
NESPRESSO COMMERCIAL MACHINES HACKED FOR UNLIMITED COFFEE

Readers will know we like our technology here at Bartalks, even if we can’t always get it to work. It appears Nespresso has its struggles as well, after Polle Vanhoof, a security researcher, loaded his Nespresso smart card with €167,772.15 without spending a cent.

The hack does involve some technical skill, so it’s out of reach for many of us, but unethical IT geeks will be paying attention.

The hack works simply by changing the value on the card using free software such as nfc-mfclassic, which Vanhoof modified. The card’s data is protected by weak encryption that the software can crack, and since the card is never validated against a central location, nobody is the wiser.

Vanhoof observed what binary elements changed on the card after making a purchase. Once he had that information, it was simply a case of changing that binary code to represent a bigger number – in this case €167,772.15.

At the time the findings were made public, the smart card manufacturer, NXP Semiconductor, advised customers to adopt its Mifare Plus cards, which rely on more secure encryption (AES-128).

“We are working on the assumption that the value of the card is kept on the card itself rather than on some centralized server,” said Vanhoof. “This is a much simpler and cost effective design, requiring less hardware and software to implement, making it a likely choice for anyone developing such a system unaware of the security weaknesses of the Mifare Classic.”
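The missing control described above is validation of the card against a central record. The sketch below is an added example, not code from Vanhoof or Nespresso: it assumes an online machine and a hypothetical `Ledger` backend that holds the authoritative balance in cents, so the value read from the card is only a claim to be checked. The card identifier and amounts are constructed sample data.

```python
from dataclasses import dataclass, field


@dataclass
class Ledger:
    """Hypothetical server-side ledger: the authoritative balance per card UID, in cents."""
    balances: dict = field(default_factory=dict)
    blocked: set = field(default_factory=set)

    def top_up(self, uid: str, cents: int) -> None:
        if cents <= 0:
            raise ValueError("top-up must be positive")
        self.balances[uid] = self.balances.get(uid, 0) + cents

    def authorize(self, uid: str, card_cents: int, price: int):
        """Return (approved, reason). The card's value is only a claim to verify."""
        if price <= 0:
            return False, "invalid price"
        if uid in self.blocked:
            return False, "card blocked"
        server_cents = self.balances.get(uid)
        if server_cents is None:
            return False, "unknown card"
        if card_cents != server_cents:
            # On-card value disagrees with the ledger: block the card and alert.
            self.blocked.add(uid)
            return False, f"mismatch: card={card_cents} ledger={server_cents}"
        if price > server_cents:
            return False, "insufficient funds"
        self.balances[uid] = server_cents - price
        return True, "ok"


def demo():
    """Constructed sample: one card, one paid top-up, then three machine requests."""
    ledger = Ledger()
    uid = "CARD-0001"            # constructed identifier
    ledger.top_up(uid, 2000)     # 20.00 EUR paid at the till
    results = [
        ledger.authorize(uid, 2000, 45),        # honest card, value matches ledger
        ledger.authorize(uid, 16_777_215, 45),  # card claims 167,772.15 EUR
        ledger.authorize(uid, 1955, 45),        # stays blocked until reviewed
    ]
    return results, ledger.balances[uid]


if __name__ == "__main__":
    print(demo())
```

With this check in place an edited on-card value buys nothing, because the purchase is decided from the ledger and the mismatch itself becomes the alert.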
