InfoSec Write-ups – Medium–

A somewhat detailed write-up of a thing I did 4000 YEARS AGO

the app showing a discounted Amla Candy priced at ₹1
to know how I got the price down from ₹80 to ₹1, we need to go back a few months

The 3rd of May 2020 “Lockdown Day 40”, inside the campus where I stayed at the time, in Gachibowli, Hyderabad. That night, after the meal, while walking around the campus I saw a smart vending machine on a wireless hotspot and that’s where this story begins.

Where’s the Wi-Fi?!

the vending machine

The vending machine is quite standard, but made “smart” by attaching an android tablet for doing things like accept cashless payment and sending telemetry data. The original inputs are disabled so we can ignore those for this writing. The tablet is running a shopping cart app which keeps inventory of the items and the other stuff I mentioned before. All this while being on a wireless hotspot created by the tablet itself.

Yay! No MAC filters!

Getting out of the app was simple with the usual android gestures. After that I went into the Settings app, got the name of the hotspot and password, successfully connected my phone to it and…

Fing uses their patented tech for device recognition… also they did not pay me to write this!

Did a quick scan of the network with Fing(like I usually do whenever I connect to a network) to get the Wi-Fi(which is the tablet acting as a router) and a Raspberry Pi to control the vending machine.


accessing the web server IP on firefox browser
went to my room and got the laptop for HACKERMAN vibes

Running a port scan on dot1 tells me that port 8080 is open and when I access it from a browser… I get an Android Debug Database page showing me all kinds of information without performing any authentication.

The “No Security by Default” Database

github description of android debug database
open source does not always mean secure

A quick google search pointed me to its GitHub repository, which says this database GUI [directly]interacts with shared preferences of the android environment. Awesome! So, it’s not only fetching data from the memory used by the android app… but I can add or delete stuff too, COMPLETE ACCESS to the database. More specifically…

editing the item prices in database to lower the value
putting these 2 in the same image took me an hour

And as for the Raspberry Pi from earlier, it is running SSH and VNC server on default ports for remote access, viewing sales analytics and managing the device remotely. Both password-protected, which I can have brute forced but it’s a good enough security measure to stop me from cracking it at 12:08 AM.

Internet of Things exists now, and so, basic access control mechanisms and authentication measures must be baked into the application software of these vending machines and other smart home devices, and also turned on by default during setup. This can prevent just about anyone from not only getting into your “smart” fridge and knowing how much yogurt you can consume in a day, but also move to other devices and go full-on Mr Robot on your smart home.

The photos I originally took during this hack were lost. Check my next post here to learn how I got them back.

HOW I HACKED YOUR VENDING MACHINE was originally published in InfoSec Write-ups on Medium, where people are continuing the conversation by highlighting and responding to this story.

View original article on InfoSec Write-ups – Medium

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s