Jovan Zivanovic

Reverse Vending Machine (RVM) Security: Real World Exploits / Vulnerabilities

Security is often an optional, paid feature. Learn how this choice enabled researchers to print fraudulent cash receipts from a supermarket's reverse vending machines.

Reverse Vending Machine (RVM) Security: Real World Exploits / Vulnerabilities
#1about 3 minutes

The financial incentive for hacking reverse vending machines

Reverse vending machines present a security risk because they exchange returned bottles for money, creating an opportunity for financial exploits.

#2about 4 minutes

Understanding the bottle detection and refund process

RVMs use a combination of sensors like barcode scanners, weight sensors, shape detectors, and material analysis to validate and process returned bottles.

#3about 4 minutes

Categorizing common reverse vending machine attack vectors

Attacks on RVMs fall into three main categories: insider manipulation, tricking the bottle acceptance system, and misclassifying bottles for higher payouts.

#4about 4 minutes

Analyzing supermarket receipts to find security flaws

By collecting and comparing receipts from different supermarket chains, researchers identified patterns in barcode generation to find potential vulnerabilities.

#5about 4 minutes

Discovering a predictable and static barcode vulnerability

One supermarket chain used a static EAN-13 barcode on receipts where the refund amount was directly encoded, making it easy to forge.

#6about 2 minutes

Forging a valid receipt with a script and printer

A simple script and a thermal printer can generate a forged receipt with a custom refund amount that is accepted by the store's checkout system.

#7about 2 minutes

The vendor response to the disclosed vulnerability

The RVM manufacturer confirmed the vulnerability and stated that the secure, cloud-validated solution is an optional feature that customers must pay extra for.

#8about 3 minutes

Finding similar and new exploits in Finland's RVMs

An investigation in Finland revealed the same receipt forgery vulnerability, plus a new attack involving swapping barcode stickers on bottles to claim a higher refund.

#9about 2 minutes

Mitigating receipt fraud with a cloud validation system

The most effective way to prevent receipt forgery is to use a centralized data store that generates a unique ID for each receipt and invalidates it after one use.

#10about 9 minutes

Q&A on blockchain, pentesting, and ethical implications

The speaker discusses using blockchain for validation, the importance of early security involvement and pentesting, and the ethics of exploiting recycling systems.

Related jobs
Jobs that call for the skills explored in this talk.

Matching moments

Malware campaigns, cloud latency, and government IT theft
01:06 MIN

Malware campaigns, cloud latency, and government IT theft

Fake or News: Self-Driving Cars on Subscription, Crypto Attacks Rising and Working While You Sleep - Théodore Lefèvre

Crypto crime, EU regulation, and working while you sleep
01:15 MIN

Crypto crime, EU regulation, and working while you sleep

Fake or News: Self-Driving Cars on Subscription, Crypto Attacks Rising and Working While You Sleep - Théodore Lefèvre

Prompt injection as an unsolved AI security problem
07:39 MIN

Prompt injection as an unsolved AI security problem

AI in the Open and in Browsers - Tarek Ziadé

The security risks of AI-generated code and slopsquatting
05:55 MIN

The security risks of AI-generated code and slopsquatting

Slopquatting, API Keys, Fun with Fonts, Recruiters vs AI and more - The Best of LIVE 2025 - Part 2

Preventing exposed API keys in AI-assisted development
03:45 MIN

Preventing exposed API keys in AI-assisted development

Slopquatting, API Keys, Fun with Fonts, Recruiters vs AI and more - The Best of LIVE 2025 - Part 2

Comparing the security models of browsers and native apps
05:01 MIN

Comparing the security models of browsers and native apps

Developer Time Is Valuable - Use the Right Tools - Kilian Valkhof

Playing a game of real or fake tech headlines
04:17 MIN

Playing a game of real or fake tech headlines

WeAreDevelopers LIVE – You Don’t Need JavaScript, Modern CSS and More

Exploring bizarre headlines about IoT and robotics
00:38 MIN

Exploring bizarre headlines about IoT and robotics

Fake or News: Coding on a Phone, Emotional Support Toasters, ChatGPT Weddings and more - Anselm Hannemann

Featured Partners

Related Videos

See all videos
Getting under the skin: The Social Engineering techniques43:56

Getting under the skin: The Social Engineering techniques

Mauro Verderosa

Cracking the Code: Decoding Anti-Bot Systems!57:47

Cracking the Code: Decoding Anti-Bot Systems!

Fabien Vauchelles

Programming secure C#/.NET Applications: Dos & Don'ts33:29

Programming secure C#/.NET Applications: Dos & Don'ts

Sebastian Leuer

101 Typical Security Pitfalls28:41

101 Typical Security Pitfalls

Alexander Pirker

Cyber Security: Small, and Large!37:32

Cyber Security: Small, and Large!

Martin Schmiedecker

Automotive Security Challenges: A Supplier's View58:59

Automotive Security Challenges: A Supplier's View

Davor Frkat

What The Hack is Web App Sec?24:01

What The Hack is Web App Sec?

Jackie

Typed Security: Preventing Vulnerabilities By Design58:19

Typed Security: Preventing Vulnerabilities By Design

Michael Koppmann

Related Articles

View all articles
CH
Chris Heilmann
Dev Digest 138 - Are you secure about this?
Hello there! This is the 2nd "out of the can" edition of 3 as I am on vacation in Greece eating lovely things on the beach. So, fewer news, but lots of great resources. Many around the topic of security. Enjoy! News and ArticlesGoogle Pixel phones t...
Dev Digest 138 - Are you secure about this?
DC
Daniel Cranney
Security Basics for Vibe Coders
Vibe coding has become a popular trend in the tech world. With so many tools now available for both developers and non-developers, it’s easier than ever to build projects using natural language, in some cases without touching a line of code along the...
Security Basics for Vibe Coders

From learning to earning

Jobs that call for the skills explored in this talk.