Archer

Company left rewards system vulnerable to hackers looking to sip & sup for free.

 

Free beer!

Now that we have your attention, we’d like to tell you about the fallout from the hack of, well, free beer.

It could mean safer rewards systems that companies use to try to keep you as a regular customer, so someone else doesn’t get free stuff that doesn’t belong to them.

But it may take a while.

‘Purely for fun’

It started with a Polish researcher and software developer named Kuba Gretzky, whose wife showed him an app to earn rewards points for eating or drinking at restaurants in his home country.

“It was purely for fun,” he said.

One beer equals one point. Five points equals a free beer.

“The idea of the application is great,” Gretzky told Archer News. “We usually eat in the same places anyway, so why not get extra things while we do it?”

But Gretzky works in the world of security. And the question crept into his mind. Just how secure is this app?

Not secure enough, as it turns out.

EatApp

Gretzky calls the rewards program app by a pseudonym in his post about the hack.

To earn points with the ‘EatApp,’ you first drink or dine at your favorite hangout. Then, an employee waves a small, mouse-sized device over your phone. Bingo! The device, called a beacon, verifies that you are there so you can get the points.

Beacon device. Photo credit: jnxyz via Foter.com / CC BY

But through trial and error, Gretzky discovered that the beacon devices send out the verification keys in a way that hackers could intercept them.

“Broadcasting authorization keys over the air is never a good idea,” he said.

He was able to obtain the PIN, and add points to his account without actually buying the beer.

“Jackpot!” he wrote. “Enjoy your free points!”

No free beer

Though some hackers might say he deserves a cold one after his long technical journey, Gretzky himself said he did not cash in.

“Felt wrong in some way to do it like this,” he wrote. “It felt good though to know that I could get unlimited amounts of beer if I ever wanted to though ;).”

“I earned some points to confirm that the tool I wrote works and that was it,” he added. “My job was done and the biggest reward for me was that I just can exploit it, but I don’t have to.”

Beer is not the goal in this exercise.

“My goal is to give you an idea of what flaws similar applications may have, how to find them and how to better secure such applications,” he said.

Beer hack research image from Kuba Gretzky post.

Fixing the problems

If you’re a restaurant owner, you probably want to cut off the flow of free suds and grub. If you’re a customer who likes the reward program, you might want to stop malicious hackers from draining the restaurant’s loyalty budget and shutting the program down.

And if you are the app developer, you may want to find solutions to the program’s insecurity.

Gretzky said he talked with the CEOs of the app and beacon companies to help improve the system.

Beacon & beer

CEO Jakub Krzych of Estimote, the beacon device company, said app developers can use a secure UUID (universally unique identifier), rather than a public one, like the one employed by EatApp. The secure UUID broadcasts a harder-to-steal encrypted ID.

“First of all congratz on the nice hack and the free beer : ) Thank you also for this detailed article and your contribution to more secure IoT [Internet of Things],” wrote Krzych to Gretzky.

Gretzky suggested that EatApp also verify more information about the customer’s account before giving him or her rewards points.

EatApp will indeed implement these security plans, the researcher said. But it will take some time, as the company will need to replace the 600 beacons it has already deployed to restaurants, according to Gretzky.
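An added example, not from the article, Gretzky’s post, or Estimote’s product, sketching the two fixes described above: a beacon identifier that rotates every time window so a captured value expires, and a backend that resolves the rotating value and refuses repeat claims from the same account. The shared secret, window length and per-account check are assumptions for illustration.

```python
import hmac
import hashlib

# Constructed demo values (assumptions): the secret is shared between beacon
# firmware and the rewards backend; a real product's internals are not shown here.
BEACON_SECRET = b"demo-beacon-secret"
WINDOW_SECONDS = 60


def rotating_id(beacon_id: str, now: int) -> str:
    """Value the beacon broadcasts; it changes every WINDOW_SECONDS.

    A static UUID can be captured once and reused forever; this value is
    only resolvable by the backend and stops being valid after the window.
    """
    window = now // WINDOW_SECONDS
    msg = f"{beacon_id}:{window}".encode()
    return hmac.new(BEACON_SECRET, msg, hashlib.sha256).hexdigest()[:16]


class RewardsBackend:
    def __init__(self, beacons: dict):
        self.beacons = beacons        # beacon_id -> venue name
        self.points = {}              # account -> points
        self.seen = set()             # (account, broadcast_id) already credited

    def resolve(self, broadcast_id: str, now: int):
        """Map a broadcast value back to a known beacon, or None if expired."""
        for beacon_id in self.beacons:
            # Accept the current and previous window to tolerate clock skew.
            for skew in (0, 1):
                expected = rotating_id(beacon_id, now - skew * WINDOW_SECONDS)
                if hmac.compare_digest(expected, broadcast_id):
                    return beacon_id
        return None

    def award(self, account: str, broadcast_id: str, now: int) -> str:
        beacon_id = self.resolve(broadcast_id, now)
        if beacon_id is None:
            return "rejected: unknown or expired beacon id"
        if (account, broadcast_id) in self.seen:
            return "rejected: replay"        # same value presented again
        self.seen.add((account, broadcast_id))
        self.points[account] = self.points.get(account, 0) + 1
        return "ok"
```

The `seen` set should be pruned once entries are older than the window, and a production backend would add the account-level checks Gretzky suggests (visit frequency, venue history) rather than relying on the beacon value alone.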

Until then, you may see a surge in tipsy hackers in Poland. As Gretzky wrote, tongue-in-cheek, “Now it’s time to enjoy the spoils of hard work. Cheers!”

Poaching points

Hackers have targeted rewards programs before.

Customers reported thieves draining their bank accounts through their Starbucks rewards app last year. The attackers used the app’s automatic reload feature to move money from the customer’s credit card into the Starbucks account, then transfer the money to a gift card.

In 2014, a researcher found that the Starbucks app stored your name and password in a way that made it too easy for attackers to get in. Starbucks updated the app to fix the vulnerability.

Hilton Honors customers reported crooks stealing their rewards points in 2014, as did frequent flyers on American Airlines and United Airlines.

This year, prosecutors said a former student from Florida International University masterminded the American Airlines flyer miles theft, using them to book plane flights, hotel rooms and rental cars, one of which he allegedly crashed, according to the Miami Herald. The airline company said he was caught through the rewards program alert system, which sends notices to customers if the e-mail address on their accounts changes.

A final note

In comparison, the free beer hack may seem minor.

But Gretzky hopes his research will help improve security in rewards apps.

And he encourages other security researchers to treat app developers with more respect.

“There are too many situations where I see researchers calling developers ‘idiots,’ just because they managed to find some security flaw,” Gretzky said.

“I’ve developed many applications before and I know how complicated and exhausting the process can be,” he explained. “It is great if someone finds a flaw in software, but that doesn’t entitle them to be a–holes about it. People make mistakes.”