<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	>
<channel>
	<title>Comments on: Security Review: Pop Machines</title>
	<atom:link href="http://cubist.cs.washington.edu/Security/2008/02/11/security-review-pop-machines/feed/" rel="self" type="application/rss+xml" />
	<link>http://cubist.cs.washington.edu/Security/2008/02/11/security-review-pop-machines/</link>
	<description></description>
	<pubDate>Mon, 06 Oct 2008 13:49:39 +0000</pubDate>
	<generator>http://wordpress.org/?v=2.6.2</generator>
		<item>
		<title>By: Chad</title>
		<link>http://cubist.cs.washington.edu/Security/2008/02/11/security-review-pop-machines/#comment-1499</link>
		<dc:creator>Chad</dc:creator>
		<pubDate>Mon, 18 Feb 2008 06:15:21 +0000</pubDate>
		<guid isPermaLink="false">http://cubist.cs.washington.edu/Security/2008/02/11/security-review-pop-machines/#comment-1499</guid>
		<description>Just the other day the chips I bought got stuck between the racks and the glass as they fell, taunting me as they hung precariously above the receiving tray.  As I was looking for ways to get them out, I noticed that the exit hatch was designed so that if you open the main flap to the receiving tray, another flap closes, separating the receiving tray from the merchandise.  As stated in the main review, this prevents people from reaching into the vending machine.  However, I also noticed that on the very edge of the flap, there was a slight gap between the flap and the machine which is enough space for a coat hanger to be inserted.  It would have been easy to make a "U" shape out of a coat hanger, open the flap and insert one branch of the wire horizontally while hanging on to the other branch.  After the flap was closed again, the U could have been rotated so that in my case, the chips could be knocked free.  I decided that this would take too much work considering that shaking the machine would have the same effect.  That being said, if a hook was put at the end of the coat hanger, an adversary could potentially fish out snacks that weren't simply stuck.</description>
		<content:encoded><![CDATA[<p>Just the other day the chips I bought got stuck between the racks and the glass as they fell, taunting me as they hung precariously above the receiving tray.  As I was looking for ways to get them out, I noticed that the exit hatch was designed so that if you open the main flap to the receiving tray, another flap closes, separating the receiving tray from the merchandise.  As stated in the main review, this prevents people from reaching into the vending machine.  However, I also noticed that on the very edge of the flap, there was a slight gap between the flap and the machine which is enough space for a coat hanger to be inserted.  It would have been easy to make a &#8220;U&#8221; shape out of a coat hanger, open the flap and insert one branch of the wire horizontally while hanging on to the other branch.  After the flap was closed again, the U could have been rotated so that in my case, the chips could be knocked free.  I decided that this would take too much work considering that shaking the machine would have the same effect.  That being said, if a hook was put at the end of the coat hanger, an adversary could potentially fish out snacks that weren&#8217;t simply stuck.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: nekret</title>
		<link>http://cubist.cs.washington.edu/Security/2008/02/11/security-review-pop-machines/#comment-1064</link>
		<dc:creator>nekret</dc:creator>
		<pubDate>Sat, 16 Feb 2008 05:10:56 +0000</pubDate>
		<guid isPermaLink="false">http://cubist.cs.washington.edu/Security/2008/02/11/security-review-pop-machines/#comment-1064</guid>
		<description>I almost forgot, in case anyone's interested, here is a list of the IPs that belong to the vending machines in Mercer Hall
128.95.49.176
128.95.49.157
128.95.49.88
128.95.49.14

They likely can only be accessed on campus due to the default port blocking policy.</description>
		<content:encoded><![CDATA[<p>I almost forgot, in case anyone&#8217;s interested, here is a list of the IPs that belong to the vending machines in Mercer Hall<br />
128.95.49.176<br />
128.95.49.157<br />
128.95.49.88<br />
128.95.49.14</p>
<p>They likely can only be accessed on campus due to the default port blocking policy.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: nekret</title>
		<link>http://cubist.cs.washington.edu/Security/2008/02/11/security-review-pop-machines/#comment-1062</link>
		<dc:creator>nekret</dc:creator>
		<pubDate>Sat, 16 Feb 2008 05:06:15 +0000</pubDate>
		<guid isPermaLink="false">http://cubist.cs.washington.edu/Security/2008/02/11/security-review-pop-machines/#comment-1062</guid>
		<description>I think it's also worth mentioning the &lt;a href="http://features.slashdot.org/features/03/04/14/1846250.shtml" rel="nofollow"&gt;Blackboard card scanners&lt;/a&gt; that are installed in all the vending machines on campus. I've noticed that these are all hooked up by ethernet in the residence halls. A quick scan of the local subnet reveals that these things run a telnet server for remote configuration and some other (likely proprietary) service on port 9001. Since the 4 vending machines in my hall are all connected by a switch lying on the ground of the vending room, it would be trivial to set up an ethernet bridge and capture all the traffic to and from the vending machines. Hopefully somewhere along the line you could capture the password to configure the device, at which point you could likely point the vending machine to your own Blackboard transaction server, which would circumvent the usual draw on your meal plan.</description>
		<content:encoded><![CDATA[<p>I think it&#8217;s also worth mentioning the <a href="http://features.slashdot.org/features/03/04/14/1846250.shtml" rel="nofollow">Blackboard card scanners</a> that are installed in all the vending machines on campus. I&#8217;ve noticed that these are all hooked up by ethernet in the residence halls. A quick scan of the local subnet reveals that these things run a telnet server for remote configuration and some other (likely proprietary) service on port 9001. Since the 4 vending machines in my hall are all connected by a switch lying on the ground of the vending room, it would be trivial to set up an ethernet bridge and capture all the traffic to and from the vending machines. Hopefully somewhere along the line you could capture the password to configure the device, at which point you could likely point the vending machine to your own Blackboard transaction server, which would circumvent the usual draw on your meal plan.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: mgklous</title>
		<link>http://cubist.cs.washington.edu/Security/2008/02/11/security-review-pop-machines/#comment-1027</link>
		<dc:creator>mgklous</dc:creator>
		<pubDate>Sat, 16 Feb 2008 03:08:48 +0000</pubDate>
		<guid isPermaLink="false">http://cubist.cs.washington.edu/Security/2008/02/11/security-review-pop-machines/#comment-1027</guid>
		<description>You still haven't told me how to get a free soda!</description>
		<content:encoded><![CDATA[<p>You still haven&#8217;t told me how to get a free soda!</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: alpers</title>
		<link>http://cubist.cs.washington.edu/Security/2008/02/11/security-review-pop-machines/#comment-874</link>
		<dc:creator>alpers</dc:creator>
		<pubDate>Thu, 14 Feb 2008 21:47:05 +0000</pubDate>
		<guid isPermaLink="false">http://cubist.cs.washington.edu/Security/2008/02/11/security-review-pop-machines/#comment-874</guid>
		<description>There's been a publicized method on the internet for 'hacking' the pop machine as well.  Basically, after entering a sequence of buttons on a specific brand of dispensing machine, you can have access to a control panel.  There's a default password of 1234 that is usually never changed, and then the crafty consumer or mob boss can reconfigure the machine - set up different prices, dispense the change, etc.  I believe this has been pretty much phased out, but some of the pop machines remain around campus.  :)</description>
		<content:encoded><![CDATA[<p>There&#8217;s been a publicized method on the internet for &#8216;hacking&#8217; the pop machine as well.  Basically, after entering a sequence of buttons on a specific brand of dispensing machine, you can have access to a control panel.  There&#8217;s a default password of 1234 that is usually never changed, and then the crafty consumer or mob boss can reconfigure the machine - set up different prices, dispense the change, etc.  I believe this has been pretty much phased out, but some of the pop machines remain around campus.  :)</p>
]]></content:encoded>
	</item>
</channel>
</rss>
