How I hacked modern Vending Machines
Indisputably, Vending Machines are objects of cult: delicious morsels for Hackers, always. In the beginning they worked offline with coins only; then NFC key/card models started spreading. If I say “COGES”, I’m sure better times will come to someone’s mind. But… in a bunch of years things changed radically. You get distracted and a moment later find the world superseded by things connected to the internet…
One day I decided to stop seasoning myself in the bat-cave and head to my hometown to get some sunlight, so I went to the University to greet an old professor.
“Let’s go have a coffee!” he said, and we started chit-chatting while walking through the main corridor.
Me: “Let me pay, I have coins!”
Him: “Wait, wait! Let me use the Vending Machine’s App to pay, the coffee will be cheaper.”
BLE + NFC
Brain: “Mmm… virtual wallets are cool stuff. Well…”
Soul: “I dare you to hack into that!”
~$ White Hat inner voice: “just pats on the shoulder if there’s no bug bounty reward”.
~$ Grey Hat inner voice: “ok, I’ll do that for educational purposes only”.
~$ Black Hat inner voice: “c’mon man, let’s screw that HEAP, great Jupiter!”.
Later in that day…
Needless to say, I picked up my dirty rooted Android smartphone, installed the targeted App from the Play Store and dumped the original *.apk to my laptop via adb.
# adb pull /data/app/com.sitael.vending-1/base.apk ./Argenta.apk
I decompiled the *.apk with apktool
# apktool d ./Argenta.apk ./Argenta
and extracted Java sources with jadx
# jadx ./Argenta.apk
First, I made the *.apk debuggable by editing the AndroidManifest.xml file and adding the android:debuggable="true" attribute to the <application> element.
Then, I rebuilt the *.apk
# apktool b ./Argenta
created a new key with keytool
# keytool -genkey -v -keystore Argenta.keystore -alias Argenta -keyalg RSA -keysize 2048 -validity 10000
signed the *.apk with jarsigner using the generated key
# jarsigner -verbose -sigalg SHA1withRSA -digestalg SHA1 -keystore Argenta.keystore Argenta.apk Argenta
lastly, I zip-aligned it to make it runnable
# zipalign -v 4 Argenta.apk Argenta-signed.apk
and I installed the final *.apk
# adb install ./Argenta-signed.apk
I ran the App on the smartphone and started looking at the logs with logcat, filtering them by the App’s package name:
# adb logcat --pid=`adb shell pidof -s com.sitael.vending`
Nothing special found, so I started combing through the source code looking for juicy information.
Looking closer at the AndroidManifest.xml file, I found references to RushOrm.
So, my first keyword search was
Cool. I fired up Root Explorer on the phone looking for the App’s database file.
Found. So I pulled it to my laptop with adb
# adb pull /data/data/com.sitael.vending/databases/argenta.db ./db
and tried to open it with DB Browser for SQLite.
Obviously, it was password protected.
Back to the sources, I looked at the class where I found the methods used to configure the database.
My attention was caught by this line:
this.encryptionKey = getDeviceId(context);
I moved to its definition and…
found that the targeted App used the phone’s IMEI (*#06#) as the encryption key for the SQLite database. The IMEI is a value anyone holding the device can read, so the encryption offered no protection against exactly the person who has the phone: the device owner.
After a couple of seconds of inspection, I opened the relevant table, edited the walletCredit field and wrote the changes;
then I pushed the database with the pumped-up credit back to the phone
# adb push ./argenta.db /data/data/com.sitael.vending/databases/argenta.db
In the meantime, while feeling like “Robin Hood” (a nostalgic and explicit reference to the Age Of Empires cheat code for +1000 gold), I developed an Android utility to quickly dump / restore / tamper with the targeted App’s database on the fly.
Then I went back to my University again to finally test the hack.
From a zero-credit account, I could:
> Inflate the App’s credit.
> Buy stuff.
> Get the remaining credit updated.
> Go back to zero-credit state.
> Inflate the credit again.
> Start over.
A broad inspection of all the reversed sources showed a huge portion of clean, unobfuscated code, which meant no serious counter-measures had been adopted to protect user data or to make the App secure at all.
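As an added example (not the App’s code, and not a replacement for the author’s advice to move the balance server-side), this sketches the minimum a server must check before trusting anything the client stores: the balance is signed with a secret that never leaves the server, and a version counter rejects a restored old dump. The field names, the secret and the HMAC construction are assumptions for this sketch.

```python
import hashlib
import hmac
import json

# Constructed demo secret: it lives only on the server, never in the APK or in the on-device DB.
SERVER_SECRET = b"constructed-demo-secret"


def _canonical(record: dict) -> bytes:
    """Serialize the signed fields deterministically so issue and verify hash the same bytes."""
    fields = {k: record.get(k) for k in ("userId", "walletCredit", "version")}
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def issue_wallet(user_id: str, wallet_credit: int, version: int) -> dict:
    """Server side: sign the balance the client is allowed to cache locally."""
    record = {"userId": user_id, "walletCredit": wallet_credit, "version": version}
    record["mac"] = hmac.new(SERVER_SECRET, _canonical(record), hashlib.sha256).hexdigest()
    return record


def verify_wallet(record: dict, current_version: int) -> bool:
    """Server side: accept a cached record only if it is untampered and not a replayed snapshot."""
    expected = hmac.new(SERVER_SECRET, _canonical(record), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, str(record.get("mac", ""))):
        return False  # walletCredit (or any other signed field) was edited on the device
    # A dump restored after spending still carries a valid MAC, but an old version number.
    return record.get("version") == current_version


def purchase(record: dict, price: int, current_version: int):
    """Server side: authorize a purchase; returns (accepted, new_signed_record_or_None)."""
    if not verify_wallet(record, current_version) or record["walletCredit"] < price:
        return False, None
    new_version = current_version + 1
    return True, issue_wallet(record["userId"], record["walletCredit"] - price, new_version)
```

The version counter is what defeats the dump/restore loop described above; a design that keeps the balance on the server alone needs none of this, because the local copy is then display-only.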
A month ago…
The White Hat inner voice in me picked up the phone and called the company behind this shame to report the vulnerability. I gently suggested that they toss the current architecture and develop a better, secure one from scratch.