Nespresso smart cards hacked to provide infinite coffee after someone wasn't too perky about security
2021-02-04 06:40

Some commercial Nespresso machines in Europe that incorporate a smart card payment system can be manipulated to add unlimited funds to purchase coffee, thanks to reliance on technology that's been known to be insecure for more than a decade.

In a coordinated vulnerability disclosure published this week, security researcher Polle Vanhoof describes a vulnerability affecting unspecified Nespresso Pro machines equipped with a smart card reader: some of them rely on outdated Mifare Classic smart cards.

As Vanhoof explains, Mifare Classic smart cards have not been a particularly smart choice since 2008, when security researchers from Radboud University Nijmegen reverse engineered the chip on the cards and published their findings.

Some of Nespresso's coffee cards have nonetheless been based on the insecure Mifare Classic technology.

Vanhoof, in his post, advised Nespresso to upgrade its smart cards and to store monetary value on a remote server rather than on the smart card itself.

We asked Nespresso to clarify which of its machines might still rely on Mifare Classic cards, but we've not heard back.


News URL

https://go.theregister.com/feed/www.theregister.com/2021/02/04/nespresso_cards_hacked/