
CIA contractors fired for stealing from hacked IoT snack machines

Some things really, really shouldn't be turned into IoT devices - including vending machines

FreedomPay: it’s the kind of vending machine technology that makes paying for snacks “faster, simpler, safer, and smarter”, the company says.

Handy for, say, CIA agents who feel a hankering for a lunch of peanuts and Pepsi.

Here’s how it works, and here’s how a bunch of contractors working for the US Central Intelligence Agency (CIA) got themselves some free goodies… And got caught red-handed… And got fired.

The story was initially reported by BuzzFeed reporters who filed a Freedom of Information Act lawsuit in 2015. That enabled them to get their hands on a report from the Office of Inspector General (OIG) Investigations Staff.

According to that report, a FreedomPay network cable hooked the CIA’s vending machines to the CIA’s Agency Internet Network. From there, the machines could communicate with the FreedomPay controlling server.

The way it’s supposed to work is that you’d slide a funded FreedomPay card to buy your stuff. No pesky coins that somebody might stick a piece of chewed gum to and fish right back out; no masking tape stuck to the back of a bill that could then be dragged out. So smart! So cashless!

Safe, too, right? FreedomPay says it uses “PCI Validated P2PE and tokenization” to fill the security gaps left exposed from credit card transactions, “protecting data in transit and at rest in the merchant’s environment”.

Sounds good. But what happens, you well might ask, if somebody simply reaches down and yanks on that cable?

…as did the contractors, who then used an unfunded FreedomPay card to steal their candy?

So IoT!

According to the declassified report, the thefts started in the autumn of 2012, but the pilfering accelerated and continued through March 2013. That’s when the CIA reported the thefts and the OIG launched an investigation.

The OIG advised the CIA to install surveillance cameras near the most theft-plagued vending machines. (The irony of advising the CIA on how to conduct surveillance is duly noted.) Multiple perps were captured on video, all of them “readily identifiable as Agency contract personnel”.

They admitted their misdeeds, handed in their badges, were marched to the exit, and subsequently fired by their contractor companies. The loss of vending machine sales is estimated to have been $3,314.40.

The OIG referred the matter to the US Attorney’s office for Eastern District of Virginia for prosecution, but the Department of Justice decided not to press charges.

One has to wonder about the tendency to overlook what should be obvious security mishaps with IoT gadgets, as in, all the Internet of Things stuff.

…As in, the urge to internet-enable everything under the sun without properly securing said things, thereby introducing risks to gadgets that range from the absurd – internet-enabled kettles? Really? – to the life-threatening, in the case of medical devices.

We can’t lay the blame for the security glitch on FreedomPay. That would be like blaming the IoT kettle for running out of water and burning down the house, right?

And it’s not like the CIA needs our help with security or surveillance, I’m sure, Operation Sticky Fingers notwithstanding. But for the rest of us who have to deal with IoT devices and their oft-shaky security, this story is a good reminder to be aware that gadgets that rely on internet connectivity to ensure security can be pwned when you snip that connectivity.
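The failure mode described above, in the abstract: a terminal that treats an unanswered authorization as approval fails open the moment the cable is pulled. The following is an added model, not FreedomPay's code or protocol; the `Backend` class, the terminal and card ids, and the 300-second silence threshold are all constructed for illustration, and the fail-closed variant plus the server-side offline check show the two defences the story points at.

```python
from dataclasses import dataclass


@dataclass
class Backend:
    """Stand-in for a payment controlling server (constructed, not the real protocol)."""
    balances: dict          # card id -> prepaid balance in cents
    last_contact: dict      # terminal id -> time of last successful contact (seconds)
    reachable: bool = True  # False models the yanked network cable

    def authorize(self, terminal, card, amount, now):
        """Approve the sale only if the card is funded; raise when the terminal is offline."""
        if not self.reachable:
            raise ConnectionError("no route to payment server")
        self.last_contact[terminal] = now
        if self.balances.get(card, 0) >= amount:
            self.balances[card] -= amount
            return True
        return False


def vend_fail_open(backend, terminal, card, amount, now):
    """Weak design: an unanswered authorization is treated as approved,
    so an unfunded card dispenses goods as soon as the machine is offline."""
    try:
        return backend.authorize(terminal, card, amount, now)
    except ConnectionError:
        return True


def vend_fail_closed(backend, terminal, card, amount, now):
    """Hardened design: no answer from the server means no sale."""
    try:
        return backend.authorize(terminal, card, amount, now)
    except ConnectionError:
        return False


def offline_terminals(backend, now, max_silence=300):
    """Server-side detection: terminals silent for longer than max_silence seconds
    are flagged for an operator instead of being assumed healthy."""
    return sorted(t for t, seen in backend.last_contact.items()
                  if now - seen > max_silence)
```

Run both `vend_*` functions against the same `Backend` with `reachable = False` to see the only difference that matters: the fail-open variant vends on an empty card, the fail-closed one refuses, and `offline_terminals` is what would have told the operator the machine had gone dark months earlier.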

Need more help with securing the IoT? Of course you do – we all do!

Here are some security tips, dispensed free of charge, no masking tape required!


I’m not at all surprised CIA agents were able to break in. But, it bothers me that they kept doing it. They should have reported it up the chain.

And, I don’t know about you, but I seem to have waited an awfully long time for an article on a moderately secure IoT device. Has there EVER been one?


That’s actually a good question – I’ll see if I can get one of our writers to try and answer it in a piece!


Maybe Sophos should offer a blue ribbon or something to the first IoT device designed with security in mind. :)


Jim, please take note that the sweets-swipers were NOT CIA agents, but contracted employees.

I would certainly like to know what factored into the decision not to prosecute the thieves. Sounds like the classic slam-dunk case to me.


True, but it seems to me that even contractors should think properly on this front. This is America, and I would hope that even our spies would hold to a higher standard when not specifically targeting something or someone (as part of an operation).


Well, they had badges, unless handing them in was just metaphorically speaking.


I presume the line about turning in their badges referred to employee badges at the company they worked for that was under contract with the CIA.


I figured they were the badges they needed to show in order to get on site.

In other words they were locked out of the premises.


That might be. It’s just that when I hear “handed in their badges” I think of officers/agents of some kind. I mean, I had “badges” at some places I’ve worked, but they were just ID, not really badge badges. But maybe it’s just me; I am not a native speaker, so maybe “handed in their badges” is used in a broader context than I think.


So just what would it take to install a webcam in those IoT vending machines to photograph the customer, in an airport say, or other places to run through their facial recognition software?
I guess Privacy really is a thing of the past.


If you cannot trust contractors not to steal sweets, then you cannot trust them to work at the CIA. The element of trust within any organisation that deals with sensitive information must be paramount.


And yet this is exactly who we are asked to trust every time someone claims that if you have nothing to hide you have nothing to fear.


I’m uncertain if the LAN cable was yanked repeatedly (per transaction then reconnected) or once, and the machine was left offline for months–but either way the bad implementation should’ve been caught in beta. It should’ve phoned home for inventory control, retained purchase card serial numbers and transaction records, been reported as offline (“though we’ve refilled it since the last contact”). Maybe FreedomPay should’ve called themselves Foresight Design.

At least the designers of SMTP couldn’t possibly foresee one day the existence of email accounts in the billions, and the lack of email auth is understandable (annoying but understandable).

I realize every single case of cyber theft can be very generally summarized with the phrase “wasted talents,” but this is a bit too amusing. It’s enough to give me the Snickers.


This highlights a problem with the machine. If it loses connection then it should have shut down and gone out of order. The central server should also have flagged a problem the instant it lost connection with the IoT device.


The fact that the article is just a commercial for “Freedom Pay” is kind of lost on people. Bryan is the one who brings up excellent points. Yet if you think about it, security companies are catching up to the notion that you should just do “black box” penetration testing with a bunch of hackers and let them go at your network. The problem here is obvious: when you write a piece focusing on the CIA contractors instead of the flaw in the system caused by a lack of beta testing, it takes the focus off the fact that this product was being driven by marketing and no one was listening to the developers.

