and many devices are vulnerable to buffer overflows from custom cards. It's possible to program the chips on chip & pin cards to install firmware mods onto a device, simply via putting them in the device as if you were a normal customer. It's then possible to come back later and download card numbers and pins onto another special card. Scary, eh?

RFID

This is a likely source of ownage. It's a bi-directional communications port that allows us to send and receive data that will be directly handled by code on the machine itself, rather than a separate module. A lot of RFID data contains strings and integers, so overflows are likely. We could also take a look at capturing the data from an employee override swipe, which could open up new possibilities to steal stuff from the machine. In order to actually fuzz the device, we'd need to have the vending machine in our possession. This time, I don't happen to have one to hand. The physical possession requirement with such a large bit of kit does give a barrier to entry, but it's possible to get them second hand. A discrete RFID sniffer should be able to record data from live transactions, though, which could be used to replay communications.

Ethernet

When I saw the ethernet cable, I giggled like a script kiddy finding an SQL injection hole. It's trivial to unplug one of these cables and insert a pass-through device to record and alter traffic going to and from the device. You could do this with an embedded device like a Wifi Pineapple. It's low cost and potentially high-yield, because you can monitor and fuzz live devices from a distance. I've got no idea what data is going down those lines, but it'd be fun to find out.

JTAG

If you can get the cover off, the JTAG port is the pinnacle of pwnage. The device is probably an embedded Linux system running on an ARM chip, so getting access to the JTAG gives you full control over the processor and RAM. You'd be able to pull out a memory image (probably containing firmware) and analyse it, and later go back and make changes. If the bad guys can get at your JTAG, you're owned.

---

So, how can you stop this from being attacked? For a large part you can't, but mitigation is an important thing. Here are a few tips:

• Remember that you're dealing with money, and take security precautions as such. Tip sensors on food vending machines aren't useful if a bad guy can turn them off with a magnet, or change the software to avoid the alarm.
• Choose card machine vendors that have a long track history of no security issues, and get some insurance against any failings in that department.
• Lock communications ports down, and have a way to lock any ethernet cables into the device so that they can't be easily replaced.
• Use transport security (e.g. SSL) if you're talking to external devices via TCP/IP.
• If they're network-connected devices, segment them from your internal network. Plugging a device into an ethernet socket is so damn easy.
• Have your software reviewed by a security consultant - especially if you've got RFID or NFC involved.
• Don't use tubular pin locks that can be defeated with a damn pen. Use a proper lock.
• Stay paranoid.

Vending machine hacks, like attacks against any hardware device, are specific to a given manufacturer and model.

As for buffer overflows: any input device (including keypads, etc.) could theoretically be leveraged in such an attack. Whether or not a given model is susceptible would depend on how the machine was built. But older vending machines are simple state machines with no concept of a buffer (or even a CPU), so attacks against that style would probably leverage some other corner case.

The most common attacks against a vending machine involve more physics than computer skills to physically circumvent security measures. Another type of attack leverages certain sensing features to "confuse" the machine as to whether product has been delivered or how many are being delivered. Another type of attack takes advantage of normally-hidden administration features or interfaces to steal product.