Hacking Vending Machines
Last updated
Last updated
When you think of hacking, the usual suspects probably come to mind โ bank networks, corporate servers, social media accounts. But vending machines? Yes, those toys that dispense snacks and drinks can be part of the hacking adventure, thanks to the rise of the Internet of Things (IoT).
Todayโs vending machines arenโt just mechanical snack dispensers. Theyโre IoT devices, connected to the internet, often relying on communication protocols like MQTT to send and receive data. When these machines arenโt properly secured, hackers can sneak in, as I did.
Vending machines may look simple, but behind the snack selection lies some pretty cool technology. Hereโs a quick breakdown:
Product Selection: You pick your snack using buttons or a touch screen.
Payment: You pay using cash, card, or a contactless payment method.
Product Delivery: The machine checks your payment, and if everything is good, it dispenses your snack.
Data Communication: Modern vending machines often communicate with a remote server, sending data about inventory levels, payment transactions, and system diagnostics. This is typically done using IoT protocols like MQTT or similar communication protocols.
So what happens if a vending machineโs communication system is exposed to the internet? Letโs find out.
is the go-to protocol for many IoT devices, including vending machines, because itโs lightweight and perfect for transmitting small amounts of data. Think of it as a messaging service where devices (like vending machines) send updates to a broker, and subscribers (like servers) receive those updates. To get deep into hacking MQTT, have a look at this p post.
Itโs efficient for vending machines that need to report stock levels or transaction data to a central server without consuming much bandwidth. The only problem? Some machines expose these MQTT communications to the open internet. Without proper security, thatโs where hackers like me come in.
With a simple query, we were able to pinpoint exposed vending machines that were using MQTT:
To begin vending machine hacking journey, we turned to , an incredible search engine for internet-connected devices. Itโs like Google, but for finding devices like webcams, industrial control systems, and in this case, vending machines.
Now that we had some potential targets, it was time to dive deeper into what these vending machines were up to. we used Moxie, a tool built for MQTT reconnaissance and pentesting, which makes it easy to scan, check, and even brute-force MQTT services. You can check out Moxie on .