First of all, I want to state that this issue was reported to a facility representative.
I was recently back in California again, and I had some laundry I had to take care of at the hotel (more on this next week). Laundry, being the mindless task it is, gave me some time to watch Apetor on YouTube. I laughed a bit, then noticed a Coke machine. I was down, but sadly it was empty:
It was also powered down and… unlocked. This presents an interesting situation since newer machines have a really sweet communication protocol called Multi-Drop Bus (MDB). This is the nervous system of the machine. (I actually ran a vending business for a year, which I wouldn’t recommend getting into.) MDB is what allows the bill validator and coin counter to notify the control board that cash was inserted and change was made, as well as what sets product prices and tracks dispenses. On this machine, there also exists a card reader. I cannot speak to how card numbers are transmitted to the radio (whether this hits the MDB bus or not); however, it would be trivial to emulate this. As a matter of fact, there exists a cheap CAN Bus shim that enables plug-and-play odometer fraud that you can buy on eBay. So, it is easy to conceptualize how this is relevant here too.
This vending machine was emptied (no product or currency that I spotted); however, the company should have gone further by keeping their assets locked down to prevent the addition of components that could easily:
- Modify inventory records
- “Test Dispense” products
- “Test Dispense” coin returns
- Modify product prices
- Potentially MitM credit card data (I cannot verify this is true, but I also cannot verify it isn’t)