Nespresso smart cards can be exploited for unlimited coffee



Let us imagine that your Nespresso smart card had no limit to how much coffee you can buy with it. A little too convenient, isn’t it? Except a security researcher, Polle Vanhoof, explains a vulnerability that actually makes this possible.

 

 

The problem lies with the Nespresso Pro machines, which are equipped with a smart card reader and whose smart cards still rely on the MIFARE Classic chip.

 

This is not exactly something that a company should overlook, considering that, in 2008, security researchers reverse-engineered the chips, were able to clone the chip and manipulate its data, and published their findings.

 


Nespresso smart card (Image source: Polle Vanhoof)

 

After this publication, the MIFARE Classic series was deemed unsafe and the chip's manufacturer introduced a safer alternative, MIFARE Plus, which relies on more robust encryption (AES-128).

 

Using an NFC card reader, the nfc-mfclassic command, and mfoc (a tool that cracks the encryption of MIFARE Classic chips), Vanhoof was able to access, view, and make changes to the card's binary data.

 

By making a purchase with the card, Vanhoof identified which bytes change, since the value of the card was stored on the card itself and not on a third-party server.

When the binary dumps were compared after the purchase, Vanhoof noted that the card used three bytes to represent the total value.

 

“Therefore, the maximum possible amount of money in one of these cards is 167,772.15 euros,” explained the researcher.

 

One would simply have to use a hex editor to modify the file and write it back to the card. The machine then detects that the aforementioned balance is present and allows the user to buy coffee. If one coffee is worth one euro, that equates to 167,772 coffees, which is one coffee a day for 459 years.

 


Image source: Polle Vanhoof

 

Vanhoof, in his post, advised Nespresso to upgrade its smart cards and more importantly, to store monetary value on a remote server rather than on the smart card itself. “After talking to Nespresso, it seems they already offer both of these options,” he said.

 

 

Source: Nespresso smart cards can be exploited for unlimited coffee
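
The server-side design Vanhoof recommends, sketched as an added example (not code from Vanhoof's post or from Nespresso): the card's three-byte value field is treated only as a tamper signal, while a ledger keyed by card UID decides the purchase. The `Ledger` class, the big-endian byte order and the sample UID are assumptions made for illustration.

```python
# Added example, not from the original post. The card is treated as an
# identifier only; the authoritative balance lives in a server-side ledger.

MAX_ON_CARD_CENTS = 2**24 - 1  # three bytes -> 16,777,215 cents = 167,772.15 EUR


def decode_balance(field: bytes) -> int:
    """Decode the 3-byte on-card value as cents (big-endian is an assumption)."""
    if len(field) != 3:
        raise ValueError("balance field must be exactly 3 bytes")
    return int.from_bytes(field, "big")


class Ledger:
    """Hypothetical server-side ledger keyed by card UID."""

    def __init__(self, balances):
        self.balances = dict(balances)  # uid -> cents, the source of truth
        self.alerts = []                # (uid, reason) tuples for review

    def purchase(self, uid, card_field, price_cents):
        """Approve or decline using the ledger only; the card value is a signal."""
        actual = self.balances.get(uid)
        if actual is None:
            self.alerts.append((uid, "unknown card"))
            return False
        claimed = decode_balance(card_field)
        if claimed != actual:
            # The card disagrees with the ledger: edited or cloned card data.
            self.alerts.append((uid, f"card claims {claimed}, ledger has {actual}"))
        if actual < price_cents:
            return False
        self.balances[uid] = actual - price_cents
        return True


if __name__ == "__main__":
    ledger = Ledger({"04A1B2C3": 500})  # constructed UID, 5.00 EUR on record
    honest = (500).to_bytes(3, "big")
    print(ledger.purchase("04A1B2C3", honest, 100))          # normal purchase
    print(ledger.purchase("04A1B2C3", b"\xff\xff\xff", 100))  # card claims the maximum
    print(ledger.balances, ledger.alerts)
```

Because the ledger alone decides, a card whose value field has been rewritten gains nothing, and the mismatch itself becomes a detection event.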
