On a light note today, there has been a new vulnerability disclosed that affects the Keurig 2.0 Brewing System. The official report on seclists.org states that the “Keurig 2.0 Coffee Maker contains a vulnerability in which the authenticity of coffee pods, known as K-Cups, uses weak verification methods, which are subject to a spoofing attack through re-use of a previously verified K-Cup.
“Keurig 2.0 is designed to only use genuine Keurig approved coffee K-Cups. However, a flaw in the verification method allows an attacker to use unauthorized K-Cups. The Keurig 2.0 does not verify that the K-Cup foil lid used for verification is not re-used.”
The disclosure even goes on to explain the steps an attacker needs to take to successfully execute this type of attack, along with a proof-of-concept video.
There is currently no fix/patch for the vulnerability. As the original report jokingly advises, owners of the Keurig 2.0 might want to take additional precautions, including locking the device in a cabinet and using a cable lock that will “prevent the device from being plugged in when not being used by an authorized user.”
The question is, why did Keurig bother to even include this protection at all? It isn’t hard to bypass and it likely just costs extra money in the development process. Users compared it to the DRM protection in the music/software industry – and just like DRM, it has been cracked in no time.
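The flaw the advisory describes is a replay: a check that only asks "does this lid look genuine?" will pass the same lid any number of times. The Python model below is an added illustration, not code from the advisory and not Keurig's actual mechanism; the static mark, the per-lid serial and tag, the key and both brewer classes are hypothetical.

```python
import hashlib
import hmac

# Constructed values for illustration; nothing here reflects Keurig's real design.
STATIC_MARK = "GENUINE-MARK"          # the same mark on every approved lid
VENDOR_KEY = b"constructed-demo-key"  # hypothetical key shared by vendor and brewer


def make_lid(serial: str) -> dict:
    """Vendor side: issue a lid with the static mark plus a per-lid MAC tag."""
    tag = hmac.new(VENDOR_KEY, serial.encode(), hashlib.sha256).hexdigest()
    return {"mark": STATIC_MARK, "serial": serial, "tag": tag}


class WeakBrewer:
    """Models the reported flaw: the lid is checked, but never for re-use."""

    def accept(self, lid: dict) -> bool:
        return lid.get("mark") == STATIC_MARK


class ReplayAwareBrewer:
    """Verifies a per-lid tag and remembers which serials were already brewed."""

    def __init__(self):
        self.used = set()

    def accept(self, lid: dict) -> bool:
        serial, tag = lid.get("serial", ""), lid.get("tag", "")
        expected = hmac.new(VENDOR_KEY, serial.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            return False              # forged or altered lid
        if serial in self.used:
            return False              # genuine lid presented a second time
        self.used.add(serial)
        return True


def demo() -> dict:
    lid = make_lid("LID-0001")        # one genuine lid, presented twice
    weak, strict = WeakBrewer(), ReplayAwareBrewer()
    forged = {"mark": STATIC_MARK, "serial": "LID-9999", "tag": "00" * 32}
    return {
        "weak": [weak.accept(lid), weak.accept(lid)],
        "strict": [strict.accept(lid), strict.accept(lid)],
        "strict_forged": strict.accept(forged),
    }


if __name__ == "__main__":
    print(demo())
```

The stricter model only blocks re-use on the brewer that saw the lid first, and its key sits inside the device; it illustrates the missing check, not a complete fix.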