Schneier on Security
A blog covering security and security technology.
« Colossus Has Been Rebuilt |
| Gitmo Manual Leaked »
November 19, 2007
Hacking a Soda Machine
An instructional video.
The idea is simple: prevent the machine from completing an action and place it in an error state, and then exploit that state. In this instance, the hacker prevents the machine from dispensing the drink bottle. The machine refunds the money, but the bottle stays on the conveyor belt. Then the hacker purchases a second bottle, and receives them both.
Posted on November 19, 2007 at 1:39 PM
• 49 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
Next week, tune in for how to "hack" a liquor store using only a .357 and ski mask.
This reminds me of a trick to get free drinks at my University a few years ago.
Basically the protocol for using the money from one's student dining accounts for the vending machines went as followed:
1. Machine scans ID
2. Machine checks with central database via ethernet cable to confirm that ID is associated with a Bevo Bucks account, and that the balance is sufficient to cover the cost of a drink.
3. Machine allows customer to make drink selection
4. Machine dispenses drink
5. Machine notifies central database and deducts cost of drink from account balance
6. Machine resets to original state after confirming that message went through.
What people did was unplug the ethernet cable between steps 2 and 3, THEN unplug the machine completely after step 4 so that the machine would not ever send the command to deduct the cost of a drink from the balance. Unfortunately for them, the machines all saved records of such transactions locally, and those who used this trick were eventually caught.
Way back in highschooll one of the soda machines was easy to hack. When you made your selection you would press all the buttons at once several times in rapid succession. Usually about 50% of the time it would error out and dump two to three sodas randomly from it's supply.
The upgraded the soda machine a few months later...
I was talking to our local vending machine operator the other day and they are losing a lot of money due more to "programming errors." Typical problem: Machine accepts a (U.S.) five dollar bill, then dispenses the product and change for a one dollar bill, and finally spits the five dollar bill back out.
Unfortunate, as the vending machine operators make their living on a fairly slim margin.
This is how the hackers of tomorrow will be captured.
Not by some intense analysis of system logfiles and audit trails but by the fact that they're the ones with a big pile of empty 7-Up cans in their wastebasket! :)
Here's an old one. In the few years after Communism fell the Polish Zloty was worth a fraction of a US dollar (in August 1989 when the currency was first freed you could get 20:1 on the street), but the one zloty coin "read" like a US quarter. Use zlotys instead of quarters you paid only about 1/4th as much.
It was quite revealing to hear a vending machine filler knowledgably discuss international finance.
Maybe they will be caught because they post closeups videos of themselves on the Internet?
This reminds me of how I HACKED my garbage service by waiting outside for them to pick it up, then quickly refilling the can and rolling it around the corner for them to pick up again!
Two containers of garbage picked up for the price of one! The error in their protocol is that while the cans are individually serialized, there is no checking done upon pickup for duplicates!
Bruce, I've said it before and I remain respectful, but this kind of chum is not why we're here and interested in what you have to say regarding security :)
I was in Munich some time back for a summer job, staying in a campground used by a lot of other foreign students also on summer jobs.
IIRC there was another low-value Polish coin that read sufficiently like a German 5 Deutschmark coin to fool many cigarette machines. I believe the coin was no longer used in Poland - you might have been able to bring them in to a bank, but not spend them in shops.
Not surprisingly, many people were declining to bring these near-worthless slugs in to the banks, when anyone who was going to Germany could turn them into a backpack full of dirt-cheap cigarettes.
Many years ago when I was a teenager, I went to Italy and ended up bringing back a bunch of 50 lire pieces because they were worth so little the money changers at the airport wouldn't accept them. Delighted I was to find that the machines at the biggest video arcade in my area easily accepted them as tokens.
The question, then, is a what is a cost-effective way to fix this.
@scosol: Nice garbage-sploit! I will h4x0rz my garbage next week. Give Bruce a break. It's clearly been a slow security-news day.
We used to "hack" the incoming-only phone line in college by rapidly clicking the pulse code on the handset switch. It was OK for local numbers with only 6 digits, but the error rate was sufficiently high that trunk calls usually failed. It's difficult to input 9 or 10 clicks (for the numbers 9 and 0) sufficiently fast and not lose count. They eventually changed the line to an exchange-side one way line.
Now, 30 years on, I'm more likely to call it theft of course!
There was a vending machine like this in my apartment building for a long time. If you ordered a drink from rows beneath the height of the dispenser, the belt would jam, the soda would remain at the bottom of the machine, and you'd get your money back. The funniest part about this was that the desirable sodas were all on the bottom, so in order to get, say, root beer, one needed to exploit the machine.
Needless to say, there were many Minute Maid Lite Lemonade bottles stacked around the floor of the vending machine that people simply didn't want after receiving two free sodas.
Looks like a good way to lose a hand.
The vending machine at my workplace "fixes" this by never giving refunds, even when it fails to deliver goods....
Ah, reminds me of when I used to 'hack' the print server in the Engineering college labs.
There was a solitary Apple laser printer for each lab, serviced by an old DEC/ultrix machine as print server. I found out quite accidentally (honest!) that if the postscript job file contained syntax errors, the printer would still print the full job up to the point of the error, but return a "whole job failed" code to the server, so you were never deducted the cost of the pages you'd printed.
So... a judicious bit of garbage text inserted at the right spot in the .ps file, and free print jobs for life (until they upgraded the server and closed the loophole).
I've spent a great deal of time being abused by disfunctional vending machines, laundry machines, etc. I feed them money, they do nothing (or in the case of driers, they spin for an hour, and I come back to find cold wet laundry). Persuading the college to refund is difficult because there is a lack of evidence, and because they probably lose money on the devices from students cheating them.
One morning I saw a vending machine for which the front door had been very carefully removed and left standing beside it.
I'm pretty sure the reason that Carnegie Mellon swapped out the one conveyor-belt machine they used to have is that I know a number of people who would do this regularly. The design of those machines is rather awful.
(I doubt they noticed the missing revenue, but the procedure has a tendency to jam the machines, especially after they turned down the torque on the conveyor belt so the second bottle would just get stuck instead of dispensing.)
New Jersey has this rivalry with New York. New Jersey picked a token for one of their mass transit systems that would operate the old New York City turnstiles, so they had to be replaced.
This guy I use to know got this one from an army pal of his.... You take a nice crisp dollar bill, about 4 feet of packing tape folded over so its not sticky, and attach tape the edge of the bill. Insert bill, it will pause while the machine reads the relevant symbols. When the bill starts to continue feeding in YANK out the bill by the lenght of tape. You get the product and the change. Don't tell anybody else.
Time to filter through when suggesting a link: 10 days. ;)
My original comment: Other than being illegal and immoral, I could imagine such behaviours would be fairly common in schools that have vending machines. The easiest way I can think of to prevent such an attack is to have a "tilt" flag that gets set upon any error condition, thus disabling the machine completely until an authorized service representative arrives. Simply getting the money / number of dispensed drinks tally at the end of the week is insufficient. Placing cameras is both costly and wasteful, and only useful in hindsight.
Pass-cards and complete client/server applications are stupidly complex, not to mention potentially expensive.
> Next week, tune in for how to "hack" a liquor store using only a .357 and ski mask.
Got you beat there. I can hack a liquor store with a baseball bat and a surgical mask. Perhaps a sharp piece of metal and pair of sunglasses next?
This sort of arms race is very boring when the stakes are small. But when you get people who are playing for small change using other people's lives as tokens, that is when it gets interesting from a security point of view.
I mean, threaten to murder someone over $20? Really now? But it happens every day. At its most ridiculous extreme, you get bored guys with AK-47 rifles standing outside the gas station and/or the grocery store. Sometimes they get shot, sometimes they shoot first. Welcome to the developing world.
Add insurgents with bombs and stir. Makes you nostalgic for the punks who knock over the liquor stores.
>Give Bruce a break. It's clearly been a slow >security-news day.
Study the concepts and the applications will take care of themselves.
This is like the informal -yet very informative - serial which always began with the protagonist passing on a coin to a member of the service industry as a tip, but lo; the coin was attached to a piece of string and the protagonist in question retained the coin and still purveyed an air of style. Although why the man in question unflinchingly accepted a tip from a yellow cat in a purple hat and waistcoat always confounded me!
@scosol: It's quite easy to pass over articles which don't interest you.
http://jesus007.free.fr/Prehacking.htm is a French website explaining how to make free phone calls with blue boxes, how to abuse ID-Caller, ...
I found it with the request google with keywords telephone site:free.fr sms ligne japon roumanie, as I was wondering if they were normal non-free phone numbers linked to a free SMS router.
If you want to read English instead of French, go to http://en.wikipedia.org/wiki/Blue_box which also says : "Some of the more famous pranksters were Steve Wozniak and Steve Jobs, founders of Apple Computer."
Back at uni some folks would squirt salt water down the coin slot. The machine would then spit out every single can (over 300). Apparantly you could get a electric shock too so you had to be carefull.
It was fixed in a unusual way. When you squirt them, it releases lots of cans at once. So they put a very strong flap down the bottom, when a few cans came down it would jam. Sometimes you could keep it open, but not often.
Latter they had the electronics potted in epoxy, with moving contacts placed in different locations.
Thats a pretty standard hacking technique (for software at least) to induce some sort of an error (disk full, thumbdrive removed, critical .dll deleted after startup, etc) and exploit poorly written/tested error handlers.
I think a fairly cheap fix for this would be install a webcam and a display. Just have it perpetually display what it sees, so people see their own face in the display as they approach and they will be more honest. Kind of like those radar speed displays (just displays, not actual ticket issuing machines) they move from place to place in residential areas. People actually slow down when they see them, even though the other 358 days per year they intentionally speed in that same area.
I remember in my last workplace they installed a candy vending machine which won't refund the money in such cases. But I used that bug to create a DoS attack on that machine: http://kousik.blogspot.com/2004/07/...
When I was in high school, a coke cost 40 cents in the machine. Two nickels could be hammered thinner but wider so the machine accepted them as quarters. You got a coke, and two new nickels...
I think we only did this for a few weeks, I don't remember if we got bored with the trick or they removed the machine.
in college we had a soda machine that gypped me out of a quarter. we prepped another with super glue and a length of thread, used it to refund my money, and then continued to take out "punitive damages" until the thread broke.
the next day we found a humorous note from the vending machine op, saying, "silly children, that old trick doesn't work anymore." had he bothered to balance his machine, he would have noticed it was about $10 short...
Oddly, shortly after reading this article, I went downstairs to get a soda. Paid my dollar, and two sodas were dispensed instead of one! I guess the previous patron only watched the first half of the video :-)
A friend at my workplace discovered this video not long ago. Out of curiosity I decided to risk my thirst and give it a go.
The same as Alan mentioned several posts up, I lost my money to the vending machine, but whoever got the next drink was probably happy.
Now, stealing is bad, but stealing from your next is even more awful. This is a "hack" only an asshole will perform. If you must steal, at least steal from the big company but not from another user of a vending machine.
On the other hand, in the candy machine at work one time they had allowed some peanut butter cups to melt in the truck prior to installing them (and then resolidify into a disgusting mass). I bought one, it was gross, I placed it in the "this is defective, I want a refund" bin, and a week later I got my $.50 back.
So I bought another one. Same thing. Hmmm, I see a pattern here. So this time, in addition to the note asking for a refund I suggested that the whole stack be replaced or at least examined (palpating the package would disclose the invalid shape within rather quickly). I received a note in return that said he was not allowed to do that by company policy.
So for the rest of the summer, 1ce a week I would buy a package of peanut butter cups, open them, put them (untouched) in the recycle bin, receive my money back and repeat until we went through the entire stack of 20 or so that the machine had been serviced with.
The relevant part:
I suspect profit is an externality to the guy who actually puts the stuff in the machine. In fact I have often postulated that they put unpopular items in the machines just to decrease their own workload.
The fix for this (in the next iteration of the machine) is simple. Whenever the machine errors on a "drink not dispensed" condition, you run the conveyor to a pre-determined point and run the belt backward, dropping the un-vended drink in a holding area for the tech to clear later. You could even set it to re-set the drink back into the vending area (from the rear) to prevent DoS attacks from stuffing the holding bin with a lot of drinks.
I hacked the vending machine at work a few years ago.
The credit was stored on RF smartcards.
If you kept the smartcard a the right distance from the machine where it can barely power it, the machine would dispense beverages but would be unable to debit the card afterwards.
Of course they fixed it by implementing a transactionnal protocol.
good point Andrew 2:
In the video the drink was deemed "out of stock" after the refund, a simple DoS.
several people have 'earned' Darwin-Awards for attempted Vending Machine freebies. Was it accidental that major drink vendors made their soda machines very heavy and unbalanced, likely to tip-over when shaken to get gratis fizzy sugar flavored water?
Of course, at work we accidentally discovered that a torn banknote would pass thru' the reader, credit the machine, yet be returned when the next note was input. It was the vending machine itself that tore the first note, so its likely that it *wanted* to offer free products. s 'security' professionals we tried it a second time to confirm the flaw, then immediately forgot about it as disclosure or use could surely threaten being arrested for DMCA or terrorism
im gonna hack the coke machine @ krogers and change p/w if ican, i bet they take out machine if i do
I have a used Pepsi bottle and can dispensing machine that I bought from a friend of mine. The money box has been removed from this machine but I want it to dispense by just pressing what type of drink you want. (It's in my shop) I have been told it has a by-pass switch but I can't find it. Any help?
I paid for my food at sonic with My AMA card which has no money on it. i dont know if that counts but it worked.=]
Yeah, me and my friend did this once. It only works for a maximum of 3 for 1, i.e. We got 3 drinks with the standard $1.25
A mate told me this trick.
first find a vending machine with the power switch accesible. turn it off then wait for someone to use it. of course it won't won't work but it will chew up their money. when they walk away without checking the power is on, which is very common, switch the machine back on and their credit amount they put in the machine will still be in there. simply press a button to dispense the drink of your choice or press the refund button to get a little "pocket money"
I remember once I was with a friend in elementary school, and he put in a dollar twenty five to order a bottle of flavored water. The machine started spitting all of its change out of the coin return, and gave him his drink. I remember him saying something along the lines of "jackpot" or "I think I won". I wish I could figure out how to make school vending machines do that.
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.