## “Hitting and kicking” the bundled App of their widest European distribution company

### PREFACE

Indisputably, **Vending Machines** are objects of cult, and delicious morsels for **Hackers**, always. In the beginning they worked offline with **coins** only; then **NFC keys/cards** models started spreading. If I say “**COGES**”, I’m sure better times will come to someone’s mind. But… in a handful of years things changed radically. You get distracted for a moment and find the world taken over by things connected to the internet…

### STORY

One day I decided to stop seasoning myself in the bat-cave and head to my hometown to get some sunlight, so I went to the University to greet an old professor. _“Let’s go have a coffee!”_ he said, and we started chit-chatting while walking through the main corridor.

> Once we arrived…
>
> _Me:_ “Let me pay, I have coins!”
>
> _Him:_ “Wait, wait! Let me use the Vending Machine’s App to pay, the coffee will be cheaper.”

**BLE + NFC**

> _Brain:_ “Mmm… Virtual wallets are cool stuff…”
>
> Excellent.

### HOT-POT

> _Soul:_ “I dare you to **Hack** into that!”
>
> _~$_ **_White Hat_** _inner voice:_ “Just pats on the shoulder if there’s no bug bounty reward.”
>
> _~$_ **_Grey Hat_** _inner voice:_ “OK, I’ll do it for educational purposes only.”
>
> _~$_ **_Black Hat_** _inner voice:_ “C’mon man, let’s screw that HEAP, great Jupiter!”
>
> Later that day…
>
> Pwnie express.

### ANALYSIS

Needless to say, I picked up my dirty rooted **Android** smartphone (with **USB Debugging** enabled), installed the targeted **App** from the **Play Store** and dumped the original **\*.apk** to my laptop via **adb**:
```shell
# adb pull /data/app/com.sitael.vending-1/base.apk ./Argenta.apk
```

I decompiled the **\*.apk** with [**apktool**](https://ibotpeaches.github.io/Apktool/):

```shell
# apktool d ./Argenta.apk -o ./Argenta
```

and extracted the **Java** sources with [**jadx**](https://github.com/skylot/jadx):

```shell
# jadx ./Argenta.apk
```

First, I made the **\*.apk** debuggable by editing the **AndroidManifest.xml** file, adding the `android:debuggable="true"` attribute to the `<application>` tag. Then I rebuilt the **\*.apk**:

```shell
# apktool b ./Argenta
```

created a new **key** with **keytool**:

```shell
# keytool -genkey -v -keystore Argenta.keystore -alias Argenta -keyalg RSA -keysize 2048 -validity 10000
```

signed the **\*.apk** with **jarsigner** using the generated **key**:

```shell
# jarsigner -verbose -sigalg SHA1withRSA -digestalg SHA1 -keystore Argenta.keystore Argenta.apk Argenta
```

lastly, I **zip-aligned** it to make it runnable:

```shell
# zipalign -v 4 Argenta.apk Argenta-signed.apk
```

and installed the final **\*.apk**:

```shell
# adb install ./Argenta-signed.apk
```

I ran the App on the smartphone and started looking at the logs with **logcat**, filtering them by the App’s **package name**:

```shell
# adb logcat --pid=`adb shell pidof -s com.sitael.vending`
```

Nothing special turned up, so I started combing through the source code for **juicy** information. Looking more closely at the `AndroidManifest.xml` file, I found references to [**RushOrm**](http://www.rushorm.co.uk/), so the first keyword I searched for was `db_name`.

Cool. I opened **Root Explorer** on the phone looking for `argenta.db`. Found. So I pulled it to my laptop with **adb**:

```shell
# adb pull /data/data/com.sitael.vending/databases/argenta.db ./
```

and tried to open it with [**DB Browser for SQLite**](https://sqlitebrowser.org/). Obviously, it was password protected.

### REVERSE-ENGINEERING

Back to the source code, I looked at `RushAndroidConfig.java`, where I found the methods used to configure the database.
My attention was caught by `this.encryptionKey = getDeviceId(context);`. I moved to its definition and… found that the targeted **App** used the phone’s **IMEI** (`*#06#`) as the **encryption key** for the **SQLite database**.

> Abracadabra.

> Boom baby.

After a couple of seconds of inspection, I opened the `UserWallets` table, edited the `walletCredit` field and wrote the changes. Then I pushed the database with the **pumped credit** back to the phone:

```shell
# adb push ./argenta.db /data/data/com.sitael.vending/databases/argenta.db
```

### VERDICT

In the meantime, while feeling like _“Robin Hood”_ (a nostalgic and explicit reference to the **Age Of Empires** cheat code for **+1000 gold**), I developed an **Android** utility to quickly **dump**/**restore**/**tamper** with the targeted **App**’s database on the fly. Then I went back to my University to finally test the **Hack**.

> Dear diary…

### CONCLUSION

From a **zero-credit account**, I could:

- Inflate the App’s credit.
- Buy stuff.
- Get the remaining credit updated.
- Go back to the zero-credit state.
- Inflate the credit again.
- Start over.

With a **macro** inspection of all the **reversed** sources I found a **huge** portion of **clean** code, **_without obfuscation_**, which meant **no serious counter-measures had been adopted to protect user data and make the App secure at all**.

> A month ago…

The **White Hat** inner voice in me picked up the phone and called the [company](http://www.sitael.com/internet-of-things/vending-machines/) behind this **shame** to report the vulnerability. I gently suggested they **toss** the current architecture and develop a better, secure one from scratch.

> Hocus bogus.
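The conclusion lists the cycle the App allowed: edit the credit on the phone, spend it, restore the old database, repeat. As an added example (not code from the original post, nor from the App’s vendor), here is the shape of a server-side check that catches both steps. It assumes the server holds a secret the phone never sees and keeps a per-user sequence number; the record layout, field names, secret and values are constructed for illustration and say nothing about the App’s real protocol.

```python
"""
Added example, not from the original post: a server-side check that makes the
two tricks described above detectable. Editing `walletCredit` on the phone
breaks the server-issued MAC, and restoring an old copy of the database is
caught by a per-user monotonic sequence number. Every name, secret and record
here is constructed for illustration; the App's real protocol is not known.
"""
import hashlib
import hmac
import json
import secrets


def _canonical(record: dict) -> bytes:
    """Deterministic serialization so issuer and verifier MAC the same bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def issue_wallet(server_secret: bytes, user_id: str, credit_cents: int, seq: int) -> dict:
    """Server-side: build the wallet record the phone may cache and tag it.
    `server_secret` never leaves the server, unlike an IMEI-derived key."""
    record = {"userId": user_id, "walletCredit": credit_cents, "seq": seq}
    record["tag"] = hmac.new(server_secret, _canonical(record), hashlib.sha256).hexdigest()
    return record


def verify_tag(server_secret: bytes, record: dict) -> bool:
    """Recompute the MAC over everything but the tag; constant-time compare."""
    body = {k: v for k, v in record.items() if k != "tag"}
    expected = hmac.new(server_secret, _canonical(body), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, str(record.get("tag", "")))


class Ledger:
    """Server state: last accepted sequence number per user."""

    def __init__(self, server_secret: bytes):
        self.secret = server_secret
        self.last_seq: dict = {}

    def accept(self, record: dict) -> str:
        """Return 'ok', 'bad-tag' or 'replay' for a record presented at purchase time."""
        if not verify_tag(self.secret, record):
            return "bad-tag"            # credit (or anything else) was edited offline
        user, seq = record["userId"], record["seq"]
        if seq <= self.last_seq.get(user, -1):
            return "replay"             # an older, genuinely signed copy was restored
        self.last_seq[user] = seq
        return "ok"


def demo() -> dict:
    """Run the three scenarios from the post against the hardened check."""
    secret = secrets.token_bytes(32)                        # constructed server secret
    ledger = Ledger(secret)
    genuine = issue_wallet(secret, "demo-user", 0, seq=1)   # constructed zero-credit wallet

    forged = dict(genuine, walletCredit=10_000)             # the offline "pumped credit" edit
    forged_result = ledger.accept(forged)                   # "bad-tag"
    first_use = ledger.accept(genuine)                      # "ok"
    restored = ledger.accept(genuine)                       # "replay": same record presented again
    return {"forged": forged_result, "first_use": first_use, "restored": restored}


if __name__ == "__main__":
    print(demo())   # {'forged': 'bad-tag', 'first_use': 'ok', 'restored': 'replay'}
```

The point is the trust boundary, not the cipher: a SQLite key derived from the IMEI can be recomputed by whoever holds the phone, so encrypting the local database is no substitute for the server being the authority on credit. In this design the cached record is only a signed hint, and the balance the machine honors comes from the server’s ledger.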