Jovan Zivanovic

Reverse Vending Machine (RVM) Security: Real World Exploits / Vulnerabilities

Security is often an optional, paid feature. Learn how this choice enabled researchers to print fraudulent cash receipts from a supermarket's reverse vending machines.

Reverse Vending Machine (RVM) Security: Real World Exploits / Vulnerabilities
#1about 3 minutes

The financial incentive for hacking reverse vending machines

Reverse vending machines present a security risk because they exchange returned bottles for money, creating an opportunity for financial exploits.

#2about 4 minutes

Understanding the bottle detection and refund process

RVMs use a combination of sensors like barcode scanners, weight sensors, shape detectors, and material analysis to validate and process returned bottles.

#3about 4 minutes

Categorizing common reverse vending machine attack vectors

Attacks on RVMs fall into three main categories: insider manipulation, tricking the bottle acceptance system, and misclassifying bottles for higher payouts.

#4about 4 minutes

Analyzing supermarket receipts to find security flaws

By collecting and comparing receipts from different supermarket chains, researchers identified patterns in barcode generation to find potential vulnerabilities.

#5about 4 minutes

Discovering a predictable and static barcode vulnerability

One supermarket chain used a static EAN-13 barcode on receipts where the refund amount was directly encoded, making it easy to forge.

#6about 2 minutes

Forging a valid receipt with a script and printer

A simple script and a thermal printer can generate a forged receipt with a custom refund amount that is accepted by the store's checkout system.

#7about 2 minutes

The vendor response to the disclosed vulnerability

The RVM manufacturer confirmed the vulnerability and stated that the secure, cloud-validated solution is an optional feature that customers must pay extra for.

#8about 3 minutes

Finding similar and new exploits in Finland's RVMs

An investigation in Finland revealed the same receipt forgery vulnerability, plus a new attack involving swapping barcode stickers on bottles to claim a higher refund.

#9about 2 minutes

Mitigating receipt fraud with a cloud validation system

The most effective way to prevent receipt forgery is to use a centralized data store that generates a unique ID for each receipt and invalidates it after one use.

#10about 9 minutes

Q&A on blockchain, pentesting, and ethical implications

The speaker discusses using blockchain for validation, the importance of early security involvement and pentesting, and the ethics of exploiting recycling systems.

Related jobs
Jobs that call for the skills explored in this talk.

Matching moments

Examining IDOR vulnerabilities in major companies
22:44 MIN

Examining IDOR vulnerabilities in major companies

How to Cause (or Prevent) a Massive Data Breach- Secure Coding and IDOR

A practical demonstration of exploiting IDOR vulnerabilities
07:52 MIN

A practical demonstration of exploiting IDOR vulnerabilities

How to Cause (or Prevent) a Massive Data Breach- Secure Coding and IDOR

Understanding common intruder attack vectors
12:10 MIN

Understanding common intruder attack vectors

Securing Your Web Application Pipeline From Intruders

Vulnerabilities in keyless entry and vehicle data
07:45 MIN

Vulnerabilities in keyless entry and vehicle data

Cyber Security: Small, and Large!

How attackers exploit developers and packages
08:22 MIN

How attackers exploit developers and packages

Vue3 practical development

Securing against AI-driven supply chain attacks
09:25 MIN

Securing against AI-driven supply chain attacks

WeAreDevelopers LIVE: What's happening to React?, All-in-one editors, Fireships and Firebases & more

The current state of LLM security and the need for awareness
22:43 MIN

The current state of LLM security and the need for awareness

ChatGPT, ignore the above instructions! Prompt injection attacks and how to avoid them.

Why developers are a prime target for attackers
00:03 MIN

Why developers are a prime target for attackers

You click, you lose: a practical look at VSCode's security

Featured Partners

Related Videos

See all videos
Cracking the Code: Decoding Anti-Bot Systems!57:47

Cracking the Code: Decoding Anti-Bot Systems!

Fabien Vauchelles

Programming secure C#/.NET Applications: Dos & Don'ts33:29

Programming secure C#/.NET Applications: Dos & Don'ts

Sebastian Leuer

101 Typical Security Pitfalls28:41

101 Typical Security Pitfalls

Alexander Pirker

Cyber Security: Small, and Large!37:32

Cyber Security: Small, and Large!

Martin Schmiedecker

Getting under the skin: The Social Engineering techniques43:56

Getting under the skin: The Social Engineering techniques

Mauro Verderosa

Typed Security: Preventing Vulnerabilities By Design58:19

Typed Security: Preventing Vulnerabilities By Design

Michael Koppmann

Automotive Security Challenges: A Supplier's View58:59

Automotive Security Challenges: A Supplier's View

Davor Frkat

What The Hack is Web App Sec?24:01

What The Hack is Web App Sec?

Jackie

From learning to earning

Jobs that call for the skills explored in this talk.