IoT coffee machine hacked to demand ransom

Your morning brew could be disrupted by a lack of encryption and a reverse engineered firmware update

Coffee beans made to look like a skull and crossbones

A security researcher has managed to reverse engineer an IoT coffee maker to the point where ransomware could be uploaded to the machine. 

Martin Hron, a researcher with security firm Avast, conducted an experiment on the £179 Smarter Coffee Maker (version 1) to prove that hacking IoT devices is more than just accessing them via weak routers. 

Security issues within the Smarter brand of coffee machines, and its iKettle, have previously been highlighted. London-based security firm Pen Test Partners found that they could recover Wi-Fi encryption keys used in the first version of the Smarter iKettle in 2015. These same flaws were also spotted in the first version of the coffee maker. 

Hron managed to turn that same coffee maker into a ransomware machine. After tinkering with the IoT device, he found that when connected to the user's home network, the coffee maker's functions all went off simultaneously and a pre-programmed ransom message endlessly bleeped across the display. 

His experiment was so successful that the only way to stop the machine from going haywire was to pull the plug. 

"I was asked to prove a myth, call it a suspicion, that the threat to IoT devices is not just to access them via a weak router or exposure to the internet, but that an IoT device itself is vulnerable and can be easily owned without owning the network or the router," Hron wrote in a blog post.

"We thought this would be enough to freak any user out and make it a very stressful experience. The only thing the user can do at that point is unplug the coffee maker from the power socket."

Hron was able to access the coffee machine through a firmware update because of the unencrypted connection to its corresponding smartphone app. He uploaded the Android app's latest firmware version to a computer and reverse engineered it using an interactive disassembler, and also took the coffee machine apart to learn what CPU it used.

With all that information, he then wrote a Python script that mimicked the coffee maker's update process. His modified firmware and lines of script caused the machine to go haywire and demand a ransom. 

Related Resource

BIOS security: The next frontier for endpoint protection

Today’s threats upend traditional security measures

How to stop breaches at BIOS level - whitepaper from DellDownload now

This is by no means an easy hack and it has its limitations, as an attacker would need to find the coffee maker within Wi-Fi range. It can be triggered by hacking someone's router, but that would potentially require access to more than just a coffee machine. 

"A very limited number of first-generation units had been sold in 2016 and although updates are no longer supported for these models, we do review any legacy claims on a per customer basis in order to provide continued customer care," a Smarter spokesperson told IT Pro

But the implications of this kind of hack are concerning for the wider IoT industry, according to Hron, as smart gadgets could be rendered incapable of receiving patches to fix such a weakness. He also suggests that this type of vulnerability might be exploited in devices that no longer receive support. 

"With the pace of IoT explosion and bad attitude to support, we are creating an army of abandoned vulnerable devices that can be misused for nefarious purposes such as network breaches, data leaks, ransomware attack and DDoS."

Featured Resources

Choosing a collaboration platform

Eight questions every IT leader should ask

Download now

Performance benchmark: PostgreSQL/ MongoDB

Helping developers choose a database

Download now

Customer service vs. customer experience

Three-step guide to modern customer experience

Download now

Taking a proactive approach to cyber security

A complete guide to penetration testing

Download now

Recommended

How can you protect your business from crypto-ransomware?
Security

How can you protect your business from crypto-ransomware?

20 Apr 2021
Best ransomware removal tools
ransomware

Best ransomware removal tools

9 Apr 2021
Geico data breach leads to stolen driver’s license numbers
data breaches

Geico data breach leads to stolen driver’s license numbers

21 Apr 2021
UK’s IoT security regulation will also include smartphones
Internet of Things (IoT)

UK’s IoT security regulation will also include smartphones

21 Apr 2021

Most Popular

Microsoft is submerging servers in boiling liquid to prevent Teams outages
data centres

Microsoft is submerging servers in boiling liquid to prevent Teams outages

7 Apr 2021
How to find RAM speed, size and type
Laptops

How to find RAM speed, size and type

8 Apr 2021
REvil threatens to release Apple’s hardware schematics
ransomware

REvil threatens to release Apple’s hardware schematics

21 Apr 2021