🦸
PEN TESTING BOOK
  • 📘PENETRATION TESTING BOOK
  • ☮️PENTESTING PROCESS
    • 1️⃣Pre-Engagement
    • 2️⃣Intelligence Gathering / Reconnaissance
    • 3️⃣Threat Modeling
    • 4️⃣Vulnerability Assessment
    • 5️⃣Exploitation
    • 6️⃣Post-Exploitation
    • 7️⃣Reporting
  • 🪟Windows Privilege Escalation
    • 🛠️Windows Exploit Suggester
    • 🏄‍♂️Windows-Privilege-Escalation
  • 🐧Linux Privilege Escalation
    • 🏄‍♀️LInux-Privilege-Escalation
  • 🐧Linux Exploit Development Tools
    • 🔧Exploit Development Tools
  • 🕸️Web Application Pentesting
    • 📈graphql injection
    • 🐱cross site scripting
    • 💉Command Injection
    • 🗃️file upload vulnerability
    • 🍶flask
    • 🦕idor
    • 📂local file inclusion
    • 🚛Sensitive Data Exposure Cheat Sheet
    • 🐴wordpress pentesting
    • ❌xxe attack
    • 🔓Authentication Bypass
    • 🕸️Webshells
    • 🏂SSRF
    • 🐈‍⬛Git Exposure
    • ✖️XSS WAF Bypass
    • XPath Injection
  • 🔁Reverse Engineering
    • 🐲intro to ghidra
  • 🦹‍♂️Network Pentesting 101
    • ☢️Router Setup
      • Vyatta Router VM Setup Guide
    • 🔢Enumeration
      • 22, 161, 162 - SSH, SNMP
    • 🧙Brute Force Attacks
      • Brute Forcing Cheat sheet
    • 🛂Post Exploitation
    • Firewall Pentesting
  • 🔅Internet of Things
    • 📳Enumerating IoT Devices
    • 😷Dissecting Embedded Devices
    • 👨‍💻Exploiting Embedded Devices
    • 🎮Dynamic Analysis with Emulation
    • ☮️Firmware Analysis
      • Firmware Analysis
      • Bootloader testing
    • Drone Pentesting
      • Common Attacks
      • Threat Categories
    • Hacking Vending Machines
  • 🚔Automotive Pentesting
    • 🔌Virtual CAN
      • Dump Traffic
  • 🗳️Container Pentesting
    • 🐳docker pentesting
    • 🐋docker container escape
    • 🐋Docker CVE's
    • ☸️kubernetes pentesting
  • 🌆SMART CITY PENTESTING
    • ♾️Protocols
      • LoRa-WAN
  • 🪦ACTIVE DIRECTORY PENTESTING
    • 🌌Active Directory Post Exploitation
  • ☄️Command and Control
    • 🌩️C2 In The Cloud
    • 🔁C2 HTTP Redictor
    • ☸️Havoc C2
    • ⛎Sliver C2
  • 🦋PENTESTING CISCO DEVICES
    • 🔦Cisco-Torch : Enumeration
    • 🔓Password Attack (Type 5)
  • RED TEAMING
    • 🦕Initial Access
      • ⚔️Weaponization
Powered by GitBook
On this page
  • Introduction
  • How Vending Machines Work
  • MQTT Protocol
  • Using Censys to Find Exposed Vending Machines
  • Reconnaissance
  • REFERENCES

Was this helpful?

  1. Internet of Things

Hacking Vending Machines

Introduction

When you think of hacking, the usual suspects probably come to mind — bank networks, corporate servers, social media accounts. But vending machines? Yes, those toys that dispense snacks and drinks can be part of the hacking adventure, thanks to the rise of the Internet of Things (IoT).

Today’s vending machines aren’t just mechanical snack dispensers. They’re IoT devices, connected to the internet, often relying on communication protocols like MQTT to send and receive data. When these machines aren’t properly secured, hackers can sneak in, as I did.

How Vending Machines Work

Vending machines may look simple, but behind the snack selection lies some pretty cool technology. Here’s a quick breakdown:

  • Product Selection: You pick your snack using buttons or a touch screen.

  • Payment: You pay using cash, card, or a contactless payment method.

  • Product Delivery: The machine checks your payment, and if everything is good, it dispenses your snack.

  • Data Communication: Modern vending machines often communicate with a remote server, sending data about inventory levels, payment transactions, and system diagnostics. This is typically done using IoT protocols like MQTT or similar communication protocols.

So what happens if a vending machine’s communication system is exposed to the internet? Let’s find out.

MQTT Protocol

MQTT (Message Queuing Telemetry Transport) is the go-to protocol for many IoT devices, including vending machines, because it’s lightweight and perfect for transmitting small amounts of data. Think of it as a messaging service where devices (like vending machines) send updates to a broker, and subscribers (like servers) receive those updates. To get deep into hacking MQTT, have a look at this pblog post.

It’s efficient for vending machines that need to report stock levels or transaction data to a central server without consuming much bandwidth. The only problem? Some machines expose these MQTT communications to the open internet. Without proper security, that’s where hackers like me come in.

Using Censys to Find Exposed Vending Machines

To begin vending machine hacking journey, we turned to Censys, an incredible search engine for internet-connected devices. It’s like Google, but for finding devices like webcams, industrial control systems, and in this case, vending machines.

With a simple query, we were able to pinpoint exposed vending machines that were using MQTT:

(vending machine) and services.service_name=`MQTT`

Reconnaissance

Now that we had some potential targets, it was time to dive deeper into what these vending machines were up to. we used Moxie, a tool built for MQTT reconnaissance and pentesting, which makes it easy to scan, check, and even brute-force MQTT services. You can check out Moxie on GitHub.

REFERENCES

  • https://medium.com/@aravind07/the-art-of-hacking-vending-machines-2b65e34519ea

PreviousThreat CategoriesNextVirtual CAN

Last updated 4 months ago

Was this helpful?

🔅