Free coffee! Belgian researcher hacks prepaid vending machines
2021-02-04 15:27

Simply put, Vanhoof took advantage of the fact that many older Nespresso setups rely on what's known as a stored-value wireless payment card, something that's similar to, but importantly different from, a modern credit card.

Wireless in this case means that the card uses NFC, short for Near Field Communication, the same underlying technology that's used by credit cards, many modern door security cards and almost all passports issued in the past 10 years.

Stored value, in the case of the Nespresso cards, means that any credit left in the account is saved on the card itself, so that the system works on coffee machines with no internet connection.

As Vanhoof explains in the paper, he figured out very easily that the stored value in the card, for Dutch coffee machines at least, was a 3-byte unsigned integer representing the coffee credit left in cents.

If you're a prepaid vendor of any product, don't use Mifare Classic cards.

Upgrade to newer cards, such as the Mifare Plus card, which can operate like a Classic card while using AES-128 internally.
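
The 3-byte credit field described above can hold far more than any legitimate top-up, so a terminal that works offline can at least refuse implausible balances. The sketch below is an added example, not code from the article or from Vanhoof's paper; the byte order and the `MAX_PLAUSIBLE_CENTS` policy limit are assumptions, and the sample fields are constructed.

```python
"""Terminal-side plausibility check for a 3-byte stored-value credit field."""

FIELD_LEN = 3                            # per the article: 3-byte unsigned integer, in cents
FIELD_MAX = (1 << (8 * FIELD_LEN)) - 1   # 16_777_215 cents, i.e. 167,772.15

# Assumptions (not stated in the article):
BYTE_ORDER = "big"                       # byte order of the field on the card
MAX_PLAUSIBLE_CENTS = 10_000             # hypothetical operator policy: 100.00 per card


class CreditFieldError(ValueError):
    """Raised when the raw field or the requested price is malformed."""


def decode_credit(raw: bytes) -> int:
    """Decode the credit field, rejecting anything that is not exactly 3 bytes."""
    if len(raw) != FIELD_LEN:
        raise CreditFieldError(f"expected {FIELD_LEN} bytes, got {len(raw)}")
    return int.from_bytes(raw, BYTE_ORDER)


def authorise_purchase(raw: bytes, price_cents: int):
    """Return (allowed, reason, field_to_write_back) for one purchase."""
    if price_cents <= 0:
        raise CreditFieldError("price must be a positive number of cents")
    credit = decode_credit(raw)
    if credit > MAX_PLAUSIBLE_CENTS:
        # Above any balance a legitimate top-up could produce: refuse and flag.
        return False, "implausible-balance", raw
    if credit < price_cents:
        return False, "insufficient-credit", raw
    return True, "ok", (credit - price_cents).to_bytes(FIELD_LEN, BYTE_ORDER)


if __name__ == "__main__":
    # Constructed sample fields: 10.00, 0.20 and the maximum the field can encode.
    for sample in (bytes.fromhex("0003e8"), bytes.fromhex("000014"), b"\xff\xff\xff"):
        print(sample.hex(), decode_credit(sample), authorise_purchase(sample, 50)[:2])
```

A cap like this only limits how much value a single card can present; it does not replace the move away from Mifare Classic recommended above.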


News URL

https://nakedsecurity.sophos.com/2021/02/04/free-coffee-dutch-researcher-hacks-prepaid-vending-machines/
