Pierluigi Paganini February 07, 2021

Some commercial Nespresso machines that are used in Europe could be hacked to add unlimited funds to purchase coffee.

Some Nespresso Pro machines in Europe could be hacked to add unlimited funds to purchase coffee. The attack is possible because the machines use a smart card payment system that leverages insecure technology, the MIFARE Classic smart cards.

The vulnerability was disclosed by the security researcher Polle Vanhoof.

The Mifare Classic smart card technology is known to be insecure since 2008, when security researchers from Radboud University Nijmegen performed reverse engineering of the chip and published their findings.

The experts demonstrated how to clone and manipulate the contents of a MIFARE Classic chip.

The chipmaker NXP Semiconductor tried to stop the publication of the research by requesting a preliminary injunction that was denied.

Then NXP Semiconductor recommended customers to use its Mifare Plus cards that use AES-128.

Vanhoof’s arsenal included an NFC card reader / writer, the nfc-mfclassic – MIFARE classic command line tool, and a version of mfoc MIFARE Classic offline cracker that he modified.

The researchers wrote a Python script that used to crack the weak encryption and dumped the card’s binary.

The researcher was able to crack the keys and dumping the smartcard.

“To start things off, we will want to crack any non-default keys present on the Nespresso card.” wrote the expert. We can easily do this using the mfoc tool. We run the following command:

mfoc -P 500 -O nespresso.dmp

“We see in the output below that the card uses default keys for most sectors except the last 4. It takes the tool a couple of minutes to break the remaining 4 keys and they are dumped to our screen.”

Then he was able to manually grab the keys that were found in the data dump.

In the second part of the attack, the expert attempted to find the field associated with the funds while purchasing a coffee. To do this he made different purchases with different amounts of money.

“We are working on the assumption that the value of the card is kept on the card itself rather than on some centralized server. This is a much simpler and cost effective design, requiring less hardware and software to implement, making it a likely choice for anyone developing such a system unaware of the security weaknessess of the MIFARE Classic.” Vanhoof added. “We charge our card with some value.”

Once identified the bytes on the card that were changing while purchasing the coffee (three bytes), Vanhoof demonstrated that by altering them he was able to manipulate the money amount to pay the coffee. He wrote a value of €167,772.15 on the card using the nfc-mfclassic tool.

The expert also provided potential mitigations to secure the payment process such as:

• Hardware upgrade: Upgrade the smartcards for future products and use more secure alternatives
• Software mitigation: Upgrade the machines to keep the money value on a backend server rather than on the card itself, only using the cards as a “Personal ID”

“After talking to Nespresso, it seems they already offer both of these options. Clients concerned with the security of their systems should look into these alternatives.” concludes the expert.

Below the disclosure timeline:

• 24 September 2020: Initial disclosure of findings to Nestlé Nespresso S.A
• 24 September 2020: The vendor was quick in communicating and setting up a meeting to discuss the vulnerability
• 09 October 2020: Full disclosure of technical details to vendor
• 02 February 2021: Nespresso confirmed they agreed with publishing this writeup

If you want to receive the weekly Security Affairs Newsletter for free subscribe here.

Pierluigi Paganini

(SecurityAffairs – hacking, Nespresso)

[adrotate banner=”5″]

[adrotate banner=”13″]