
I recently took a look at the Hi! vending payment system, which is being positioned as a successor to MiZiP. Together with someone from my community, I analyzed how the system works and whether it actually improves on the security issues seen in older setups.
Short answer: it improves some aspects, but still has fundamental weaknesses.
During the analysis, I focused on real transaction data and how payments are handled between the key and the vending machine. One interesting finding:
👉 Replay attacks still appear to be possible
Even though the system uses encrypted payment records, encryption alone is not enough. If there are no proper mechanisms like nonces, counters, or challenge-response protocols, previously captured valid transactions may be reusable.
In the video, I cover:
• how the Hi! system works on a technical level
• differences in MIFARE variants and security levels
• analysis of transaction dumps during real payments
• why encryption alone doesn’t guarantee security
• how a replay attack vector can emerge
• potential design improvements to mitigate these issues
A key takeaway from this research is something many of you probably already know:
Security is not just about crypto, it’s about how it’s implemented across the entire system.
These vending ecosystems usually involve multiple components: keys, readers, machines, backend systems. That complexity often introduces unexpected attack surfaces.
I’ve also reached out to the manufacturer with my findings. Still waiting for their response.
Video (German, but with English and French subtitles): https://youtu.be/hZqq-nUNU5M
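The point above about nonces and counters, as an added example that is not part of the original post and does not reproduce the Hi! record format: two reader-side acceptance checks over the same cryptographically valid records, one with no freshness check and one that requires an authenticated counter to advance. The record layout, field names, key and UID are all constructed assumptions, and an HMAC tag stands in for the system's encryption, since the point is that cryptographic validity does not imply freshness.

```python
import hmac, hashlib, struct

KEY = b"constructed-demo-key"  # constructed sample secret, not a real system key

def make_record(uid: bytes, counter: int, balance_cents: int, key: bytes = KEY) -> bytes:
    """Hypothetical layout: uid(4) | counter(4) | balance(4) | HMAC-SHA256 tag(32)."""
    body = uid + struct.pack(">II", counter, balance_cents)
    return body + hmac.new(key, body, hashlib.sha256).digest()

def parse_and_authenticate(record: bytes, key: bytes = KEY):
    """Return (uid, counter, balance) if the tag verifies, else None."""
    if len(record) != 44:
        return None
    body, tag = record[:12], record[12:]
    if not hmac.compare_digest(tag, hmac.new(key, body, hashlib.sha256).digest()):
        return None
    counter, balance = struct.unpack(">II", body[4:])
    return body[:4], counter, balance

class CryptoOnlyReader:
    """Accepts any record that authenticates: it has no notion of freshness."""
    def accept(self, record: bytes) -> bool:
        return parse_and_authenticate(record) is not None

class CounterCheckingReader:
    """Also requires the authenticated counter to advance for each key UID."""
    def __init__(self):
        self.last_seen = {}  # uid -> highest counter accepted so far
    def accept(self, record: bytes) -> bool:
        parsed = parse_and_authenticate(record)
        if parsed is None:
            return False
        uid, counter, _ = parsed
        if counter <= self.last_seen.get(uid, -1):
            return False  # stale or repeated state: treat as a replay
        self.last_seen[uid] = counter
        return True

def demo():
    uid = b"\x01\x02\x03\x04"        # constructed sample UID
    old = make_record(uid, 7, 1000)  # earlier valid state
    new = make_record(uid, 8, 850)   # state after a purchase
    weak, strict = CryptoOnlyReader(), CounterCheckingReader()
    seq = (old, new, old)            # the old record is presented again at the end
    return [weak.accept(r) for r in seq], [strict.accept(r) for r in seq]

if __name__ == "__main__":
    print(demo())
```

The counter check only helps if the last-seen value is stored somewhere the key holder cannot rewrite, such as the reader or a backend.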