This Blog has Moved!

This blog is moving to


Thank you for visiting! Content will remain here for archival purposes.

Keurig 2.0 Genuine K-Cup Spoofing Vulnerability

Hello Slashdot! I apologize if the blog runs slow under the heavy load! -Ken

Overview

The Keurig 2.0 Coffee Maker verifies the authenticity of its coffee pods, known as K-Cups, using a weak method. The check is subject to a spoofing attack in which the lid of a previously verified K-Cup is re-used.

Impact

CVSS Base Score: 4.9
Impact Subscore: 6.9
Exploitability Subscore: 3.9

Access Vector: Local
Access Complexity: Low
Authentication: None

Confidentiality Impact: None
Integrity Impact: Complete
Availability Impact: None

Vulnerable Versions
Keurig 2.0 Coffee Maker

Technical Details

The Keurig 2.0 is designed to accept only genuine, Keurig-approved K-Cups. However, a flaw in the verification method allows an attacker to use unauthorized K-Cups: the Keurig 2.0 checks the K-Cup foil lid for authenticity but does not verify that the lid has not already been used.

Step 1: Attacker uses a genuine K-Cup in the Keurig machine to brew coffee or hot chocolate.
Step 2: After brewing is complete, attacker removes the genuine K-Cup from the Keurig and uses a knife or scissors to carefully remove the full foil lid from the K-Cup, taking care to keep the full edges intact. Attacker keeps this for use in the attack.
Step 3: Attacker inserts a non-genuine K-Cup in the Keurig, and closes the lid. Attacker should receive an "oops" error message stating that the K-Cup is not genuine.
Step 4: Attacker opens the Keurig, leaving the non-genuine K-Cup in the Keurig, and carefully places the previously saved genuine K-Cup lid on top of the non-genuine K-Cup, lining up the puncture hole to keep the lid in place.
Step 5: Attacker closes the Keurig, and is able to brew coffee using the non-genuine K-Cup.
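The root cause is a general one: the device proves that a lid is genuine, but not that it is fresh. Any authenticity check without single-use tracking is open to replay. The toy model below is an added example and does not describe how the Keurig 2.0 actually reads a lid; it assumes (hypothetically) that each lid carries a readable mark, and that a hardened design would additionally give each lid a unique serial the device records as consumed.

```python
"""Toy model of an authenticity check with and without replay protection.

Added example; not the Keurig 2.0's actual mechanism. Assumed for the model:
each pod lid carries a mark the device can read, and in the hardened design a
unique per-lid serial number as well.
"""

from dataclasses import dataclass


@dataclass(frozen=True)
class Lid:
    genuine_mark: bool  # whether the lid carries the manufacturer's mark (assumed)
    serial: str         # unique per-lid identifier (assumed, used only by the hardened design)


class WeakVerifier:
    """Accepts any lid carrying the mark and never asks whether it was seen before.

    This is the behaviour the writeup describes: a saved genuine lid passes again.
    """

    def accept(self, lid: Lid) -> bool:
        return lid.genuine_mark


class SingleUseVerifier:
    """Accepts a marked lid only the first time its serial is presented to this device."""

    def __init__(self) -> None:
        self._consumed: set[str] = set()

    def accept(self, lid: Lid) -> bool:
        if not lid.genuine_mark or lid.serial in self._consumed:
            return False
        self._consumed.add(lid.serial)  # bind acceptance to this lid's identity
        return True


def simulate(verifier) -> list:
    """Replay the writeup's sequence: brew a genuine pod, re-present its lid, then try an unmarked pod."""
    genuine = Lid(genuine_mark=True, serial="lid-0001")  # constructed sample lid
    results = [verifier.accept(genuine)]                 # Step 1: genuine pod brews
    results.append(verifier.accept(genuine))             # Step 4: same lid presented again
    results.append(verifier.accept(Lid(False, "none")))  # Step 3: non-genuine pod, no mark
    return results


if __name__ == "__main__":
    print("weak:      ", simulate(WeakVerifier()))       # [True, True, False]
    print("single-use:", simulate(SingleUseVerifier()))  # [True, False, False]
```

The single-use variant only defends the one device that recorded the serial; a lid accepted on one machine would still pass on another unless the consumed-serial state is shared or the token is physically destroyed on use. A serial that is merely printed, rather than cryptographically bound to the mark, can also be copied, so the model shows the necessary freshness check, not a complete design.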

Since no fix is currently available, owners of Keurig 2.0 systems may wish to take additional steps to secure the device, such as keeping the device in a locked cabinet, or using a cable lock to prevent the device from being plugged in when not being used by an authorized user.

Please note that a proof of concept is already available online.

Credit: 
Proof of concept at http://www.keurighack.com/
Vulnerability Writeup by Ken Buckler, Caffeine Security http://caffeinesecurity.blogspot.com

NOTE: There has been some question regarding the video and who made it. This is not the security researcher you're looking for. I am not the person who created the video, and only found the KeurigHack website after I discovered this vulnerability on my own. To whoever created the website, great job!

2 comments:

  1. DRM was such a lousy idea. It worked out so well for XBox One's publicity and the whole music industry. Seriously, enough is enough! I'm not a pirate, I'm a patriot. And stop infringing on our freedom you money-grubbing bastards!

  2. With the introduction of version 2 cups Keurig and Green Mountain should be boycotted and put out of business - as well as all their partners! There is nothing worse than corporate greed. Now only the huge players can get a Keurig "pedigree" to market their products, and Keurig charges them plenty to play! Consumers and small business get screwed. As one of many small, local coffee roasters, I will be hung out to dry, and my customers will be forced to drink overpriced, intentionally stale coffee! Boycott these losers and buy a generic coffee machine - support local business!
    http://www.berwickcoffee.com/
