Polle Vanhoof, a Belgian cybersecurity researcher, discovered a flaw in the older Nespresso prepaid coffee machine smart cards and exploited the vulnerability to acquire virtually limitless free drinks.
Vanhoof revealed the vulnerability in Nespresso coffee machine smart cards back in September 2020, and he openly lauded Nespresso's efforts in managing the issue. Now, with Nespresso's approval, he has published his article on the flaws in the payment system. Nespresso is unperturbed by the possibility that other coffee vendors could use this vulnerability to their advantage, because this hacking method can only be applied to the older payment cards that have a network connection.
Modus operandi of this hack
The Nespresso payment system operates on a 'stored-value wireless payment card', which is similar to, but different from, how a modern credit card works. Here, wireless means that the card uses Near Field Communication (NFC). NFC is used by credit cards, modern door security cards, and nearly every passport issued in the past decade.
When someone waves an NFC card close to an NFC reader, the card powers up from the electromagnetic emissions of the reader (which needs to be attached to a power supply). This works because the card's antenna, a metal coil, produces electricity as it moves through a magnetic field. The electrical energy left in the charged-up card is used for a short, wireless exchange of cryptographic data with the NFC reader. This means that NFC cards do not require a battery, so they can be tiny, flat, light, and cheap.
Vanhoof disclosed that older Nespresso cards operate on the Mifare Classic NFC chip, and that this chip does not have strong enough cryptography, which makes the cards vulnerable. NFC cards require a delicate balance of low power consumption and high cryptographic strength, and in the case of Mifare Classic this balance favors the attacker. Mifare Classic runs on a stripped-down 48-bit cipher called Crypto-1 instead of a well-acknowledged and publicly documented algorithm such as AES-128.