A security researcher figured out a way to hack older Nespresso coffee machine smart cards in order to obtain virtually unlimited free drinks.
The hack, developed by Belgian security researcher Polle Vanhoof, offers a mechanism to meddle with commercial Nespresso coffee machines by dumping and modifying their custom stored-value cards.
The process of cracking the keys and dumping the contents of these prepaid cards is possible because of the inherent security shortcomings of the Mifare Classic smart card technology that comes paired with some Nespresso coffee machines.
Shot in the dark
These security shortcomings (PDF) have been understood since at least 2008, even though they’ve never previously been applied in this particular way.
Mifare Classic smart cards have long been replaced by more secure Mifare Plus cards.
Because of the inherent security weakness of Mifare Classic, however, it is possible to read and write arbitrary data to these cards after cracking any non-default keys.
RECOMMENDED CacheFlow: Malware hidden in popular browser extensions went undetected for years
This problem is compounded in the particular case of Nespresso because the coffee-maker uses these cards to store the loaded monetary value directly.
As a result, a hacker can overwrite the stored value and set the loaded currency to an arbitrary figure, as explained in Vanhoof’s technical write-up.
Remote caffeine execution
A more robust system would have the cards store only a unique identifier and have the Nespresso machines check what monetary value is associated with that value through a backend server.
This approach would only work if every Nespresso machine that accepted smart cards had a network connection.
Read more of the latest security research from around the world
It would also require the coffee machine vendor to provision a backend server to handle these lookups.
Nespresso told Vanhoof that it already offered this facility, as well as the option for customers to upgrade to more secure hardware tokens.
Vanhoof reported his findings to Nespresso back in September before a lengthy disclosure process that finally permitted him to go public with his findings earlier this week.
The Daily Swig asked Nespresso to comment on Vanhoof’s research. No word as yet, but we’ll update this story as and when more information comes to hand.
READ MORE Vulnerabilities in open source streaming platforms could lead to RCE