CIA contractors fired for stealing from hacked IoT snack machines

FreedomPay: it’s the kind of vending machine technology that makes paying for snacks “faster, simpler, safer, and smarter”, the company says.

Handy for, say, CIA agents who feel a hankering for a lunch of peanuts and Pepsi.

Here’s how it works, and here’s how a bunch of contractors working for the US Central Intelligence Agency (CIA) got themselves some free goodies… And got caught red-handed… And got fired.

The story was initially reported by BuzzFeed reporters who filed a Freedom of Information Act lawsuit in 2015. That enabled them to get their hands on a report from the Office of Inspector General (OIG) Investigations Staff.

According to that report, a FreedomPay network cable hooked the CIA’s vending machines to the CIA’s Agency Internet Network. From there, the machines could communicate with the FreedomPay controlling server.

The way it’s supposed to work is that you’d slide a funded FreedomPay card to buy your stuff. No pesky coins that somebody might stick a piece of chewed gum to and fish right back out; no masking tape stuck to the back of a bill that could then be dragged out. So smart! So cashless!

Safe, too, right? FreedomPay says it uses “PCI Validated P2PE and tokenization” to fill the security gaps left exposed from credit card transactions, “protecting data in transit and at rest in the merchant’s environment”.

Sounds good. But what happens, you well might ask, if somebody simply reaches down and yanks on that cable?

…as did the contractors, who then used an unfunded FreedomPay card to steal their candy?

So IoT!

According to the declassified report, the thefts started in the autumn of 2012, but the pilfering accelerated and continued through March 2013. That’s when the CIA reported the thefts and the OIG launched an investigation.

The OIG advised the CIA to install surveillance cameras near the most theft-plagued vending machines. (The irony of advising the CIA on how to conduct surveillance is duly noted.) Multiple perps were captured on video, all of them “readily identifiable as Agency contract personnel”.

They admitted their misdeeds, handed in their badges, were marched to the exit, and were subsequently fired by their contractor companies. The loss of vending machine sales is estimated to have been $3,314.40.

The OIG referred the matter to the US Attorney’s office for the Eastern District of Virginia for prosecution, but the Department of Justice decided not to press charges.

One has to wonder about the tendency to overlook what should be obvious security mishaps with IoT gadgets, as in, all the Internet of Things stuff.

…As in, the urge to internet-enable everything under the sun without properly securing said things, thereby introducing risks to gadgets that range from the absurd – internet-enabled kettles? Really? – to the life-threatening, in the case of medical devices.

We can’t lay the blame for the security glitch on FreedomPay. That would be like blaming the IoT kettle for running out of water and burning down the house, right?

And it’s not like the CIA needs our help with security or surveillance, I’m sure, Operation Sticky Fingers notwithstanding. But for the rest of us who have to deal with IoT devices and their oft-shaky security, this story is a good reminder to be aware that gadgets that rely on internet connectivity to ensure security can be pwned when you snip that connectivity.
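The failure mode in this story, sketched as an added example (not code from the OIG report or from FreedomPay): a hypothetical terminal whose policy decides what happens to a purchase when the balance server cannot be reached. Every class name, card ID and balance here is constructed for illustration.

```python
from dataclasses import dataclass, field
from enum import Enum


class Policy(Enum):
    FAIL_OPEN = "approve when the server cannot be reached"
    FAIL_CLOSED = "deny when the server cannot be reached"


class ServerUnreachable(Exception):
    """Raised when the terminal has no path to the balance server."""


@dataclass
class BalanceServer:
    """Stand-in for the remote controlling server; balances are in cents."""
    balances: dict
    link_up: bool = True  # False models the unplugged network cable

    def debit(self, card_id, cents):
        if not self.link_up:
            raise ServerUnreachable("no route to balance server")
        if self.balances.get(card_id, 0) < cents:
            return False  # unfunded card: declined by the server
        self.balances[card_id] -= cents
        return True


@dataclass
class Terminal:
    server: BalanceServer
    policy: Policy
    audit: list = field(default_factory=list)

    def vend(self, card_id, cents):
        try:
            approved = self.server.debit(card_id, cents)
            reason = "server decision"
        except ServerUnreachable:
            # The design choice that matters: what to do without an answer.
            approved = self.policy is Policy.FAIL_OPEN
            reason = "offline, " + self.policy.name
        self.audit.append((card_id, cents, approved, reason))
        return approved


def offline_approvals(audit):
    """Sales approved without a server decision: the entries worth alerting on."""
    return [e for e in audit if e[2] and e[3].startswith("offline")]
```

With the link down, the fail-open terminal vends to a card with a zero balance, while the fail-closed one refuses every sale until the server answers again; the audit trail is what lets an operator spot offline approvals after the fact.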

Need more help with securing the IoT? Of course you do – we all do!

Here are some security tips, dispensed free of charge, no masking tape required!