

Indisputably, Vending Machines are objects of cult, and always delicious morsels for Hackers. In the beginning they worked offline with coins only; then NFC key/card models started spreading. If I say "COGES", I'm sure better times will come to someone's mind. But... in a bunch of years things changed radically. You get distracted and a moment later find the world superseded by things connected to the internet...
One day I decided to stop seasoning myself in the bat-cave and head to my hometown to get some sunlight, so I went to the University to greet an old professor.
"Let's go have a coffee!" he said, and we started chit-chatting while walking through the main corridor.
Once there...
Me: "let me pay, I have coins!".
Him: "wait wait! let me use the Vending Machine's App to pay, the coffee will be cheaper".
BLE + NFC
Brain: "Mmm... Virtual wallets are cool stuff...".
Excellent.
Soul: "I dare you to Hack into that!"
~$ White Hat inner voice: "just pats on the shoulder if no bug bounty reward".
~$ Grey Hat inner voice: "ok, I'll do that for educational purposes only".
~$ Black Hat inner voice: "c'mon man, let's screw that HEAP, great Jupiter!".
Later that day...
Pwnie express.
Needless to say, I picked up my dirty rooted Android smartphone (with USB debugging enabled), installed the targeted App from the Play Store and dumped the original *.apk to my laptop via adb.
# adb pull /data/app/com.sitael.vending-1/base.apk ./Argenta.apk
I decompiled the *.apk with apktool
# apktool d ./Argenta.apk -o ./Argenta
and extracted Java sources with jadx
# jadx ./Argenta.apk
First, I made the *.apk debuggable by editing the AndroidManifest.xml file and adding the android:debuggable="true" attribute to the <application> tag.
Then, I rebuilt the *.apk
# apktool b ./Argenta
created a new key with keytool
# keytool -genkey -v -keystore Argenta.keystore -alias Argenta -keyalg RSA -keysize 2048 -validity 10000
signed the *.apk with jarsigner using the generated key
# jarsigner -verbose -sigalg SHA1withRSA -digestalg SHA1 -keystore Argenta.keystore Argenta.apk Argenta
lastly, I zip-aligned it to make it runnable
# zipalign -v 4 Argenta.apk Argenta-signed.apk
and I installed the final *.apk
# adb install ./Argenta-signed.apk
I ran the App on the smartphone and started looking at logs with logcat, filtering them by the App's package name
# adb logcat --pid=`adb shell pidof -s com.sitael.vending`
Nothing special found, so I started combing through the source code looking for juicy information.
Looking more carefully at the AndroidManifest.xml file, I found references to RushOrm.
So the first keyword I searched for was db_name.
Cool. I fired up Root Explorer on the phone looking for argenta.db.
Found. So I pulled it to my laptop with adb
# adb pull /data/data/com.sitael.vending/databases/argenta.db ./
and tried to open it with DB Browser for SQLite;
obviously, it was password protected.
Step back to the source code: I looked at RushAndroidConfig.java,
where I found the methods used to configure the database.
My attention was caught by this.encryptionKey = getDeviceId(context);
I moved to its definition and...
found that the targeted App used the phone's IMEI (*#06#)
as the encryption key for the SQLite database.
Abracadabra.
Boom baby.
After a couple of seconds of inspection, I opened the UserWallets
table
and edited the walletCredit
field, writing the changes;
then I pushed the database with pumped credit back to the phone
# adb push ./argenta.db /data/data/com.sitael.vending/databases/argenta.db
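The pull/edit/push loop above, as an added example that is neither the post's own code nor the vending App's: a Python sketch with the standard sqlite3 module that models a UserWallets table holding walletCredit (the two names the post gives; the extra columns, the user id, the server secret and the coffee price are constructed assumptions). SQLCipher and the IMEI key are deliberately not modelled. The post's point stands regardless: a key the device holder can read by dialling *#06# only hides the database from people who do not have the phone, so whatever is stored on the phone has to be treated as attacker-controlled. The example shows the vulnerable design, where the machine trusts the balance the App reports, next to a server-authoritative variant where each balance carries an HMAC under a secret the phone never holds plus a sequence number the server remembers, which rejects both the edited balance and the "go back and inflate again" snapshot-restore trick.

```python
"""Client-side wallet balance: the post's tamper step next to a server-side check.

Added example, not the vending App's code. UserWallets / walletCredit come from
the post; every other name and value is a constructed assumption. SQLCipher is
not modelled: the database is plain sqlite3 so the example runs offline.
"""
import hashlib
import hmac
import sqlite3

SAMPLE_USER = "user-0001"                                          # constructed
COFFEE_PRICE = 0.80                                                # constructed
SERVER_SECRET = b"constructed-secret-that-never-leaves-the-server"  # assumption

SCHEMA = """
CREATE TABLE UserWallets (
    userId       TEXT PRIMARY KEY,
    walletCredit REAL NOT NULL,
    creditSeq    INTEGER NOT NULL DEFAULT 0,   -- assumed: server-issued counter
    creditMac    TEXT                          -- assumed: server-issued HMAC
)
"""


def open_wallet_db() -> sqlite3.Connection:
    """Fresh in-memory database with one zero-credit wallet (stands in for argenta.db)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.execute("INSERT INTO UserWallets (userId, walletCredit) VALUES (?, 0.0)", (SAMPLE_USER,))
    conn.commit()
    return conn


def read_wallet(conn, user_id):
    """Equivalent of 'adb pull': the attacker gets the row exactly as stored."""
    return conn.execute(
        "SELECT walletCredit, creditSeq, creditMac FROM UserWallets WHERE userId = ?",
        (user_id,)).fetchone()


def restore_wallet(conn, user_id, row):
    """Equivalent of 'adb push': the attacker writes a previously saved row back."""
    credit, seq, mac = row
    conn.execute(
        "UPDATE UserWallets SET walletCredit = ?, creditSeq = ?, creditMac = ? WHERE userId = ?",
        (credit, seq, mac, user_id))
    conn.commit()


def tamper_credit(conn, user_id, new_credit):
    """The post's attack step: edit walletCredit directly in the pulled database."""
    conn.execute("UPDATE UserWallets SET walletCredit = ? WHERE userId = ?", (new_credit, user_id))
    conn.commit()


def vulnerable_vend(conn, user_id, price):
    """Vulnerable design: the machine trusts whatever balance the App holds."""
    credit, _, _ = read_wallet(conn, user_id)
    if credit < price:
        return False
    conn.execute("UPDATE UserWallets SET walletCredit = walletCredit - ? WHERE userId = ?",
                 (price, user_id))
    conn.commit()
    return True


def _balance_mac(user_id, credit, seq):
    msg = f"{user_id}|{credit:.2f}|{seq}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


class WalletServer:
    """Hardened design: the server issues balances and checks them before vending.

    The phone only caches (credit, seq, mac). It cannot forge the MAC without the
    secret, and the server remembers the newest seq so an old but valid row is refused.
    """

    def __init__(self):
        self.last_seq = {}

    def issue(self, conn, user_id, credit):
        seq = self.last_seq.get(user_id, 0) + 1
        self.last_seq[user_id] = seq
        conn.execute(
            "UPDATE UserWallets SET walletCredit = ?, creditSeq = ?, creditMac = ? WHERE userId = ?",
            (credit, seq, _balance_mac(user_id, credit, seq), user_id))
        conn.commit()

    def vend(self, conn, user_id, price):
        credit, seq, mac = read_wallet(conn, user_id)
        if mac is None or not hmac.compare_digest(mac, _balance_mac(user_id, credit, seq)):
            return False                      # edited balance: MAC does not match
        if seq != self.last_seq.get(user_id):
            return False                      # replayed snapshot: not the newest issued row
        if credit < price:
            return False
        self.issue(conn, user_id, credit - price)
        return True


def run_demo():
    """Replays the post's steps against both designs and returns the outcomes."""
    out = {}
    conn = open_wallet_db()
    out["vuln_zero_credit"] = vulnerable_vend(conn, SAMPLE_USER, COFFEE_PRICE)
    tamper_credit(conn, SAMPLE_USER, 1000.0)               # "inflate the App's credit"
    out["vuln_after_tamper"] = vulnerable_vend(conn, SAMPLE_USER, COFFEE_PRICE)
    out["vuln_credit_left"] = round(read_wallet(conn, SAMPLE_USER)[0], 2)

    server = WalletServer()
    conn = open_wallet_db()
    server.issue(conn, SAMPLE_USER, 5.0)                   # legitimately topped up
    snapshot = read_wallet(conn, SAMPLE_USER)              # attacker pulls the valid row
    tamper_credit(conn, SAMPLE_USER, 1000.0)
    out["hard_after_tamper"] = server.vend(conn, SAMPLE_USER, COFFEE_PRICE)
    restore_wallet(conn, SAMPLE_USER, snapshot)
    out["hard_honest"] = server.vend(conn, SAMPLE_USER, COFFEE_PRICE)
    restore_wallet(conn, SAMPLE_USER, snapshot)            # "go back" and try again
    out["hard_replay"] = server.vend(conn, SAMPLE_USER, COFFEE_PRICE)
    return out


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(f"{name}: {result}")
```

The sequence counter is the part people forget: an HMAC alone proves a balance was issued by the server, not that it is the current one, so without it the pull-a-valid-row-and-push-it-back-later cycle from the post still works. In a real deployment the balance would simply never be the phone's to report; the App would present an identity and the server or machine would hold the ledger.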
In the meantime, while feeling like "Robin Hood" (a nostalgic and explicit reference to the Age of Empires cheat code for +1000 gold), I developed an Android utility to quickly dump/restore/tamper with the targeted App's database on the fly.
Then I went back to my University again to finally test the Hack.
Dear diary...
From zero-credit account, I could:
> Inflate the Appβs credit.
> Buy stuff.
> Get the remaining credit updated.
> Go back to zero-credit state.
> Inflate the credit again.
> Start over.
A macro inspection of all the reversed sources showed huge portions of clean code, without obfuscation, which meant no serious countermeasures had been adopted to protect user data or to make the App secure at all.
A month ago...
My White Hat inner voice picked up the phone and called the company behind this shame to report the vulnerability. I gently suggested they toss the current architecture and develop a better and secure one from scratch.
Hocus bogus.