Hacking vending machines has been around a long time–remember those globe candy machines? One method of absconding with the goods from this type of vending machine relied on Scotch tape or already-chewed gum. The tape or gum was stuck to the coin destined for the candy machine. If everything went right, the coin would stay in place, and several pieces of candy or gum could be had by carefully rocking the crank back and forth.

As vending machines become more intricate so have the hacks, except for the “brute-force” approach. That’s where someone–usually an irate customer deprived of their purchase–violently rocks the machine until what they are after drops out of the screw mechanism and can be jimmied out of the swinging door near the bottom.

Needless to say, that approach tends to draw attention to the perpetrator–not a good thing in highly-secured buildings. Besides, today’s vending machines are likely to be bolted to the floor or each other and are much more sophisticated–possibly containing machine intelligence, and belonging to the Internet of Things (IoT).

Hacking IoT vending machines

Hacking this kind of vending machine obviously requires a more refined approach, the type that security professionals working for the US Central Intelligence Agency (CIA) might conjure up, according to journalists Jason Leopold and David Mack, who first broke the story “A Bunch Of CIA Contractors Got Fired For Stealing Snacks From Vending Machines.” In their BuzzFeed post, the two writers state, “Several CIA contractors were kicked out of the Agency for stealing more than $3,000 in snacks from vending machines according to official documents… .”

This October 2013 declassified Office of Inspector General (OIG) report is one of the documents referred to by Leopold and Mack. The reporters write that getting the records required initiating a Freedom Of Information Act lawsuit two years ago, adding that the redacted files were only recently released.

The OIG report states Agency employees use an electronic payment system, developed by FreedomPay, to purchase food, beverages, and goods from the vending machines. The payment system relies on the Agency Internet Network to communicate between vending machines and the FreedomPay controlling server. The OIG report adds the party hacking the electronic payment system discovered that severing communications to the FreedomPay server by disconnecting the vending machine’s network cable allows purchases to be made using unfunded FreedomPay cards.
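The weakness the OIG report describes is a fail-open design: when the terminal cannot reach its authorization server, it vends anyway. The following is an added illustration written for this article, not FreedomPay's code or protocol; it models a vending controller with the weak fail-open setting beside a hardened version that fails closed (or allows only a small, bounded offline allowance) and records the link outage for the operator to review.

```python
"""Fail-open vs fail-closed card authorization when the payment server is unreachable.
Illustrative model only; card ids, balances and event strings are constructed samples."""
from dataclasses import dataclass, field


class ServerUnreachable(Exception):
    """Raised when the network link to the payment server is down (cable unplugged)."""


@dataclass
class PaymentServer:
    balances: dict          # card_id -> balance in cents (constructed sample data)
    online: bool = True     # False simulates a severed network connection

    def authorize(self, card_id: str, amount: int) -> bool:
        if not self.online:
            raise ServerUnreachable("no route to payment server")
        if self.balances.get(card_id, 0) < amount:
            return False    # unfunded card: refuse the sale
        self.balances[card_id] -= amount
        return True


@dataclass
class VendingController:
    server: PaymentServer
    fail_open: bool = False      # the weak setting: vend whenever the server cannot be reached
    offline_cap: int = 0         # hardened: per-card offline allowance in cents (0 = none)
    offline_spent: dict = field(default_factory=dict)
    events: list = field(default_factory=list)   # audit trail the operator can monitor

    def vend(self, card_id: str, amount: int) -> bool:
        try:
            return self.server.authorize(card_id, amount)
        except ServerUnreachable:
            # A link outage is itself a signal worth alerting on: repeated
            # LINK_DOWN events on one machine point at tampering, not the network.
            self.events.append(f"LINK_DOWN card={card_id} amount={amount}")
            if self.fail_open:
                return True      # vulnerable behaviour: any card, funded or not, vends
            spent = self.offline_spent.get(card_id, 0)
            if spent + amount > self.offline_cap:
                return False     # fail closed once the bounded offline allowance is used up
            self.offline_spent[card_id] = spent + amount
            self.events.append(f"OFFLINE_VEND card={card_id} amount={amount}")
            return True          # bounded risk; reconciled with the server when the link returns
```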

Smile, you are on candid camera

Apparently, the mastermind behind the hack told others how to circumvent the payment system. The ensuing increase in thefts warranted informing the OIG, which prompted the installation of security cameras. According to the OIG report, “Video footage recovered from the surveillance cameras captured numerous perpetrators engaged in the FreedomPay theft scheme, all of whom were readily identified as Agency contract personnel.”

The suspects, after being interviewed by OIG personnel, admitted to the crime. They surrendered their Agency badges and were escorted from the premises. The suspects were also fired by their contract employers. The matter was referred to the US Attorney’s Office for the Eastern District of Virginia, but the Department of Justice declined to press charges.

Where is the logic?

One wonders at the logic of stealing from vending machines located at CIA headquarters, and like-minded BuzzFeed readers offer their opinions in the post’s comment section. Some suggest hiring the suspects: They have good hacking skills, something the CIA needs. Other readers opine: Contractors make decent money–what kind of logic jeopardizes a good job for a candy bar or a bag of chips?

“Hate to say it, but I probably would have joined in. It sounds like fun. It wasn’t for the free candy,” offered one BuzzFeed reader. This individual’s comment might be the most telling of all. Hacking has its roots in wondering what’s behind that locked door, whether it’s a physical one or digital.

More at stake

What does it mean when responsible parties at this premier intelligence-gathering agency were unaware of vulnerable network-connected vending machines? What else may have been overlooked by everyone except maybe the bad guys? The relative ease with which the vending machine’s software (an IoT device) was compromised might compel us to take a closer look at IoT firmware and software for potential security risks, and to remind all employees, including contractors, about the company’s cybersecurity policy.

Something else to consider: Imagine how different this story would be if the contractor who discovered the weakness in the FreedomPay system had made a manager aware of the security risk?