Redbox is dead, but the old movie rental service is leaving customers a last Christmas present in the form of lasting privacy implications. If you’ve ever opted to rent a movie through a Redbox kiosk, your private info is out there waiting for any tinkerer to get their hands on it. One programmer who reverse-engineered a kiosk’s hard drive proved the Redbox machines can cough up transaction histories featuring customers’ names, emails, and rentals going back nearly a decade. A kiosk may even have part of your credit card number stored on-device.
Redbox’s owners, Chicken Soup for the Soul, declared bankruptcy in July. Since then, the now-defunct kiosks have become collectors’ items for anybody who wants a piece of physical media history. This past week, one of those tinkering with the old kiosks, a California-based programmer named Foone Turing, managed to grab an unencrypted file from a kiosk’s internal hard drive that showed the emails, home addresses, and rental history of either a fraction or the whole of those who previously used the kiosk.
If you ever decided to rent Demolition Man 10 times in a row, somebody out there with enough know-how might know it. On Mastodon, Foone said the records stored on the hard drive image she accessed go back to “at least 2015,” with a total of 2,471 transactions. Foone said she doesn’t even have a machine on hand but accessed the software after it was uploaded to the internet. It appears the original machine was based in Morganton, North Carolina, as the programmer claimed she managed to find an individual who rented The Giver and The Maze Runner nine years ago based on his name and zip code.
Gizmodo reached out to the programmer to see if she was using a physical drive or if she found the hard drive data online. Turing told Lowpass that the Redbox kiosks stored some financial information on those drives, including the first six and last four digits of each credit card used and “some lower-level transaction details.” The devices did apparently connect to a secure payment system through Redbox’s servers, but they stored other details “it really shouldn’t,” the reverse engineering aficionado told reporters.
The machines were apparently running on Windows 7, an OS that’s been officially defunct since 2020. While you can access and reverse engineer the software, those machines won’t do much other than fail to connect to a now-dead server. It’s currently unclear if every Redbox stored the same information, or if this data stored on the kiosk was every single transaction the machine handled.
Turing said she only found 2,500 transactions on the machine, which seems low considering how long the machine was apparently operational. It’s possible it only stored user info when it was unable to connect to the Redbox server, for whatever reason. However, that customer count isn’t too far off when you consider the population of Morganton, North Carolina is only around 17,500 people.
Turing heavily criticized Redbox’s code as “enterprise as fuck.” She told Ars Technica the data was in an old database format, but “anyone with basic hacking skills could easily pull data manually out of the files with a hex editor.” Simply put, anybody with access to a machine and enough time on their hands could pull this info off a Redbox kiosk hard drive.
One useful thing about the machines is that they can run Doom just fine since they’re all on Windows 7. Each hard drive has a database that lists the location of every previous Redbox machine, according to the programmer.
“This is the kind of code you get when you hire 20 new grads who technically know C# but none of them has written any software before,” she wrote.
The worst part is these kiosks are all up for grabs, and Chicken Soup for the Soul isn’t making any real effort to collect or wipe its 24,000 machines found in front of drug stores and 7-Elevens throughout the U.S. People are simply asking their local store owners if they can take away the old Redbox machines, and some shops are letting them, according to a report this month from The Wall Street Journal.