Are Ammo Vending Machines a Hacker's Dream?

AP Photo/Rich Pedroncelli, File

Over the weekend we highlighted some relatively new additions to several grocery stores in Alabama and Oklahoma; self-service vending machines that will dispense boxes of ammunition to customers. 

While the machines offer customers convenience, however, it could come at a cost to your personal information and privacy. Just like with any other device that's online, the vending machines could be susceptible to a cyberattack by hackers

This convenience comes at potential expense of security, so American Rounds built in AI systems to make sure only people who can legally buy ammo can use the machines. Measures include card scanning and facial recognition software so the smart boxes can "meticulously verify the identity and age of each buyer" before spitting out a box of .45 caliber rounds.

That digital system is exactly what has cybersecurity expert Andrew Whaley worried. Whaley, a senior technical director at security software vendor Pronom, told the news site Business Insider that the idea that hackers would try to attack the AARM machines was a simple truth. It's just a broader "attack surface" for cybercriminals to aim at, just like any new digital service that retailers have embraced, Whaley said. 

Whaley says hackers could exploit bugs in the software to allow them to "theoretically deny legitimate transactions or, more dangerously, permit illegal ones"; exploiting any bugs in the software to bypass the AARM's facial recognition software, for instance. 

A famous example of this sort of error from early days of hacking is "phone phreaking," where hackers figured out how to reverse-engineer systems built into the phone network to get themselves free calls--only in the case of AARM this would translate to free bullets.

The thing to remember is that no digital security system is 100 percent perfect, and that cybersecurity is an ongoing journey, not a fixed destination: American Rounds will have to meticulously update security measures for the AARM machines to keep them protected from new cyber threats as they arise, and those threats pop up on a daily or even hourly basis, particularly in an era when we know groups of AIs can find and exploit digital security flaws faster than people.

The machines are only operational in a half-dozen locations at the moment, but American Rounds is hard at work expanding its footprint, so their Automated Ammo Retail Machine could soon be coming to a store near you. I confess that I'm not particularly concerned about criminals in Pell City, Alabama or Noble, Oklahoma hacking into the vending machines just so they can score some free ammo. That seems like an awful lot of work for something that can be purchased at any number of retailers, and without a background check (at least in California and New York). Anything's possible, of course, but it doesn't seem likely to me that hackers are going to hijack the machines in order to get what's inside when ammo is so readily available elsewhere. 

No, my main concern is the data collected by the vending machines that hackers could steal. In order to purchase ammunition from one of American Rounds' machines, you have to show your ID as well as your face so that your identity can be confirmed. It seems to me that hackers would be much more interested in the information on your driver's license than manipulating the machines to dispense ammo when it shouldn't. 

Of course, the same could be said for virtually any object that's connected to the Internet. Cyberattacks have become a ubiquitous feature of 21st-century life, right alongside identity theft. One hacker just released more than 10 billion passwords of users of various sites, and as Quartz reports, cyberattacks increased 70% between 2022 and 2023. 

In this case, however, hackers able to access customer information would also be able to compile a list of potential gun owners in the area. I doubt anyone's going to be hacking into the ammo vending machine to get a five-fingered discount on a box of 9mm, but the names and addresses of ammo buyers might very well prove valuable enough that hackers would see these machines as targets of interest. 

There's no real way to guarantee the safety and security of your personal information online, unfortunately. From private hospitals to the federal government, data breaches are endemic these days. These ammo vending machines might not be more susceptible to an intrusion by hackers, but like every other Internet-connected device, there's still a risk. 

As I said in our previous coverage of the ammunition vending machines, I actually like talking to the guys at my local gun shop, and I don't have any desire to replace that experience with a self-service vending machine that offers no human interaction whatsoever. Honestly, it's not the potential for hacking that would stop me from using these machines if one ever comes to Farmville, Virginia. It's the damage that the machine could do to local FFLs that would keep me away.