Why DRM'ed coffee-pods may be just the awful stupidity we need


#1

[Permalink]


#2

You said it. Now I need my morning coffee even more.


#3

Any early leaks on how it will work? We need to get started circumventing right away.


#4

Yep, its been pretty boring since John Steele and the Prendass Circus was in town.


#5

I’m going to start working on a system using modified inkjet refilling machines to refill used Keurig DRM Pods with fresh ground coffee, powered by a raspberry pi.


#6

obviously this DRM scheme would only be enforceable if the device has a way to call home. Otherwise, your circumvention of the DRM would go unnoticed. Simple solution, block the MAC address of the coffee maker on your WiFi access point / router. Then they would be forced to have the machines not work when there is no internet access. I’m guessing that would kill the product.


#7

These pods sound like an absurd idea and I have never met a person who actually uses them. Yet Green Mountain (Keurig) has been tremendously successful with them. What demographic is actually buying this stuff?


#8

My guess is some sort of QR code on the top of each cup that provides 2 numbers, a nonce and a privately signed version of that nonce. Keureg would own the private key, and the coffee machines would verify it with a burned-in public key, then store the nonce in an internal flash chip to prevent people from just reusing the same lid over and over again.

This would be the cheapest option I think, all it needs is a webcam in the lid and a bit of flash storage (flash is stupid cheap these days). The only complication I foresee is that the webcam might get steamed up and have trouble brewing more than 1 cup in a row.

There could be a whole community of people who take pictures of their lids so other people can print them out and stick them on aftermarket cups, but honestly that sounds like a lot of effort for a stupid cup of coffee.


#9

My office has a Keurig, and so did the office at my previous job. It’s kind of ideal for small offices with people who can’t be bothered to wash out a coffee pot.


#10

My parents have one. If you only have one person in the house who drinks coffee it is pretty handy for letting them make a single cup and not have any cleanup.


#11

No need to be that sophisticated. Just have a static barcode for each licensed vendor, and then sue the bajeebus out of anyone who sells unlicensed cups for duplicating their copyrighted barcode.

Unlike digital media, there’s no way to download pirate coffee cups off a website located abroad. Even if the DRM is trivial to break, they’ve still achieved their goal of outlawing the business of unsanctioned competitors, who need real factories and real trucks shipping real boxes on American soil.


#12

I’ve seen them in offices and salons, basically places where staff might offer a client a cup of coffee (tea, cocoa, cider, etc) but no one wants to do the washing up. I had a cup in a salon, and it was… adequately caffeinated, and better than gas station coffee, but you’ll recognize this as a pretty low bar. I’d say that the common thread is situations where convenience outweighs price or considerations of waste.

Sometimes I want only a single cup of coffee, and I’ve considered one of these, thinking it would be OK as long as I can use my own grinds. But, in the end, the little pour-over cone + filter I’ve had for twenty years makes the expense seem ridiculous. Of course, if I was buying it for my business, I’d call it a tax write-off and be done.


#13

I find it unlikely that a barcode would rise to the level of copyrightability. Works can only be copyrighted if they involve original, creative work. See Feist: http://en.wikipedia.org/wiki/Feist_v._Rural


#14

I’m torn on this. On one hand I like the idea of being able to do what you like with the gear you buy, on the other if you buy into a system that’s the system you buy into. It creates opportunities for other companies to manufacture an alternative to that…there are plenty of “open” systems for making coffee.

If people decide they don’t like the system they buy into…they have a choice to try something new.

Apple doesn’t inherently have to support Android apps on their phones and Android doesn’t have to support Windows phone apps or iOS apps…these are choices they make for competitive reasons. Now if there is a monopoly where all you could buy were one type of DRM coffee machine and one type of DRM pod…that would be a problem, but here we have a company that built an eco-system and now they want to protect it. If you don’t like it that’s what’s great about choice in the marketplace…don’t buy into their system…buy a real espresso machine or a regular coffee machine.

There’s always a lot of talk about “open” and “choice” here on boing…and yet when we don’t like something like this we simply say it should be forced to open up…when the real choice is simply going down to Bed Bath & Beyond, buying a non pod coffee machine and a grinder. What’s the big deal?


#15

That would be a little too easy to defeat with a simple refillable cup IMHO. The amount of computing resources necessary to do a simple crypto check is not big these days. It would probably add something like $1 to the cost of the device.


#16

How is this not a violation of the U.S. anti-trust regulations? Wasn’t it established in Control Data vs. IBM that a manufacturer had to supply interface information to a 3rd party supplier? My knowledge of this is a bit hazy so I’d appreciate anyone who knows more to chime in.


#17

I’ve most often seen them in offices and waiting rooms. At least where I work, it works well. Ease of cleanup is a big advantage in an office space where no one is ‘officially’ responsible for cleaning up. We have communal coffee makers in other parts of the building but diffusion of responsibility / freeloaders cause problems in the who-makes-coffee / who-cleans-coffee arrangements.

The k-cups also let us offer our meeting guests a much wider range of coffee and tea flavors than we would otherwise be able to stock and prepare without a lot of waste due to spoilage / dumped coffee pots.

As far as non-commercial users buying them, I’m not sure the argument is as compelling, unless it is a pure convenience thing or for people who only drink coffee on the weekends (the longer storage life of the pods might be worth the cost).

To my knowledge the one in our office comes with a support contract so I can’t imagine how ungodly expensive it is for my employer.


#18

My wife and I received a Keurig Vue setup for Christmas. It makes the best cup of coffee that I’ve ever made with a machine in my house. It’s simple and it always produces the same cup of coffee. Plus we have one of the Solo refillable cups so we use whatever coffee we like. She drinks a few cups a week, while I might have one a week, so it works well for us.


#19

No word that I’ve seen, and I must admit to being curious:

The obvious approach, from a cost standpoint, would be to use something similar to the existing design; but slap together a few standardized data fields(brew parameters, serial number, maybe some other stuff I’m forgetting), cryptographically sign that bundle of data and then print it as a QR, or other 2d bar code, on the pod.

That approach would allow ‘automagic’ configuration of temperature, time, volume, according to the type of beverage being infused(which people probably would think is neat); and would be impossible for a 3rd party to forge without access to a private key blessed by Keurig’s trusted root key. It would also be relatively cheap: production-line printers for spitting out serial numbers, expiration dates, etc. aren’t free; but that’s totally stock manufacturing and warehouse logistics hardware and ink is cheap, and a reader (probably a low-resolution linear CCD/CMOS strip that the pod gets rotated in front of? Maybe an epoxy-potted cheap and nasty cell camera?) wouldn’t add too much to the cost of the brew unit.

However, and this would be the kicker, while it would be computationally infeasible to create a new data bundle, because of the signature, the system would have zero defense against ‘replay’ attacks based on just buying the ‘blessed’ consumable with the brew profile closest to your product, then copying the code, verbatim, onto your pod. The signature will still check out, because you haven’t altered anything, and (worst case), you might have to buy another sample every few weeks to months if the data blob includes a manufacture date and/or an expiration date that causes old pods to ‘time out’ (Apropos of article image: “It’s an older code, sir; but it checks out, I was about to brew it.”). Still stopping by the store on the way to work once a week, or even once a day, for the smallest available pack of ‘real’ pods to secure this round’s ‘authentic’ code would not be much of a deterrent to cloners.

There would be two possible mitigations to replay attacks, both adding some cost: More plausibly, the brewer’s control system could log the serial number of each consumable on use, and reject duplicate serials. This wouldn’t do anything about duplicates on a broader scale; but it would mean that cloners would have to have enough legitimate samples(and package them to avoid confusion) to keep their customers from running into enough ‘dud’ unbrewable duplicate pods that they just give up. The onboard storage would be vulnerable to a hardware attacker willing to mod the brewer; but enough cheap, slow, flash memory to store approximately a zillion serial numbers would cost, what, a dollar?

Less plausibly, a network connection offers near-perfect resistance to cloners: If each serial is born unique, and each pod’s use is reported to HQ, HQ knows all outstanding serials at all times (also handy for market research and creepy individualized marketing, no? Synergy!), and the brewer merely need ask for permission before brewing an unknown serial. There would be a modest risk of ‘race condition’(if a cloner figured out a non-destructive method of reading the data tag, through the packaging say, they might be able to get ‘real’ data tags from genuine consumables still in the supply chain, in which case their clone pod might be the first to be brewed, leaving the eventual purchaser of the ‘real’ pod with a burned serial. Has happened to some games’ CD-key verification schemes from time to time).

That would be reasonably solvable merely by being a bit lax (especially if each machine has a unique ID, which it would, you could even choose between a blanket ‘eh, just let 3 activations per serial pass, keep the customers happy, then send Pinkerton Death Squads to…enhance operational security… for whichever franchisee sold the batch that got cloned the most this quarter’ policy or a more specific, per-machine ‘trustedness’ metric: “Good” customers, with profitable buying habits, or new customers who you want to encourage, would get a pass even on a certain amount of near-certain-fake-buying. “Bad” customers, with lots of clones in their history, well, no mercy for the misguided…) It’d be just like a credit score!

The more serious obstacle, of course, would be getting people to accept that the coffee machine doesn’t work without internet access (or, if you do an Amazon style ‘whispernet’ integrated cell link, the additional cost and trying to explain to a confused customer what possible reason there could be that the cell reception in their house, for the carrier you chose, quite possibly not even the one they can check by looking at their phone’s signal-strength meter, would affect the operation of the coffee machine.) And, of course, the nightmare scenario: If the office brewer loses connectivity before IT has had its morning coffee, IT won’t be able to restore connectivity due to lack of coffee; but the coffee supply will be offline because IT can’t restore the connectivity. Cry to the gods of a thousand dead pantheons for the mercy that will never come, cry!

The second alternative, much more robust against cloners; but no idea how it would do anything except crater the margins on the pods, would be IC-based. Your basic boring smartcard IC (also seen in SIM cards and some ‘dongle’ authentication systems that are basically a smartcard and USB reader in a single sealed case) has an internal private key(recoverable only by direct attack on the die, or atypically bad software flaw) and is thus functionally unforgeable at any economically relevant cost. A die-level attack to recover the key is doable, in most cases; but if it costs $50k to mount the attack, you’d probably be better off kissing Keurig’s pinkie ring.
However, the obvious problem here is unit cost: rough numbers (based on the cost of ISO 7816 contact smart cards, the bare IC should be cheaper, of course, but harder to get a quote for on short notice, has to be at least 20 cents a unit, maybe rather more. Full cards, with IC and surrounding plastic, are 50-60 cents each even at 5,000+ unit order quantities and no printing.) Spending that much probably erases much of the margin Keurig was hoping to turn into sweet, sweet, executive compensation, and they still have to deal with the potential of one or more of their ‘blessed’ cards being physically cracked and then cloned by the thousands (possibly new batches of coffee pods would also distribute revocation information for earlier pods known to have been cloned, as with AACS ‘recoverability’ or PS Vita games that include, and force, a ROM update? No architectural reason why you couldn’t…)

Honestly, Keurig is taking on an atypically nasty DRM problem here: unlike games/music/video, where the ‘clone’ goods are illegal just for existing, in virtually all jurisdictions, so it’s mostly about making noises for the rightsholders and (particularly with software, which has room to build in lots of annoying traps) maybe delaying the war3z kiddies long enough to preserve opening weekend; the hypothetical clone pods will be perfectly licit goods (and so, like generic toner, sold by companies that can invest in interoperability research and development if need be, and aren’t under any immediately clear legal threat just for existing. And then the value per pod, even on the highest-margin first-party ones, isn’t high enough to buy any really classy active cryptographic features without destroying the margins entirely, and passive consumables are trivially cloned unless the brewer is internet-connected and a revocation/validation server architecture is maintained.

I hardly pity them the ‘problem’ they’ve created for themselves; but I’d be shocked to see success(or drinkable coffee).


#20

My favorite part about these mini coffee brewers is that the “made for tv” crowd latched onto them… they started selling plastic refillable k-cups that you would scoop standard coffee grounds into.

The pitch was that it would save you money on your coffee because you wouldn’t have to spend money on the expensive one-offs.

Instead of just buying a traditional coffee brewer.