Keurig 2.0 Authentication Bypass

Type packetstorm
Reporter Kenneth Buckler
Modified 2014-12-09T00:00:00


Keurig 2.0 Coffee Maker contains a vulnerability in which the authenticity  
of coffee pods, known as K-Cups, uses weak verification methods, which are  
subject to a spoofing attack through re-use of a previously verified K-Cup.  
CVSS Base Score: 4.9  
Impact Subscore: 6.9  
Exploitability Subscore: 3.9  
Access Vector: Local  
Access Complexity: Low  
Authentication: None  
Confidentiality Impact: None  
Integrity Impact: Complete  
Availability Impact: None  
*Vulnerable Versions*  
Keurig 2.0 Coffee Maker  
*Technical Details*  
Keurig 2.0 is designed to only use genuine Keurig approved coffee K-Cups.  
However, a flaw in the verification method allows an attacker to use  
unauthorized K-Cups. The Keurig 2.0 does verify that the K-Cup foil lid  
used for verification is not re-used.  
Step 1: Attacker uses a genuine K-Cup in the Keurig machine to brew coffee  
or hot chocolate.  
Step 2: After brewing is complete, attacker removes the genuine K-Cup from  
the Keurig and uses a knife or scissors to carefully remove the full foil  
lid from the K-Cup, ensuring to keep the full edges intact. Attacker keeps  
this for use in the attack.  
Step 3: Attacker inserts a non-genuine K-Cup in the Keurig, and closes the  
lid. Attacker should receive an "oops" error message stating that the K-Cup  
is not genuine.  
Step 4: Attacker opens the Keurig, leaving the non-genuine K-Cup in the  
Keurig, and carefully places the previously saved genuine K-Cup lid on top  
of the non-genuine K-Cup, lining up the puncture hole to keep the lid in  
Step 5: Attacker closes the Keurig, and is able to brew coffee using the  
non-genuine K-Cup.  
Since no fix is currently available, owners of Keurig 2.0 systems may wish  
to take additional steps to secure the device, such as keeping the device  
in a locked cabinet, or using a cable lock to prevent the device from being  
plugged in when not being used by an authorized user.  
Please note that a proof of concept is already available online.  
*Credit: *  
Proof of concept at  
Vulnerability Writeup by Ken Buckler, Caffeine Security