October 23, 2020

When Coffee Machines Demand Ransom, You Know IoT Is Screwed


With the name Smarter, you might expect a maker of network-connected kitchen appliances to be, well, smarter than companies selling conventional appliances. But in the case of the Smarter’s internet-of-things coffee maker, you’d be wrong.


This story originally appeared on Ars Technica, a trusted source for technology news, tech policy analysis, reviews, and more. Ars is owned by WIRED’s parent company, Condé Nast.

Security problems with Smarter products first came to light in 2015, when researchers at London-based security firm Pen Test Partners found that they could recover a Wi-Fi encryption key used in the first version of the Smarter iKettle. The same researchers found that version 2 of the iKettle and the then-current version of the Smarter coffee maker had additional problems, including no firmware signing and no trusted enclave inside the ESP8266, the chipset that formed the brains of the devices. The result: The researchers showed that a hacker could probably replace the factory firmware with a malicious one. The researcher EvilSocket also performed a complete reverse engineering of the device protocol, allowing remote control of the device.

Two years ago, Smarter released the iKettle version 3 and the Coffee Maker version 2, said Ken Munro, a researcher who worked for Pen Test Partners at the time. The updated products used a new chipset that fixed the problems. He said that Smarter never issued a CVE vulnerability designation, and it didn’t publicly warn customers not to use the old ones. Data from the Wigle network search engine shows the older coffee makers are still in use.

As a thought experiment, Martin Hron, a researcher at security company Avast, reverse engineered one of the older coffee makers to see what kinds of hacks he could do with it. After just a week of effort, the unqualified answer was: quite a lot. Specifically, he could trigger the coffee maker to turn on the burner, dispense water, spin the bean grinder, and display a ransom message, all while beeping repeatedly. Oh, and by the way, the only way to stop the chaos was to unplug the power cord. You can see it for yourself here.

“It’s possible,” Hron said in an interview. “It was done to point out that this did happen and could happen to other IoT devices. This is a good example of an out-of-the-box problem. You don’t have to configure anything. Usually, the vendors don’t think about this.”

When Hron first plugged in his Smarter coffee maker, he discovered that it immediately acted as a Wi-Fi access point that used an unsecured connection to communicate with a smartphone app. The app, in turn, is used to configure the device and, should the user choose, connect it to a home Wi-Fi network. With no encryption, the researcher had no problem learning how the phone controlled the coffee maker and, since there was no authentication either, how a rogue phone app might do the same thing.

That capability still left Hron with only a small menu of commands, none of them especially harmful. So he then examined the mechanism the coffee maker used to receive firmware updates. It turned out they were received from the phone with—you guessed it—no encryption, no authentication, and no code signing.
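The update checks the coffee maker skipped, as an added example that is not code from the article or from Smarter: it assumes a constructed image format (header, payload, authentication tag) and uses HMAC-SHA256 with a device-provisioned key as a standard-library stand-in for the asymmetric code signature a real design would use.

```python
import hashlib
import hmac
import struct
from typing import Tuple

# Constructed key for this example. A production design would use an asymmetric
# signature (e.g. Ed25519) so that the device stores only a public key; HMAC is
# used here only to keep the example dependency-free.
DEVICE_KEY = b"example-provisioning-key-not-for-production"
MAGIC = b"FWUP"
HEADER = struct.Struct(">4sII32s")  # magic, version, payload length, sha256(payload)
TAG_LEN = 32

def build_image(version: int, payload: bytes, key: bytes = DEVICE_KEY) -> bytes:
    """Vendor side: header + payload, then a tag over both (assumed format)."""
    header = HEADER.pack(MAGIC, version, len(payload), hashlib.sha256(payload).digest())
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag

def verify_image(image: bytes, installed_version: int,
                 key: bytes = DEVICE_KEY) -> Tuple[bool, str]:
    """Device side: the checks an update handler must pass before flashing."""
    if len(image) < HEADER.size + TAG_LEN:
        return False, "truncated image"
    header, rest = image[:HEADER.size], image[HEADER.size:]
    magic, version, length, digest = HEADER.unpack(header)
    if magic != MAGIC:
        return False, "bad magic"
    if len(rest) != length + TAG_LEN:
        return False, "length mismatch"
    payload, tag = rest[:length], rest[length:]
    # Authenticity first: anything a rogue phone app sends must fail here.
    # compare_digest keeps the comparison constant-time.
    expected = hmac.new(key, header + payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return False, "signature check failed"
    if hashlib.sha256(payload).digest() != digest:
        return False, "payload digest mismatch"
    # Anti-rollback: a genuine but older image must not be reinstalled.
    if version <= installed_version:
        return False, "rollback to version %d refused" % version
    return True, "accepted version %d" % version

if __name__ == "__main__":
    # Constructed sample images: genuine, tampered, unsigned plaintext, rollback.
    good = build_image(2, b"constructed firmware payload v2")
    tampered = bytearray(good)
    tampered[HEADER.size] ^= 0x01
    for label, img in [("genuine", good), ("tampered", bytes(tampered)),
                       ("plaintext", b"raw image, no header"), ("old", build_image(1, b"v1"))]:
        print(label, verify_image(img, installed_version=1))
```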

These glaring omissions created just the opportunity Hron needed. Since the latest firmware version was stored inside the Android app, he could pull it onto a computer and reverse engineer it using IDA, a software analyzer, debugger, and disassembler that’s one of a reverse engineer’s best friends. Almost immediately, he found human-readable strings.

“From this, we could deduce there is no encryption, and the firmware is probably a ‘plaintext’ image that is uploaded directly into the FLASH memory of the coffee maker,” he wrote in this detailed blog outlining the hack.

To actually disassemble the firmware—that is, to transform the binary code into the underlying assembly language that communicates with the hardware—Hron had to know what CPU the coffee maker used. That required him to take apart the device internals, find the circuit board, and identify the chips.

With the ability to disassemble the firmware, the pieces started to come together. Hron was able to reverse the most important functions, including the ones that check if a carafe is on the burner, cause the device to beep, and—most importantly—install an update.