Vulnerable Coffee Makers - ThreatWire

By Shannon Morse, ThreatWire 

Smarter-branded products were found to be vulnerable to a series of attacks back in 2015, when researchers at Pen Test Partners in London showed how a malicious actor could extract the WiFi encryption key from the Smarter iKettle version 1. Version 2 also didn't have any firmware signing, and the chipset used on the device, the ESP8266, didn't have a trusted enclave, so the firmware could be replaced. EvilSocket researchers also reverse engineered the device and completely took control of it.

Smarter came out with iKettle version 3 and Coffee Maker version 2 around 2018, which used new, more secure chipsets. But the older ones are still in use to this day, so Avast security researcher Martin Hron decided to completely pwn one of these things to see just what he could do.

Hron was able to turn on the burner, dispense water, spin the bean grinder, and display a ransomware message on the screen. A user wouldn't be able to fix it - they could only unplug it to stop the machine from going haywire.

So why does this happen? The older Smarter devices work like unsecured WiFi access points as soon as they're first plugged in, so that a smartphone app can connect to them. There's no encryption or authentication for the communication between the smartphone and the coffee maker. That includes firmware updates - they're pushed through the phone app, completely unauthenticated, and stored in the app as well. Hron was able to pull the firmware onto his computer to reverse engineer it, and found plenty of it to be human-readable. He posits the firmware is uploaded in plaintext to the flash memory of the coffee maker.

Hron physically took the coffee maker apart to find out what CPU it was using, and based on his findings he wrote a Python script to mimic the firmware and uploaded that to the machine. This could, in essence, be malware or ransomware if an attacker wanted.

So that WiFi AP shows up as an SSID when the device is first set up. Once it's connected to a WiFi network, that SSID is no longer used. But an attacker within range could send deauth packets to disassociate the coffee maker from the wireless LAN and make that SSID appear once again, which would be obvious because it starts with Smarter Coffee and ends with the MAC address. The attack could only be done remotely if a local network was already hacked.
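From the defender's side, the reappearance of that setup SSID after a device has been provisioned is a useful signal: it means the coffee maker was reset or knocked off the network. The following is an added example, not code from the article or from Avast, that scans constructed `iw dev wlan0 scan` output for APs matching the "Smarter Coffee" plus MAC pattern, checks whether the network is open and whether the advertised MAC matches the AP's BSSID; the exact SSID format is assumed, since the article only gives its shape.

```python
import re
from dataclasses import dataclass

# Constructed sample of `iw dev wlan0 scan` output (not a real capture).
SAMPLE_SCAN = """\
BSS 5c:cf:7f:12:34:56(on wlan0)
    signal: -41.00 dBm
    SSID: Smarter Coffee 5CCF7F123456
BSS 00:11:22:33:44:55(on wlan0)
    signal: -60.00 dBm
    SSID: HomeNetwork
    RSN:     * Version: 1
BSS aa:bb:cc:dd:ee:ff(on wlan0)
    signal: -70.00 dBm
    SSID: Smarter Coffee 000000000000
    RSN:     * Version: 1
"""

# Assumed SSID shape: "Smarter Coffee" followed by the device MAC (hex, with or without colons).
SETUP_SSID = re.compile(r"^Smarter Coffee[ _:-]*([0-9A-Fa-f:]{12,17})$")

@dataclass
class Finding:
    ssid: str
    bssid: str
    open_network: bool   # no RSN/WPA information element advertised
    mac_matches: bool    # MAC embedded in the SSID equals the AP's BSSID

def parse_scan(text):
    """Split iw scan output into (bssid, ssid, has_rsn) tuples, one per BSS block."""
    networks = []
    for block in re.split(r"^BSS ", text, flags=re.M)[1:]:
        bssid = block[:17].lower()
        ssid_m = re.search(r"^\s*SSID: (.*)$", block, flags=re.M)
        ssid = ssid_m.group(1).strip() if ssid_m else ""
        has_rsn = bool(re.search(r"^\s*(RSN|WPA):", block, flags=re.M))
        networks.append((bssid, ssid, has_rsn))
    return networks

def find_setup_mode_devices(scan_text):
    """Flag APs that look like a Smarter device back in its unprovisioned setup mode."""
    findings = []
    for bssid, ssid, has_rsn in parse_scan(scan_text):
        m = SETUP_SSID.match(ssid)
        if not m:
            continue
        embedded = m.group(1).replace(":", "").lower()
        findings.append(Finding(ssid, bssid, not has_rsn, embedded == bssid.replace(":", "")))
    return findings
```

A finding with `open_network` and `mac_matches` both true is the pattern the article describes; a matching SSID on a protected network or with a mismatched MAC is worth a closer look but may be something else imitating the name.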

Device manufacturers should consider how their devices are first connected to a network, and the importance of encrypted and authenticated communications. Since appliances are used for more than a decade on average, software updates should also continually be made available for those devices. But that's not profitable for vendors when they could just push out new products every 3-4 years and stop updating the older ones, leaving your network vulnerable and potentially allowing attackers to brick devices.

Ars Technica points out that setting up a virtual LAN with its own SSID, partitioned and isolated at the data link layer of the network (OSI layer 2), can help protect your other devices in the event of an IoT vulnerability.

Watch on YouTube: https://youtu.be/kxlgrj8snaM

Subscribe for more giveaways! https://youtube.com/shannonmorse

Join now for access to extra perks and to support ThreatWire! https://www.patreon.com/threatwire

Coffee Maker Vulnerability sources:
https://www.pentestpartners.com/security-blog/hacking-kettles-extracting-plain-text-wpa-psks-yes-really/
https://www.evilsocket.net/2016/10/09/IoCOFFEE-Reversing-the-Smarter-Coffee-IoT-machine-protocol-to-make-coffee-using-terminal/index.html
https://arstechnica.com/information-technology/2020/09/how-a-hacker-turned-a-250-coffee-maker-into-ransom-machine/
https://decoded.avast.io/martinhron/the-fresh-smell-of-ransomed-coffee/
https://www.youtube.com/watch?v=bJrIh94RSiI