The Art of Hacking Vending Machines
I’m aravind0x7, a cybersecurity enthusiast and OT-IoT researcher. I’m passionate about discovering vulnerabilities in unconventional targets. In this blog, I’ll take you through an exciting journey of hacking vending machines.
Disclaimer: This blog is for educational purposes only. The goal is to understand vulnerabilities in IoT systems and stress the importance of ethical hacking. Always respect the law and use your hacking skills responsibly!
Peeking Into Vending Machines
When you think of hacking, the usual suspects probably come to mind — bank networks, corporate servers, social media accounts. But vending machines? Yes, those toys that dispense snacks and drinks can be part of the hacking adventure, thanks to the rise of the Internet of Things (IoT).
Today’s vending machines aren’t just mechanical snack dispensers. They’re IoT devices, connected to the internet, often relying on communication protocols like MQTT to send and receive data. When these machines aren’t properly secured, hackers can sneak in, as I did.
How Vending Machines Work (The Non-Hacker Version)
Vending machines may look simple, but behind the snack selection lies some pretty cool technology. Here’s a quick breakdown:
- Product Selection: You pick your snack using buttons or a touch screen.
- Payment: You pay using cash, card, or a contactless payment method.
- Product Delivery: The machine checks your payment, and if everything is good, it dispenses your snack.
- Data Communication: Modern vending machines often communicate with a remote server, sending data about inventory levels, payment transactions, and system diagnostics. This is typically done using IoT protocols like MQTT or similar communication protocols.
So what happens if a vending machine’s communication system is exposed to the internet? Let’s find out.
MQTT — The Backbone of IoT Vending Machines
MQTT (Message Queuing Telemetry Transport) is the go-to protocol for many IoT devices, including vending machines, because it’s lightweight and perfect for transmitting small amounts of data. Think of it as a messaging service where devices (like vending machines) send updates to a broker, and subscribers (like servers) receive those updates. To get deep into hacking MQTT, have a look at my past blog.
It’s efficient for vending machines that need to report stock levels or transaction data to a central server without consuming much bandwidth. The only problem? Some machines expose these MQTT communications to the open internet. Without proper security, that’s where hackers like me come in.
Using Censys to Find Exposed Vending Machines
To begin my vending machine hacking journey, I turned to Censys, an incredible search engine for internet-connected devices. It’s like Google, but for finding devices like webcams, industrial control systems, and in this case, vending machines.
With a simple query, I was able to pinpoint exposed vending machines that were using MQTT:
(vending machine) and services.service_name=`MQTT`
Censys returned several results of exposed vending machines, some with authentication enabled, but others completely open to the public internet. It was like hitting the jackpot! From this pool of machines, I identified a few juicy targets that didn’t require any authentication at all.
Reconnaissance with Moxie: My MQTT Recon Tool
Now that I had some potential targets, it was time to dive deeper into what these vending machines were up to. I used Moxie, a tool I built for MQTT reconnaissance and pentesting, which makes it easy to scan, check, and even brute-force MQTT services. You can check out Moxie on GitHub.
One vending machine caught my eye during my recon: this machine had no authentication set up on its MQTT service, making it an easy target.
After running a scan with Moxie, I subscribed to the machine’s topics and found the following:
- Inventory Data: I could see real-time updates on how much stock was left in the machine. Need a soda? I knew exactly which slots were full and which were empty.
- Payment Logs: Every transaction was broadcasted, showing which products were sold and how people paid (cash, card, or contactless). This info, while fun to see, could be a serious privacy concern.
- Health Status: The machine was sending regular system diagnostics — everything from temperature to maintenance needs. This would be gold for an attacker planning a denial-of-service attack or just looking to mess with the machine’s operation.
This wasn’t just about knowing who bought a candy bar — these vending machines were revealing much more than they should, all without any protection. On further pivoting, this can lead to more in-depth exploitation. To put it simply, I can create my own topics — which are simple commands to do a specific task.
You might be wondering why anyone would care about hacking a vending machine. It’s just snacks and drinks, right? But there’s more at stake than meets the eye. As you can see in the MQTT traffic, you can find a lot of exposed sensitive data.
IoT devices like vending machines can be entry points into larger networks. If these machines are connected to corporate infrastructure, a hacker could potentially use the machine to access sensitive company data and customer data. Plus, exposed devices can be used in botnets or DDoS attacks, turning what seems like a harmless machine into a serious threat.
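For operators, the missing authentication described above shows up in the broker's own traffic: a CONNECT packet with no username flag answered by a CONNACK with return code 0. The following is an added example, not part of the original post or of Moxie, that flags such sessions; it assumes MQTT 3.1.1 and unencrypted CONNECT/CONNACK pairs captured at your own broker, and every packet and address in it is constructed.

```python
# Added example (not from the original post); packet bytes and addresses are constructed.
def _remaining_length(buf, pos):
    """Decode MQTT's variable-length 'remaining length' field (at most 4 bytes)."""
    value = 0
    for shift in (0, 7, 14, 21):
        if pos >= len(buf):
            raise ValueError("truncated packet")
        byte, pos = buf[pos], pos + 1
        value |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return value, pos
    raise ValueError("malformed remaining length")

def parse_connect(packet):
    """Extract client id and credential flags from an MQTT 3.1.1 CONNECT."""
    if not packet or packet[0] >> 4 != 1:
        raise ValueError("not a CONNECT packet")
    length, pos = _remaining_length(packet, 1)
    body = packet[pos:pos + length]
    if len(body) != length or length < 12 or body[:7] != b"\x00\x04MQTT\x04":
        raise ValueError("truncated or not MQTT 3.1.1")
    flags = body[7]                               # bit 7: username, bit 6: password
    cid_len = int.from_bytes(body[10:12], "big")  # bytes 8-9 are the keep-alive
    client_id = body[12:12 + cid_len].decode("utf-8", "replace")
    return {"client_id": client_id, "has_username": bool(flags & 0x80),
            "has_password": bool(flags & 0x40)}

def connack_code(packet):
    """Return the CONNACK return code (0 means the broker accepted the session)."""
    if len(packet) != 4 or packet[:2] != b"\x20\x02":
        raise ValueError("not a CONNACK packet")
    return packet[3]

def audit(sessions):
    """Return (source, client_id) for sessions accepted without a username."""
    findings = []
    for source, connect, connack in sessions:
        info = parse_connect(connect)
        if connack_code(connack) == 0 and not info["has_username"]:
            findings.append((source, info["client_id"]))
    return findings

ANON = b"\x10\x13\x00\x04MQTT\x04\x02\x00\x3c\x00\x07probe-1"
AUTH = b"\x10\x26\x00\x04MQTT\x04\xc2\x00\x3c\x00\x07vm-0042\x00\x09telemetry\x00\x06secret"
SAMPLE_SESSIONS = [
    ("198.51.100.7", ANON, b"\x20\x02\x00\x00"),  # anonymous, accepted -> finding
    ("192.0.2.10", AUTH, b"\x20\x02\x00\x00"),    # credentials sent, accepted
    ("198.51.100.9", ANON, b"\x20\x02\x00\x05"),  # anonymous, refused (not authorized)
]
```

Any finding from audit() means the broker is accepting anonymous clients and should be reconfigured to require credentials and restrict topic access.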
Closure Note
Always practice ethical disclosure and never exploit the vulnerabilities you find for malicious purposes.
Hacking vending machines might sound like something straight out of a movie, but with IoT devices everywhere, it’s more real — and more fun — than you might think. Just remember to snack responsibly! Hope you find this blog helpful. Let’s connect: catch me on LinkedIn. Have a great day!