How I hacked Vending Machine

In our day's many things trying to be "smart". In that article, I wanna share an interesting story about smart vending machines. In order to use it, you need to register an account and link a credit card. Once I accidentally managed to open the menu of the operating system of one "smart" vending machine screen. It was just basic windows submenu with a swipe from the right of the screen.

Actually, it was a Windows 10.

You might think — well what’s wrong with that. What’s the impact of that?
But in fact, with the ability to open the Windows menu opened a huge number of vectors to attack. The user privilege level at this terminal was quite high.

It was possible to:

  1. Install Mimikatz and find out the password when rebooting the terminal for the next login. I did not do this. But it was the simplest and most obvious.
  2. Use the installed TeamViewer application, it was possible to secretly monitor user activity and collect information about taste preferences. I’ve checked this vector of the attack on one of the company’s employees. Data was cached in my TeamViewer session.

3. Install the modification on the fingerprint scanner and collect employee fingerprints. This feature works only for those users who have access to the refrigerator without an identification card. This attack vector was not exploited, but the information from the device list allowed the attack to be executed.

4. Set the redirection of all traffic in the connection settings. This attack has not been verified. Probably traffic is going over https.
5. Redirect the user to the login page with a corporate/facebook account on the phishing site. The level of trust of that device is high if it's installed in the office. And it is likely that a large number of users will expose accounts as is regularly done on legitimate network printers within the companies.

Reward: 10 Euro

Timeline:

30–11–2018 — Discovered bug, reported to Redacted.com without any technical details.
03–12–2018 — Bug confirmed without having any details about that issue ?!
04–12–2018 — Reported technical details to Redacted.com
11–12–2018 — Bug confirmed and already planned with next updates.
28–01–2019 — Requested update
20–02–2019 — Reported to a new person in Redacted.com again about that issue
28–02–2019 — Redacted.com fixed the bug with new application screen locker
18–03–2019 — Reward amount was transferred to my vending machine card

PS: In the process of checking the amount on my card, I discovered the possibility of an attack on a user through CSRF + XSS vector in the user’s personal account in the web app. Many things could be possible with that attack vector — account information disclosure, account takeover, etc. This situation surprised me greatly. Because that services linked real payment cards with all users accounts.

Due to the complexity of communication, I tried to find the security engineer of the main company and inform him about the problems existing in the subsidiary company.

This story ended much faster and the total reward for all the problems found was revised.

Reward: 300 Euro Amazon gift voucher

Timeline:

20–03–2019 — Made contact with security engineer in Linkedin from redacted-main.com
20–03–2019 — Reported technical details to Redacted-main.com
20–03–2019 — Bug confirmed.
22–03–2019 — Informed about revising reward and planned fixes.
25–03–2019 — Reward amount was transferred.