Jukebox Hero: Testing the TouchTunes Digital Jukebox

Presented at ToorCon San Diego 18 (2016), Oct. 15, 2016, 2 p.m. (50 minutes)

TouchTunes digital jukeboxes are installed in over 75,000 bars, restaurants, and social venues across North America and Europe. Various jukebox models exist and support cash, charge-card, and mobile-app payment. The talk will detail research into one jukebox model which required obtaining and analyzing decryption key storage hardware, reverse engineering drive decryption software, and decrypting and analyzing the protected operating system to identify vulnerabilities in network and OS configuration. Identified vulnerabilities expose secured upstream communications, allow for full shell access and control of potentially every active jukebox, and may permit an attacker to impersonate jukeboxes.


  • Matthew Braun
    Matthew Braun is currently a senior security consultant at NCC group. He graduated with a bachelors in Applied Science from Washington University in St. Louis and a masters in Computer Science from the University of Chicago. His background includes systems administration, financial modeling, commercial real estate finance and development, and application and network security. In his spare time he cooks, sails, and is rebuilding a 1980 Suzuki GS550 motorcycle.


Similar Presentations: