Back in the day, I wanted a smart home (I’ve said that before somewhere in here). I even bought a number of X-10 modules for alerts and lights along with a module to hook up to my then ancient PC. To control and manage various kinds of stimuli (e.g., door/window opens, day to night, break-ins, date or time-based events) and commands.
Examples include shutting the garage door, dim the lights at bed time, turn EVERYTHING on if I hear loud BANGS in the middle of the night. But my idea was it being self-contained in all things but still controlling everything.
And then the Internet popped up and now, ‘Net connection is being pushed down to smaller and smaller devices as the computer resources that can drive them have gotten smaller and smaller and REAL cheap. My idea of doing a smart home was put off to the side simply because of LIFE! Funny, I’d still like to do so but not now
I’m not talking just about computer devices – PCs, laptops, tablets, phones. Almost every kind of consumer goods manufacturer wants to be able to proclaim “WE CONNECT TO THE INTERNET!!”.
Well, goody for you. Because now that you do TMEW might not get her morning coffee. NOT a good place to be! She desires few things – her morning coffee, however, is non-negotiable. I can tell you what her outlook would be if this happened to her coffee maker (I hate coffee so it wouldn’t affect me other than I love my wife and a no-coffee wife means headaches ahead (reformatted, emphasis mine):
This Hacked Coffee Maker Demands Ransom and Demonstrates a Terrifying Implication About the IoT
It’s no secret that the Internet of Things (“IoT”) is full of insecure gadgets. All you need is one high profile incident to be flooded with terrifying headlines about how everything from robotic vacuum cleaners to smart sex toys can be hacked to spy on you. However, apparently some devices like Smarter’s IoT coffee machine can also be reprogrammed to go haywire and demand ransom from unsuspecting users.
This week, Martin Hron, a researcher with the security firm Avast, reverse engineered a $250 Smarter coffee maker as part of a thought experiment to potentially uncover an important flaw in the infrastructure of smart devices.
“I was asked to prove a myth, call it a suspicion, that the threat to IoT devices is not just to access them via a weak router or exposure to the internet, but that an IoT device itself is vulnerable and can be easily owned without owning the network or the router,” he wrote in a blog post detailing his methods.
His experiment was a success: After a week of tinkering, he effectively turned the coffee maker into a ransomware machine. When the user tries to connect it to their home network, it triggers the machine to turn on the burner, spew hot water, endlessly spin the bean grinder, and display a pre-programmed ransom message while beeping incessantly. The only way to get it to stop? Unplugging your now seemingly possessed coffee maker entirely.
I would have called out either one of the SIG brothers or Mr. Mossberg and made very quick work of such rebellion. Of course, then I’d have to face TMEW – immediately make some “manual” coffee and plan to go visit the store to get Coffeemaker 0.1 (pre-Internet).
Now, think of the FUN you’d have if every one of your devices, of which you were very proud and show off what you had done in setting them. Imagine you’re having a dinner party with a number of your friends, who all know of your IoT hobbyist bent, and then every single device decides to act up and make your brattiest kid look like an angelic being. Liquids there, heat there competing with the airconditioning, clothes being spat out, lights going off and on, your cars start getting updates and then go dead in the middle of it, your robotic mower heads to your beloved rose gardens, your irrigation system starts aiming at your guests, and your in-house sauna decides that the WHOLE house needs to be full of steam.
You get the picture or should I continue (or better yet, give me some more examples in the Comment section!). Anyways – wtch for the pointy head to start blinking:
“It was done to point out that this did happen and could happen to other IoT devices,” Hron said in an Ars Technica interview. “This is a good example of an out-of-the-box problem. You don’t have to configure anything. Usually, the vendors don’t think about this.”
No, and why should they? They believe that their work is fool-proof, right?
Hron discovered that the coffee maker acts as a wifi access point and uses an unencrypted connection to link to its corresponding smartphone app, which is how the user interacts with their machine and hooks it up to their home wifi network. The app also pushes out firmware updates, which the machine received with “no encryption, no authentication, and no code signing,” pers Ars Technica, providing an easy exploit.
Upon learning this, he uploaded the Android app’s latest firmware version to a computer and reverse engineered it using IDA, an interactive disassembler and staple in any reverse engineer’s toolkit. The process also required disassembling the coffee maker to learn what CPU it used. Armed with this information, he wrote a python script that mimicked the coffee maker’s update process to implement the modified firmware and lines of script that actually trigger it to go haywire. Programming the machine to demand ransom wasn’t Hron’s first idea, though, as he wrote in the blog:
And if you want more (and there is more at the link), go here.
If you’re interested in more details about the experiment, Hron has written more than 4,000 words detailing his methodology in a blog post, which you can check out here.
Update: 10/1/2020; 6:32 p.m.: To reassure customers who may be worried about the security of their own Smarter coffee maker, Smarter highlighted the fact that Hron was working with a first-generation model for this experiment (which has since been discontinued) and provided the following statement to Gizmodo:
“Smarter is committed to ensuring its smart kitchen range has the highest levels of security safeguards at its core, and all connected products sold since 2017 are certified to the UL 2900-2-2 Standard for Software Cybersecurity for Network-Connectable Devices.