A hacker enticed by the payment method used by the vending machines located on a university campus found a way to get free credit after looking at the inner workings of the machine’s accompanying mobile app.
The vending machines are from Argenta, a popular provider of coffee services in Italy that has since been acquired by the Selecta Group B.V. The machines are used all over the country for automated sales of all sorts of products, from refreshing drinks to cigarettes.
They support Bluetooth Low Energy (BLE) and Near Field Communication (NFC) technologies to allow a user to connect to them and make payments with their smartphone.
Finding a vulnerability
Searching for a weak spot, Matteo Pisani, an Italian hacker and CTO at Remoria VR, decompiled the Argenta mobile app that interacts with the vending machines and made it debuggable. He then repackaged and installed it on a smartphone and monitored its activity for anything that could be manipulated.
Soon enough, he found references to RushOrm, an object-relational mapping library for Android that maps Java classes to SQL tables. That told him the app kept state in a local database, and local databases always hold precious information.
Poorly protected database
Pisani was thus able to determine that the mobile app used a database called ‘argenta.db,’ which he located on the phone and pulled to his laptop. The file, though, was password-protected.
Turning back to the app’s source code, the hacker found the RushOrm configuration and noticed that the password guarding the database was the phone’s IMEI (International Mobile Equipment Identity) code. An IMEI is a device identifier, not a secret: it is printed on the handset and can be read from the device itself, so anyone holding the phone, including its owner, can recover the key and open the database.
The database contained multiple tables, but the one that caught Pisani’s attention was ‘UserWallets,’ which came with an editable ‘walletCredit’ field.
As the name suggests, this entry tells the app how much credit the user can spend at Argenta vending machines. To make things easier, he developed an Android tool that automated the interaction with the database and applied the wallet changes for him.
Pisani says that no initial credit was needed in order to change the value. In support of this, he published a picture showing an inflated credit of EUR 999.
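The weakness described above is a client-side trust problem: the app reads the spendable amount back from a file the user controls, so editing one field is enough. The following is an added illustration, not the Argenta app’s code or Pisani’s tool. It reuses the table and column names from the article (‘UserWallets’, ‘walletCredit’) on a constructed in-memory SQLite database, shows the one-line tamper, and sets it beside a hardened pattern in which the backend attaches a MAC under a key the client never holds, so the dispensing side can detect an edited balance. The key, user ID and nonce values are assumed for the example.

```python
"""Client-trusted wallet credit versus a server-authenticated balance.

Added example with constructed sample data; table/column names follow the
article, everything else (key, user ID, nonce, token column) is assumed.
"""
import hashlib
import hmac
import sqlite3
from typing import Optional

# Assumed: a secret that exists only on the backend. Nothing comparable exists
# in the client-trusted pattern, which is why a direct edit goes unnoticed.
SERVER_KEY = b"backend-only-secret-never-shipped-in-the-apk"


def build_local_wallet(credit: float) -> sqlite3.Connection:
    """Constructed stand-in for the app's local database (kept in memory).

    walletNonce and walletToken are this example's additions for the
    hardened pattern; the original table only needs walletCredit.
    """
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE UserWallets ("
        "userId TEXT PRIMARY KEY, walletCredit REAL, "
        "walletNonce TEXT, walletToken TEXT)"
    )
    db.execute("INSERT INTO UserWallets VALUES (?, ?, NULL, NULL)", ("user-1", credit))
    db.commit()
    return db


def tamper(db: sqlite3.Connection, new_credit: float) -> None:
    """What anyone with the database file and its key can do: a single UPDATE."""
    db.execute(
        "UPDATE UserWallets SET walletCredit = ? WHERE userId = ?",
        (new_credit, "user-1"),
    )
    db.commit()


def credit_client_trusted(db: sqlite3.Connection) -> float:
    """Vulnerable pattern: the spendable amount is whatever the row says."""
    (credit,) = db.execute(
        "SELECT walletCredit FROM UserWallets WHERE userId = ?", ("user-1",)
    ).fetchone()
    return credit


def _balance_mac(user_id: str, credit: float, nonce: str) -> str:
    """HMAC-SHA256 over (user, amount, nonce) with the backend-only key."""
    msg = f"{user_id}|{credit:.2f}|{nonce}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def server_issue_balance(db: sqlite3.Connection, user_id: str, credit: float, nonce: str) -> None:
    """Backend writes the balance together with a MAC the client cannot forge."""
    db.execute(
        "UPDATE UserWallets SET walletCredit = ?, walletNonce = ?, walletToken = ? "
        "WHERE userId = ?",
        (credit, nonce, _balance_mac(user_id, credit, nonce), user_id),
    )
    db.commit()


def credit_server_checked(db: sqlite3.Connection, user_id: str = "user-1") -> Optional[float]:
    """Hardened pattern: recompute the MAC before trusting the stored amount.

    Returns None when the row carries no token or the token does not match
    the stored credit, i.e. the value was edited outside the backend.
    """
    row = db.execute(
        "SELECT walletCredit, walletNonce, walletToken FROM UserWallets WHERE userId = ?",
        (user_id,),
    ).fetchone()
    if row is None or row[2] is None:
        return None
    credit, nonce, token = row
    if not hmac.compare_digest(_balance_mac(user_id, credit, nonce), token):
        return None
    return credit


if __name__ == "__main__":
    db = build_local_wallet(5.0)
    server_issue_balance(db, "user-1", 5.0, "nonce-0001")
    tamper(db, 999.0)
    print("client-trusted credit:", credit_client_trusted(db))  # 999.0
    print("server-checked credit:", credit_server_checked(db))  # None
```

The MAC stops an edited amount from being accepted, but it does not by itself stop replay of an old, validly signed balance after the credit has been spent; the nonce has to be tracked and invalidated on the backend for that. That is why the sensible design keeps the ledger server-side and treats the phone’s copy as a cache at most.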
“With a macro inspection of all the reversed sources I found a huge portion of clean code — without obfuscation — which meant no great counter-measures were adopted to protect user data and make the App secure at all,” Pisani notes.
About a month before making them public, the hacker disclosed his findings to the company that developed the app.
“I gently suggested that they toss the current architecture and develop a better and secure one from scratch,” the hacker says.
Pisani published a video that demonstrates the validity of his findings, which he filed under Comedy on YouTube.