How I hacked Vending Machine

In our day's many things trying to be "smart". In that article, I wanna share an interesting story about smart vending machines. In order to use it, you need to register an account and link a credit card. Once I accidentally managed to open the menu of the operating system of one "smart" vending machine screen. It was just basic windows submenu with a swipe from the right of the screen.

Image for post
Image for post

Actually, it was a Windows 10.

Image for post
Image for post

You might think — well what’s wrong with that. What’s the impact of that?
But in fact, with the ability to open the Windows menu opened a huge number of vectors to attack. The user privilege level at this terminal was quite high.

It was possible to:

  1. Install Mimikatz and find out the password when rebooting the terminal for the next login. I did not do this. But it was the simplest and most obvious.
  2. Use the installed TeamViewer application, it was possible to secretly monitor user activity and collect information about taste preferences. I’ve checked this vector of the attack on one of the company’s employees. Data was cached in my TeamViewer session.

3. Install the modification on the fingerprint scanner and collect employee fingerprints. This feature works only for those users who have access to the refrigerator without an identification card. This attack vector was not exploited, but the information from the device list allowed the attack to be executed.

Image for post
Image for post

4. Set the redirection of all traffic in the connection settings. This attack has not been verified. Probably traffic is going over https.
5. Redirect the user to the login page with a corporate/facebook account on the phishing site. The level of trust of that device is high if it's installed in the office. And it is likely that a large number of users will expose accounts as is regularly done on legitimate network printers within the companies.

Reward: 10 Euro


30–11–2018 — Discovered bug, reported to without any technical details.
03–12–2018 — Bug confirmed without having any details about that issue ?!
04–12–2018 — Reported technical details to
11–12–2018 — Bug confirmed and already planned with next updates.
28–01–2019 — Requested update
20–02–2019 — Reported to a new person in again about that issue
28–02–2019 — fixed the bug with new application screen locker
18–03–2019 — Reward amount was transferred to my vending machine card

PS: In the process of checking the amount on my card, I discovered the possibility of an attack on a user through CSRF + XSS vector in the user’s personal account in the web app. Many things could be possible with that attack vector — account information disclosure, account takeover, etc. This situation surprised me greatly. Because that services linked real payment cards with all users accounts.

Image for post
Image for post

Due to the complexity of communication, I tried to find the security engineer of the main company and inform him about the problems existing in the subsidiary company.

This story ended much faster and the total reward for all the problems found was revised.

Reward: 300 Euro Amazon gift voucher


20–03–2019 — Made contact with security engineer in Linkedin from
20–03–2019 — Reported technical details to
20–03–2019 — Bug confirmed.
22–03–2019 — Informed about revising reward and planned fixes.
25–03–2019 — Reward amount was transferred.

Written by

I am a guy passionate about testing and security researching 👨‍💻 →

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store