lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <CAKueL6ddPm5PQK0gYDKdVzxk_KzD91f_rzRqrQywzuj6GEBRFw@mail.gmail.com>
Date: Tue, 9 Dec 2014 13:04:20 -0500
From: Kenneth Buckler <kenneth.buckler@...il.com>
To: fulldisclosure@...lists.org
Subject: [FD] Keurig 2.0 Genuine K-Cup Spoofing Vulnerability

*Overview*


Keurig 2.0 Coffee Maker contains a vulnerability in which the authenticity
of coffee pods, known as K-Cups, uses weak verification methods, which are
subject to a spoofing attack through re-use of a previously verified K-Cup.


*Impact*


CVSS Base Score: 4.9

Impact Subscore: 6.9

Exploitability Subscore: 3.9


Access Vector: Local

Access Complexity: Low

Authentication: None


Confidentiality Impact: None

Integrity Impact: Complete

Availability Impact: None


*Vulnerable Versions*

Keurig 2.0 Coffee Maker


*Technical Details*


Keurig 2.0 is designed to only use genuine Keurig approved coffee K-Cups.
However, a flaw in the verification method allows an attacker to use
unauthorized K-Cups. The Keurig 2.0 does verify that the K-Cup foil lid
used for verification is not re-used.


Step 1: Attacker uses a genuine K-Cup in the Keurig machine to brew coffee
or hot chocolate.

Step 2: After brewing is complete, attacker removes the genuine K-Cup from
the Keurig and uses a knife or scissors to carefully remove the full foil
lid from the K-Cup, ensuring to keep the full edges intact. Attacker keeps
this for use in the attack.

Step 3: Attacker inserts a non-genuine K-Cup in the Keurig, and closes the
lid. Attacker should receive an "oops" error message stating that the K-Cup
is not genuine.

Step 4: Attacker opens the Keurig, leaving the non-genuine K-Cup in the
Keurig, and carefully places the previously saved genuine K-Cup lid on top
of the non-genuine K-Cup, lining up the puncture hole to keep the lid in
place.

Step 5: Attacker closes the Keurig, and is able to brew coffee using the
non-genuine K-Cup.


Since no fix is currently available, owners of Keurig 2.0 systems may wish
to take additional steps to secure the device, such as keeping the device
in a locked cabinet, or using a cable lock to prevent the device from being
plugged in when not being used by an authorized user.


Please note that a proof of concept is already available online.


*Credit: *

Proof of concept at http://www.keurighack.com/

Vulnerability Writeup by Ken Buckler, Caffeine Security
http://caffeinesecurity.blogspot.com

_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ