Blog #01: Security Review
I love paying for laundry in my own home, for which I pay rent along with utilities. – No One Ever
Such is the situation I find myself in. Both the washer and dryer in the basement of my off-campus abode are coin-operated, demanding $1.25 and $1, respectively. My main objection to this scheme is that I believe it is a negative-sum game. I find it likely that my inconvenience in having to scavenge quarters outstrips the meager gains, which I've estimated at around $40/month, our landlord realizes when he comes around each month to collect his takings. Negative-sum games are evil, and one ought to subvert such a game when coerced into playing.
Threat Model
We should first define the goals of the attacker and what relaxations of these goals are tolerable given their cost and risk. Broadly, the optimal solution here can be said to be the one that minimizes the time and monetary costs of performing the attack as often as needed for the rest of the semester, while also minimizing risk. Risk is a key factor that cannot be ignored as it is in most computer network scenarios, given that gaining such unauthorized access to the machine likely violates the terms of our lease, and any evidence of the attack, successful or not, could likely be traced to the source without much difficulty.
A first approximation to this system consists solely of the attacker and the machine. The attacker wants the machine to execute a wash cycle. For our purposes, the machine has a single physical switch, and no matter who or what flips that switch, the cycle will execute. Access to this switch is mediated by the coin-based authorization protocol and the sturdy physical constructions surrounding these mechanisms, which deter unauthorized access. We can model this attacker's resources to include physical access to the machine at any time of day for any duration without increased risk. The property manager only comes on a monthly basis, which does not practically restrict the time window for an attack. It is also convenient to assume access to and willingness to spend some modest amount of money equal to the sum to be spent on laundry in the absence of a successful attack, times perhaps a factor of two to account for the thrill of subverting the system. We'll call this model Phe vs. Machine (PvM).
A second approximation affords the attacker the ability to interact with any external parties, for example the landlord and vendors of relevant machinery. This suggests a set of attacks that still contains those from PvM, with the important addition of a set of attacks predicated on Social Engineering, in which external parties with greater privilege relating to the target system are induced into conferring pieces of that privilege to the attacker.
Authorization: Mechanism and Products
The target machine is a Whirlpool Coin-Operated Top-Load Washer (which is actually no longer listed on the linked product page due to old age) with a Greenwald Industries Coin Chute and Greenwald Industries Money Box. The following is a model for the coin-based authorization process that I've pieced together from Greenwald Industries' website and from poking around the target machine.
Coin-based Activation Sequence:
- 5 quarters are placed in the slots of a Coin Chute.
- The chute is pushed forward, and only when all coins are present will they drop from the chute.
- On the way down, the coins activate a Coin-Activated Starter, which flips the switch mentioned earlier to initiate the cycle.
- The coins drop into the Money Box below the coin chute.
The chute and the starter are both accessible through the Service Door, an opening in the rear of the payment mechanism secured with a tubular lock as illustrated below.
The money box is secured with a traditional pin tumbler lock, with key-lock combinations uniquely identified by a numeric code of length varying by model. Relevant to our second model, according to Greenwald Industries' policy, replacement money box keys can be ordered if the order lists the proper key code, which serves as a form of authentication as the party originally issued the key. A complete listing of key models and their code specifications is provided here.
Attack Analysis
With the process outlined above, we can start to enumerate possible attack vectors. There are three different levels of system penetration in which we can operate.
- No penetration. All we can manipulate is the coin chute from the outside.
- Service door penetration.
- Money box penetration.
Coin-Chute Attacks
If we only have access to the coin chute, we can look at the Greenwald Industries product listing for potential exploits (emphasis added):
Thick hardened front plate to protect slides from direct attack. Sliding stainless steel gates protects from tampering and rusting. Stainless steel sizing dogs provide superior protection from direct slide forcing. Hardened steel V notch coin sizing block means greater rejection of slugs, tile and foreign coins.
Immediately, we are presented with the possibility of inducing the mechanism to accept invalid currency as payment, either by brute force or using cheaper replicas. The latter carries less risk of discovery, and there are ample household materials and cheap substitutes to use for manufacturing thin metal disks. Bottle caps and washers come to mind here. Another coin-chute attack is the fabled Coin-on-a-String Trick.
All of the attacks listed here carry a high risk of damage to the coin chute mechanism, which is likely not designed to degrade gracefully in the face of objects behaving improperly while interacting with the switches governing currency acceptance. The risk of irreparable damage increases with the force applied, so the potential cost of a failed attempt is on the order of hundreds of dollars, depending on the extent to which components of the washer itself are damaged.
Service Door Attacks
The Service Door is the means by which maintenance of the system is performed by licensed workers. This means it provides access to the Coin Chute, the Coin-Operated Starter, and the interface between the Coin Chute and Money Box. Two attacks come to mind here, both resulting in a reduced price for executing a cycle. The applicability of these attacks will depend on the configuration of the target, but they look to cover most possible configurations of Coin-Chutes and Coin-Activated Starters.
- Change the number of coins demanded by the Coin-Chute. This is documented for all of Greenwald Industries' Coin-Chute models (G4, V5, V7, V8) except the V13, and appears to be easily executed provided a set of thin 'buffers' used to jam slots that we don't require be filled with coins. Low-cost substitutes for the buffers look to be very viable.
- Change the number of coins demanded by the Coin-Activated Starter. This is also documented.
In the event that neither the Coin-Chute nor the Starter is manually configurable in this way, this line of attack might come down to hacking the circuit board acting as the Starter, which carries a very high risk of permanent damage given the sensitivity of ancient electronics. The previous two attacks carry a much lower risk of damage, given that one has full access to the internals of the mechanism in case of a jam and both operations are well-documented and supported by the apparatus. Discovery is also unlikely because maintenance is only performed in the event of a problem; by contrast, paying with foreign coins is likely to be punished, given that the money box is emptied periodically and that the subversion is easily attributable to the tenants of our house.
Gaining Service Door Access
The Service Door Attacks seem promising. Gaining this access requires picking the tubular lock, as the proper key code is required to request replacement keys for the Service Door lock as well. This has been demonstrated both with custom picking tools and with a ballpoint pen. In my efforts, I was able to file down a BIC pen cap to fit properly in the entryway (seen below), but was unsuccessful in turning the tumbler. More work to follow.
BIC cap tubular lock pick
Money Box Attacks
Obviously, if you have access to the money box, you win. The cost of a load of laundry is borrowing $1.25 for the amount of time it takes for you to put the quarters in the Coin-Chute and then fish them out of the money box. This is clearly the Holy Grail of attacks here.
Gaining Money Box Access
Getting access to the money box requires bypassing Greenwald Industries' prize lineup of locks. Nothing about this lock prohibits the standard techniques of lockpicking, and once I obtain the proper tools, I will give it a shot. The second way of bypassing the lock is to obtain a key. Short of stealing the key from the landlord, a short section in the Whirlpool Service Tips suggests the potential for a one-time bypass via lockpicking leading to persistent, convenient access to the money box:
If the key is lost and the number is not recorded:
- The key number may be viewed using a mechanics inspection mirror inserted through the money acceptor opening in the front metercase into the money box. Obtain the key number off of the label inside the money box and call the money box manufacturer to request a replacement key.
In some washer models, accessing the money box once is enough to demonstrate that one is a party authorized to access the box indefinitely! This has the potential for a fantastic adventure in social engineering, as the deal must be closed by interacting with a Greenwald Industries representative. Whether this tip holds true for all money boxes remains to be seen, but I certainly hope it does. Note that should the tip hold, we can also use access to the Service Door as a source of weak Money Box access, providing only the visual described in the tip to obtain the Money Box key code. Thus, the potential for a persistent, convenient quarter exfiltration attack exists provided either Money Box access or Service Door access. Either way, a lock must be picked!
Enough Talk
The lowest risk, lowest cost solution seems to be to try to pick the lock on the Money Box. For even moderately skilled practitioners of the craft, lockpicking has proven an incredibly successful approach to bypassing the majority of locks, and given the age of this particular lock, I don't expect the challenge would be insurmountable. Should the lock be successfully bypassed, the decision to pursue a replacement key via social engineering would be made given the time cost of the lock picking job, which would only have to be performed every few weeks to be effective. As a final strategic note, the profit from a well-executed persistent attack should be minimal. An empty money box will surely bring the hammer down from property management, so skimming just enough to cover free laundry and pool at the GCB is likely the optimal move for an attacker with Money Box access in the long term.