Stunning Snacks

by lowtec

Stunning Snacks

Vending machines are very interesting and can range from purely mechanical to modern computer controlled devices. These machines that provide drinks, snacks, newspaper, cigarettes, copies and other services (you could consider an arcade game or a payphone a vending machine for providing services) have been the target of many attacks since their introduction into society. While the main objective of most of these attacks is to obtain free goods, services, or money from the machines, there are many more interesting things to be discovered, such as debug menus and status reporting functions. Here I’ll make a very brief summary of most of the security issues with vending machines that I have read about or seen. Be warned that by trying any of these methods on a machine that is not yours, without permission will get you into trouble. I do not condone or approve of stealing from vending machines.

First there is the use of slugs, or coins on a string. I’m sure this worked at one time or another, but today’s machines are more advanced and coins must pass tests based on weight, shape and size; coins with a string attached to them won’t roll properly or pass through trap doors. Creating a slug the same weight, shape, and size as a coin seems like a lot of work and doesn’t seem practical. There are some foreign coins which are very similar to US currency which could be used, and I’m sure you could find a website that provides comparison charts (this, as following methods is probably covered under counterfeiting laws). This method is possible but seems a little far fetched unless you have a collection of Indochina pennies or something.

Then there is the similar dollar bill tape method which although it has been known to work, requires a strong dollar and the tape must be very near the trailing edge of the bill for new machines. I have heard that you need a very long (and strong) piece of tape on new machines and they are quick to reject bills if the alignment is even slightly off. Scanners on the machine need to be able to recognize the bill so tape can not be covering any of the printing on the bill. This method seems shoddy at best and you have to carry around your taped up dollar which would be very suspicious.

Another method involves short circuiting the machine by squirting conductive fluid, usually salt water into the machine through any openings, usually the bill or change slot. In unprotected machines, this would cause unpredictable results which might include spitting out a coke or whatever the machine is dispensing. Also sensitive electronic components of the machine would probably be destroyed. In new models this problem has been fixed by shielding all sensitive exposed contacts. Some people will try to tell you that this will make the machine spit out bills, and while I have not tried this, it seems impossible because the bills, like the change are stored in a box which only allows coins and cash to enter (unless the machine makes change in which case there is most likely a separate ‘bank’ of coins for making change). The coin box on most vending machines has an extra level of security so that the coins are never exposed once inserted into the machine. If you have ever seen a parking meter being emptied there is a metal case that is pulled out and must be inserted into the large collection safe and twisted in order for the coins to be collected. The main reason for this extra level of security is to prevent theft by employees. Using salt water is an easy method, but is becoming obsolete and is messy.

An interesting method that I haven’t confirmed is manipulating bills by putting the Mylar strip from a five (or higher) dollar bill on a one dollar bill, using the one dollar bill in a machine and spending the five dollar bill at a register (most cashiers won’t check for the Mylar strips). This has been rumored to work on some change machines seen in arcades. Manipulating US currency like this is most certainly illegal and could get you in trouble with the Secret Service (yes, they handle counterfeiting, credit card fraud, and protect the president). Anyway, just using the strip for verifying the denomination of the bill seems like a weak security system, not to mention it would be difficult to get that little thing out and attach it to another bill (maybe use superglue?).

Color photocopying, or possibly even a black and white copy of a bill could work on old machines; again I haven’t tested this because reproducing currency is illegal except when it is ridiculously out of scale and one sided. However, as any counterfeiter will tell you, matching the paper used is the hardest obstacle to overcome when printing fake money. Also, machines that use scanners to check for the Mylar strips will probably not be fooled by a copy.

A less well known method of getting free games at arcades is to take any coin (usually a penny) and flicking it up through the change return slot. I heard about this method from the temple of the screaming electron (http://www.totse.com), and while I can’t say that I understand why this would work, I haven’t had the chance to look inside an arcade game. The article also suggested banging your knee into the coin box for free credits (ouch!). I have tried flicking pennies up the change return slot with no luck, but I did notice that there are ‘bumps’ on the back of the change return area that probably were there to prevent me from doing just that.

One more method I found while browsing through the temple of the screaming electron is cutting a piece of aluminum foil to the same size as a dollar bill and inserting it shiny side up. The author says that this may cause the laser to be reflected onto the template the machine uses to compare any bill to. I haven’t been able to test this, but I am doubtful that it will work because I think the scanner the machine uses counts on certain areas of the bill to be reflected (light and dark areas) and then compares those areas to its stored copy. Also, what if the machine accepts $1 and $5 bills? This is something to look into.

You’ll notice all of these attacks are non invasive and require almost no special equipment to carry out. It is trivial to break into one of these machines with the proper set of tools; that is not what is being addressed. Also you’ll notice I’ve left out lock picking mainly because it requires special skills and tools, although when considering security it should not be overlooked. Without a strong lock, a thief could easily saw through or chisel off a lock. Each situation demands its own security analysis, for example snack machines could be tilted forward to dump all their snacks if they are not bolted to the wall.

[I will say one quick thing about lock picking; some people have suggested getting some kind of quick drying clay and forcing it into the keyhole for a tubular key saying that this will give an impression of the key. Whoever said this has no clue about how locks work. The clay would get an impression of all 7 or 8 pins (depending on the lock); no information about the key could be obtained. But, with the right tool (a tubular lock pick) tubular locks are very simple to pick. But that is another article....]

On to the very shocking exploit that gives this article its name. While most vending machine manufactures have at least taken some aspect of preventing fraud into their design, few have done much shielding of electrical contacts on the keypad, most are concentrated around the money collection areas, and even those have been fairly recent improvements. I must give credit to Adrian Lamo for informing me of this exploit. It is possible to use a normal self defense stun gun to cause some machines to make sporadic electrical connections which can yield unpredictable results, including the machine vending its product. The machines which are most notably vulnerable are the snack machines with the flush clear-button keypad. Holding a stun gun up to the keypad firing it, and moving it around usually causes the machines to vend several snacks. This exploit is probably not unique to only snack machines, but by manipulating voltage levels and using sparks to close gaps that control vending operations. Similar results could probably be obtained by using other devices such as a HERF or EMP device. This is a working exploit, at least on some machines, very easy to carry out, although it does require some special equipment and determination. However, stun guns are easily obtained through internet orders, or schematics can be found online.

People have become extremely lazy with all of our great technology these days and they want to be able to know how what their vending machine is up to without having to go check the cash box. Computers in vending machines can dial up to the internet (or connect through a network) and email their owners all the information they could ever want (amount and type of product sold, product remaining, money in machine, usage statistics, etc). Sometimes menus like these are available locally through a special combination of buttons, with a key, or with special hardware. One widespread example is on most Coca Cola ® machines by imagining the button on top to be #1 and numbering down (or across on new machines) then press the buttons in order - 4, 2, 3, 1, a menu system will come up on the 4 character display that allows you to view some information about the machine (credit to ch0pstikninja from the phonelosers.com forums). Once you have accessed the menu system you can navigate through it using the buttons as follows 1 – previous menu, 2 – up, 3 – down, 4 - enter. Now some people will say, “Ok, so how do I use that to get free cokes?” the answer is, you don’t. It’s just a neat little menu that was hidden from you before. As one of the posters to the phone losers’ forum said, this could be useful to thieves deciding if a machine is worth breaking into. Note that this should work on all machines made by Coca Cola ® (Fruitopia ©, Dasani ©, etc). Similar menus can be found on many other machines with a quick Google™ search, a call to the manufacturer, or some smart finger hacking (try patterns, etc.).

One particularly interesting feature present on some machines (usually at universities) is a card based accounting system. Machines that use some sort of card access whether it is magnetic stripe cards, smart cards, or some other proprietary identification / accounting method can be very fun to play with. Some people may be familiar with the Campus Wide system that Acidus and Virgil were prevented from giving a talk about at interz0ne. These systems are almost always wide open, although they do require some technical knowledge to exploit.

Playing with vending machines can be fun and occasionally rewarding, but be considerate to others and don’t damage the machines; leave them as you found them. After you’re finished playing with a debug or admin menu, return the machine to normal mode. Some machines will go back to normal mode after a minute or two but just be sure. Use good judgment when exploring and have fun.

©2004 DIG Magazine || Terms
DIG Magazine: #1

Into the Underground
Into the Underground
by lowtec
Explorations in Connected Technologies
Explorations in Connected Technologies
by Astral
An Analysis of Smartcards
An Analysis of Smartcards
by lowtec
Thoughts on EZ Pass / Speedpass
Thoughts on EZ Pass / Speedpass
by lowtec
Explicit Anarchy
Explicit Anarchy
by Dreg Nihilist
Stunning Snacks
Stunning Snacks
by lowtec
Scan of 1-800-326-XXXX
Scan of 1-800-326-XXXX
by NO CARRIER
Buffer Overflow Challenge
Buffer Overflow Challenge
by matrix
Conscience of a Hacker
Conscience of a Hacker
by the Mentor
DIG #1