I have been reading about the new medical marijuana vending machines in Los Angeles that are meant to go live today.
The security discussion has been amazingly sparse. So here is a quick review of what I have noted:
- Anytime Vending Machines (AVM) have been deployed to meet a requirement for 24/7 secure and automated dispensaries of medical marijuana
- AVM locations will approve a prescription, take your fingerprint, and provide a prepaid credit card loaded with dosage (3.5 or 7 grams, with a max of 1oz a week) and one of five strain options
Watching the video by a CBS station revealed many of the physical security measures, but it also shows a cord running across the floor from the vending machine (look at the bottom left of the machine). That made me wonder about data transmission from this thing. Where is it going to/from and how often? Does it fail to vend if it cannot connect to a database, and then what integrity controls are in place…?
That would be a more interesting attack vector than the usual tubular lock weakness. The fact that a human guard is said to be deployed at all times with the vending machine makes me think there is implicit recognition of weakness. I also wonder about the paper trail and whether video is integrated into the box.
The pin pad sure looks exposed, doesn’t it? Must be hard to hide your key-code when it’s set up in such a big spread open to plain view. Maybe only one person can be in the room at a time with the machine.
And finally, I have to say this is definitely “high” security. Sorry, couldn’t resist.