SHIoT HAPPENS: Hacked Vending Machines Snack on Your Data

By Joe Lea, VP of Product

Vending machines have been around for more than 100 years. You can find them everywhere selling anything from newspapers, to soda, to sandwiches, or even actual full-sized automobiles. With modern technology, though, organizations may find their vending machines doing more than just spitting out chips and candy bars.

In recent years, vending machine manufacturers have been adding IoT sensors to vending machines, and operators have been connecting the machines to local networks to transmit real-time data. This “IoT-ification” of the vending machine solves real problems: the owner of the machine can monitor things like inventory and temperature remotely. This allows the operator to cut costs by avoiding needless trips to the vending machine to restock it when it was not yet empty.

However, any time you connect a device — even a vending machine — to a network, you expose the network to risks and cyber threats. If the vending machine can communicate over the network to share diagnostic results and operational information, it is also susceptible to attackers. The technology that monitors inventory and activity can also be hijacked for more nefarious tasks. Without comprehensive visibility and the right security controls, a network-connected vending machine can be a weak point that attackers can exploit to gain a foothold on a network.

Compromised Vending Machines

The risk posed by connected, IoT-enabled vending machines is not purely theoretical. There are real-world examples of situations where vending machines have been used in cyber attacks.

  • Vacationland Vendors, a company that manages vending machines at theme parks, issued a notice of a data breach affecting approximately 40,000 customers who visited Wilderness Resorts water parks between December of 2008 and May of 2011. The data breach notice did not say exactly how the attack was perpetrated, but experts say the breach was probably the result of hacking the machine’s payment network.
  • Avanti Markets designs and maintains food and drink self-checkout kiosks found in company break rooms throughout the United States, and has over 1.5 million customers. In July of 2017, Avanti announced that a “sophisticated malware attack” had allowed attackers to obtain customer names, email addresses and credit card information.
  • In 2017, CSO reported that over 5,000 network-connected vending machines and light bulbs at an American university were commandeered, leading to a network outage that impacted most of the students and faculty. The outage was caused when the commandeered vending machines were used to generate hundreds of DNS lookups every 15 minutes that effectively took the university network down.

Visibility and IoT Security

The risk posed by connected devices is real. IoT technologies in manufacturing facilities, public utilities, and healthcare environments may pose a higher threat to safety and human lives, but even something as seemingly innocuous as a connected vending machine can have a real-world impact if it has been compromised and exploited by a cyber attack.

Traditional security tools are not able to protect you from the threats posed by IoT devices. They were not built with IoT devices in mind. Organizations need a next-generation security platform that can provide comprehensive visibility and the ability to inventory, assess, monitor, and protect all devices on the network—especially unmanaged and IoT devices that are not able to run agents or locally-installed security tools.