Redbox's dead boxes

Redbox easily reverse-engineered to reveal customers’ names, zip codes, rentals

The bankrupt company may not see any consequences.

Scharon Harding
Credit: Getty

Since Redbox went bankrupt, many have wondered what will happen to those red kiosks and DVDs. Another question worth examining is: What will happen to all the data stored inside the Redboxes?

Redbox parent company Chicken Soup for the Soul filed for Chapter 7 bankruptcy in June and is in the process of liquidating its assets. Meanwhile, stores with Redboxes are eager to remove the obsolete hardware. And tinkerers have reported getting their hands on Redbox kiosks and doing all sorts of things with them, including running Doom.

But Redboxes falling into technologists' hands can seemingly also result in the uncovering of customer data from kiosks' hard drives. As spotted by Lowpass today, programmer and expert reverse-engineer Foone Turing reported via Mastodon that she was able to retrieve records for 2,471 transactions from the disk image of a Redbox hard drive. Turing told Ars Technica that she got the image from a Discord channel:

[The Redbox] logged lots of information, including debugging information from the transaction terminal, and they left old records on the device. This probably saved them some time on QAing software bugs, but it exposed all their users to data being leaked.

Data went back "to at least 2015," Turing said on Mastodon. She told Lowpass the data included "records for when stuff is rented," including customers' email addresses and zip codes, as well as names of rented discs and when they were rented. Turing was also able to retrieve some numbers of customer credit cards.

“The device talks to a secure payment transaction device (so there's no logs of full credit info) but it logs a bunch of stuff that it really shouldn't: We've got the first 6 and last 4 [digits] of each credit card used, plus some lower level transaction details,” Turing told Lowpass.


The information available was enough for Turing to determine the name of a person who rented The Giver and The Maze Runner in Morganton, North Carolina, on May 23, 2015, at 6:43 p.m., she claimed (Ars is unable to verify the accuracy of this claim).

Lowpass suggested that the Redboxes only stored data on local hard drives if there was an Internet outage so that rental transactions could continue taking place. That would mean that data for only a very small portion of Redbox transactions was likely stored locally.

Customer data wasn’t hard to retrieve

Turing told Ars that finding customer data wasn't hard or time-consuming and that she was able to crack the hard drive image with common free tools:

The device has a lot of logs, and customer data was scattered throughout several of them—usually fragmentary, but it's not too hard to cross-reference them with other logs. It's not super straightforward to directly access the data. Most of it is held in an old database format that's not easy to manipulate, but anyone with basic hacking skills could easily pull data manually out of the files with a hex editor. ... With access to the whole hard drive, it's easy to search for things like email addresses and credit card numbers.

Turing noted that a Redbox storing customer data locally is inherently difficult to secure.

"The root issue is that this is a machine that has to boot by itself, with no chance for a human to enter a decryption password or something. That means that the machine has to be able to decrypt itself," she said.
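Turing's points above (customer identifiers written into debugging logs, old records never purged, and a kiosk that must decrypt itself at boot) translate into a control the kiosk software could apply before anything reaches disk: redact identifiers at write time and enforce a retention window. The Python below is an added illustration, not Redbox's code; the log format, field names and sample lines are constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in an assumed kiosk debug-log format
# (not real Redbox data and not the kiosk's actual format).
SAMPLE_LOG = [
    "2015-05-23 18:43:10 TXN rent title='The Giver' email=jane.doe@example.com zip=12345",
    "2015-05-23 18:43:11 PAY terminal ok pan=411111******1111 auth=ABC123",
    "2024-10-01 09:00:00 INFO dispenser door closed",
]

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# first-6 / last-4 card fragment, the shape a payment terminal may echo back
PAN_FRAG_RE = re.compile(r"\b\d{6}\*{4,9}\d{4}\b")
ZIP_RE = re.compile(r"(?<=\bzip=)\d{5}(?:-\d{4})?\b")


def redact(line: str) -> str:
    """Mask customer identifiers before the line is ever written to disk."""
    line = EMAIL_RE.sub("[email]", line)
    line = PAN_FRAG_RE.sub("[pan]", line)
    line = ZIP_RE.sub("[zip]", line)
    return line


def log_timestamp(line: str) -> datetime:
    return datetime.strptime(line[:19], "%Y-%m-%d %H:%M:%S")


def prune(lines, now: datetime, max_age_days: int):
    """Drop records older than the retention window so they never pile up."""
    cutoff = now - timedelta(days=max_age_days)
    return [line for line in lines if log_timestamp(line) >= cutoff]


def sanitized_log(lines, now_str: str, max_age_days: int = 7):
    """Retention first, then redaction: what survives holds no identifiers."""
    now = datetime.strptime(now_str, "%Y-%m-%d %H:%M:%S")
    return [redact(line) for line in prune(lines, now, max_age_days)]


if __name__ == "__main__":
    for line in sanitized_log(SAMPLE_LOG, "2024-10-02 00:00:00"):
        print(line)
```

Redaction still leaves the operational content (disc title, terminal status, auth reference) that QA would need, which is the data-minimization trade the article's sources describe.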

Worse, it seems that industry experts were aware that improper removal of Redboxes could expose customer data. As Lowpass pointed out, an August 28 court filing [PDF] by Automated Kiosk Advisors LLC emphasized the legal and financial pitfalls it believed could follow from "failure to properly remove and destroy the internal data storage and payment information" in Redboxes. The filing noted that Redbox "hard drives must be securely and properly reformatted as these may contain sensitive personal identifying information ... including, but not limited to, private customer information including credit/debit card data, email addresses, zip codes, customer names, and associated movie rental history."

Thousands of Redboxes getting dumped

It's worth noting that the amount of data expected to be stored on any one Redbox is small relative to Redbox's overall business. Since Redbox once rented out millions of DVDs weekly, the records retrieved represent only a small portion of its transactions and, likely, only a small portion of those conducted on that specific kiosk. That might not be much comfort to those whose data is left vulnerable, though.

The problem is more alarming when considering how many Redboxes are still out in the wild with uncertain futures. High demand for Redbox removals has resulted in all sorts of people, like Turing, gaining access to kiosk hardware and/or data. For example, The Wall Street Journal reported last week about a "former Redbox employee who convinced a 7-Eleven franchisee" to give him a Redbox, a 19-year-old who persuaded a contractor hauling a kiosk away from a drugstore to give it to him instead, as well as a Redbox landing in an Illinois dumpster.

Consumer privacy concerns

Chicken Soup's actions may violate consumer privacy regulations, including the Video Privacy Protection Act outlawing "wrongful disclosure of video tape rental or sale records." However, Chicken Soup's bankruptcy (most of its assets are in a holding pattern, Lowpass reported) makes customer remediation more complicated and less likely.

Mario Trujillo, staff attorney for the Electronic Frontier Foundation, told Ars that this incident "highlights the importance of security research in uncovering flaws that can leave customers unprotected."

"While it may be hard to hold a bankrupt company accountable, uncovering the flaw is the first step," he added.

Turing, who reverse-engineers a lot of tech, said that the privacy problems she encountered with Redbox storage "isn't terribly uncommon."

Overall, the situation underscores the need for stricter controls around consumer data, whether it comes internally from companies or, as some would argue, through government regulation.

"This security flaw is a reminder that all companies should be obligated to minimize the amount of data they collect and retain in the first place," Trujillo said. "We need strong data privacy laws to do that."

Scharon Harding Senior Technology Reporter
Scharon is a Senior Technology Reporter at Ars Technica writing news, reviews, and analysis on consumer gadgets and services. She's been reporting on technology for over 10 years, with bylines at Tom’s Hardware, Channelnomics, and CRN UK.