Let us imagine that your Nespresso smart card had no limit to how much coffee you can buy with it. A little too convenient, isn’t it? Security researcher Polle Vanhoof has described a vulnerability that actually makes this possible.
The problem lies with Nespresso Pro machines equipped with a smart card reader, whose smart cards still rely on the MIFARE Classic chip.
This is not something a company should overlook: in 2008, security researchers reverse-engineered the chips, were able to clone them and manipulate the data on them, and published their findings.
After this publication, the MIFARE Classic series was deemed unsafe and the company introduced a safer alternative, MIFARE Plus, which relies on more robust encryption (AES-128).
Using an NFC card reader, the nfc-mfclassic command, and mfoc (software that cracks the encryption of MIFARE Classic chips), Vanhoof was able to access, view, and make changes to the card binaries.
Because the value of the card was stored on the card itself, and not on a third-party server, Vanhoof could identify which parts of the binaries changed by making a purchase with the card.
When the binaries were compared after purchase, Vanhoof noted that the card used three bytes to represent the total value.
“Therefore, the maximum possible amount of money in one of these cards is 167,772.15 euros,” explained the researcher.
One would simply have to use a hex editor to modify the file and write it back to the card. The machine then detects that the modified balance is present and allows the user to buy coffee. At one euro per coffee, that equates to 167,772 coffees, which is one coffee a day for 459 years.
Vanhoof, in his post, advised Nespresso to upgrade its smart cards and more importantly, to store monetary value on a remote server rather than on the smart card itself. “After talking to Nespresso, it seems they already offer both of these options,” he said.
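The second recommendation, keeping the balance on a server, can be sketched as follows. This is an added example, not code from Vanhoof's post or from Nespresso: the `Ledger` class, the card identifiers and the big-endian byte order of the three-byte value field are all assumptions made for illustration.

```python
from dataclasses import dataclass, field

MAX_ON_CARD_CENTS = 0xFFFFFF   # three bytes: 16,777,215 cents = 167,772.15 EUR
COFFEE_PRICE_CENTS = 100       # one euro per coffee, as in the article


def decode_card_value(raw: bytes) -> int:
    """Decode the 3-byte on-card value as cents (byte order is an assumption)."""
    if len(raw) != 3:
        raise ValueError("value field must be exactly 3 bytes")
    return int.from_bytes(raw, "big")


@dataclass
class Ledger:
    """Hypothetical server-side ledger: the server's balance is authoritative."""
    balances: dict = field(default_factory=dict)  # card id -> cents
    alerts: list = field(default_factory=list)    # (card id, claimed, actual)

    def top_up(self, card_id: str, cents: int) -> None:
        if cents <= 0:
            raise ValueError("top-up must be positive")
        self.balances[card_id] = self.balances.get(card_id, 0) + cents

    def purchase(self, card_id: str, card_value_raw: bytes,
                 price: int = COFFEE_PRICE_CENTS) -> bool:
        claimed = decode_card_value(card_value_raw)
        actual = self.balances.get(card_id, 0)
        # The on-card value is only a hint; a mismatch is a tamper signal.
        if claimed != actual:
            self.alerts.append((card_id, claimed, actual))
        if actual < price:          # decision uses the server balance only
            return False
        self.balances[card_id] = actual - price
        return True


if __name__ == "__main__":
    ledger = Ledger()
    ledger.top_up("card-A", 500)                      # constructed sample data
    print(ledger.purchase("card-A", (500).to_bytes(3, "big")))   # honest card
    print(ledger.purchase("card-B", b"\xff\xff\xff"))            # edited dump
    print(ledger.alerts)
```

Because the purchase decision never reads the card's value field, editing the dump changes nothing except that it raises an alert. Authenticating the card identifier itself is out of scope here.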