A computer science student with no prior NFC security experience reverse-engineered a commercial laundry payment card in under an hour using Claude Code, Anthropic's AI coding assistant, and a Flipper Zero hardware device. The target was a Mifare Classic 1K card operated by CSC ServiceWorks, the largest commercial laundry operator in North America with over one million machines deployed across 127,000 apartment buildings and 1,300 universities. The student, writing on their blog at hanzilla.co, documented how Claude Code handled serial communication scripting over the Flipper Zero's USB interface, analyzed raw card data layout, and identified a structural architectural flaw — all without consulting a single datasheet or NFC specification.

The vulnerability itself is not new. The Mifare Classic cipher was publicly broken in 2008, and the specific flaw the student identified is a design separation problem: the reload machine computes a cryptographic "balance certificate" that the washing machine can verify but never recompute, because the washer lacks the signing key. Every balance deduction is trivially reversible — a user can restore the card to its last-reloaded state indefinitely, and the washer accepts it because the certificate remains valid. The exploit requires only a Flipper Zero or NFC-capable phone. The student disclosed the vulnerability to CSC ServiceWorks before publishing.
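A back-office check that would surface the rollback described above, as an added example (not code from the student's writeup or from CSC). It assumes washers report each card's UID and the balance they read before deducting; the log format, field names and sample lines are constructed.

```python
import re

# Constructed log lines in an assumed format; not real operator telemetry.
SAMPLE_LOG = """\
2026-03-01T09:00:00Z reload uid=04A1B2C3 amount=2000
2026-03-01T09:05:00Z spend uid=04A1B2C3 card_before=2000 price=175
2026-03-01T12:00:00Z reload uid=04D4E5F6 amount=1000
2026-03-02T18:30:00Z spend uid=04A1B2C3 card_before=1825 price=175
2026-03-03T07:10:00Z spend uid=04A1B2C3 card_before=2000 price=175
2026-03-04T08:00:00Z spend uid=04D4E5F6 card_before=1000 price=200
2026-03-05T08:00:00Z spend uid=04FFFFFF card_before=500 price=200
"""

LINE = re.compile(r"^(\S+) (reload|spend) uid=(\w+) (.*)$")


def find_rollbacks(log_text, opening=None):
    """Return (timestamp, uid, excess_cents) for each spend where the card
    reports a higher balance than the server-side ledger expects."""
    ledger = dict(opening or {})  # uid -> expected balance in cents
    alerts = []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # skip lines that are not in the assumed format
        ts, kind, uid, rest = m.groups()
        f = {k: int(v) for k, v in (p.split("=") for p in rest.split())}
        if kind == "reload":
            ledger[uid] = ledger.get(uid, 0) + f["amount"]
            continue
        if uid not in ledger:
            # Card was loaded before the log window: adopt its balance
            # as the baseline instead of raising a false alert.
            ledger[uid] = f["card_before"]
        elif f["card_before"] > ledger[uid]:
            # The card's certificate still verifies at the washer, but the
            # balance went up without a reload: a restored earlier state.
            alerts.append((ts, uid, f["card_before"] - ledger[uid]))
        # The ledger, not the card, is the source of truth for deductions.
        ledger[uid] -= f["price"]
    return alerts


if __name__ == "__main__":
    for ts, uid, excess in find_rollbacks(SAMPLE_LOG):
        print(f"{ts} card {uid} reports {excess} cents more than the ledger")
```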

The timeline is the story. Work that would have required expert-level knowledge of NFC protocols, sector layouts, and value block encoding took a non-specialist one hour. The student pushed further that same week, using the same AI-assisted approach to bypass, in minutes, a client-side paywall in a Chrome extension with five million users. The Hacker News thread that followed surfaced a familiar observation: systems historically protected by the obscurity of specialized knowledge are increasingly exposed as AI makes that knowledge broadly accessible.

CSC ServiceWorks has been here before. In May 2024, TechCrunch reported that UC Santa Cruz students Alexander Sherbrooke and Iakov Taranenko had spent five months trying to disclose a separate CSC API vulnerability — one that allowed arbitrary credit injection — before going public after CSC failed to respond, including never opening a CERT Coordination Center portal notification. CSC only patched the flaw and established a formal vulnerability disclosure program after press coverage. The company also disclosed a 2023 data breach in August 2024, roughly eleven months after the intrusion began, affecting at least 35,340 individuals whose Social Security numbers, bank account details, and health information were exfiltrated. CSC announced a modernization partnership with PayRange in mid-2025. The student's March 2026 writeup confirms Mifare Classic cards are still active in at least some residential deployments — which means the migration, whatever its pace, isn't finished yet.