Today we’re going to step into every little kid’s dream: getting free things out of a vending machine!
No, we’re not going to use the old coin-on-a-string trick. Our target is one of the more modern cashless vending machines that use RFID cards for paying.

The Cartadis TDA3, a cashless vending machine solution.

How does cashless paying work?

After seeing a cashless vending machine, the first thing I wondered was where your currency is stored. A security expert would expect it to be stored on a secured server, but there were no Ethernet cables attached to the machine. So it had to be stored locally.

I started reading the manual of the Cartadis TDA3, one of the solutions for cashless RFID payments.

As it turns out your currency is stored locally on the cards in what they call “wallets”, this was already a red flag for me. They read and overwrite the value every time you make a payment. So I took out my trusty NFC Reader to test everything out on one of my personal RFID cards.

They aren’t completely insecure

NFC Reader/Writer

After reading out my card, which was the first time I played around with RFID cards, I stumbled upon a roadblock: the data was encrypted. Thank god.

However, the encryption is broken. As published in a Black-Hat Presentation in 2014 by Márcio Almeida, cards can be copied easily to UID changeable cards (a piece of data which is normally read-only).

This means that even though there is encryption on the cards, it’s fairly useless as it depends on the UID as a form of authentication.

Putting it all together and exploiting the system

What we need:

  • NFC Reader/Writer (€40)
  • An empty UID Writable MIFARE card (€2)
  • Some starting money (€10)
  • The original card (Free)

What I did was actually very simple, and this is what bothers me the most. You need to charge your original card with your starting money, creating a €10 value card. We need to read the data on the card, including the UID, and then write it all to the empty card.

Now that we have two €10 value cards and knowing that the data is stored locally, we can easily pay with our self-made card and overwrite it again with the original card’s data when it’s empty. This way, we create an infinite amount of virtual money, thus, free drinks (once you’ve spent €52 on equipment).

DISCLAIMER: This blog post was made for research/educational purposes only. 
No actual harm was done on any systems nor do I encourage other people to
use this for malicious purposes.

Sharing is caring!