
Chaos in a cup: When ransomware creeps into your smart coffee maker

When the fledgling concept of the Internet of Things (IoT) was beginning to excite the world almost a decade ago, perhaps no coffee lover at that time would have imagined including the coffee machine in the roster of internet-connected devices, even in jest. True, the simple, utilitarian coffee machine may not be as popular now as it used to be, but it is still a fixture in office premises and private home kitchens, and its inherent risks, much like those of any IoT device, put it on an equal footing with your smart speaker, smart doorbell, or smart light bulb.

Cybersecurity concerns surrounding internet-connected coffee machines were underlined by recent news that Martin Hron, a reverse engineer at Avast, modified his Smarter coffee maker so that it not only beeps and spews hot water but also refuses to produce a nice morning brew and displays a short ransom note.

Courtesy of Dan Goodin, Ars Technica

Yes, Hron turned his coffee maker into a ransomware machine by directly modifying its firmware.

Your bedlam before breakfast

Simply put, firmware is the low-level software embedded in a device that controls its electronic hardware. Firmware often ships without encryption, signature verification, or any other integrity protection, which makes it an attractive and easy target for malicious hackers and spy agencies.

"My colleagues often hear me say that 'firmware is a [sic] new software.' And that software is very often flawed," writes Hron in a blog post detailing his coffee machine hack. "The weakened state of IoT security is due in large part to the fact that, nowadays, it is more convenient and cheap to place a processor inside a device […]. This solution is not only cheap, but has also one important property—it can be updated."

When it comes to breaking into smart coffee makers to explore vulnerabilities in smart devices, this isn't Hron's first rodeo. The ransomware machine is the same coffee maker he first hacked in June 2019, now made to do the things seen in the video above. Beyond that, he demonstrated that smart devices in general can be used as a gateway into private networks, allowing threat actors to do as they please once inside: snooping on every device on the same network as the coffee machine, intercepting communication between users, downloading sensitive data, and uploading malicious software.

Unfortunately, the latter is exactly what happened to one company when ransomware entered its network through a compromised coffee machine.

Coffee, connectivity, and a ransom note

A Reddit user who went by the handle C10H15N1 (they admitted the alias was a throwaway one, used to stay anonymous) learned first-hand how a small mistake in setting up IoT devices in the workplace can cause panic, and potentially massive problems, if it is not dealt with early on.

Three years ago, they recounted in a post, an operator of a local factory control system reported that all four computers running the monitoring software were down and showing an error message, which turned out to be a ransom note. As a programmable logic controller (PLC) expert, C10H15N1 helped the operator work out what was wrong and come up with a solution. What the operator described sounded like a ransomware infection, something that should not have been possible, since the affected computers, which were still running the long-outdated Windows XP, were not connected to the internet.

C10H15N1 then instructed the operator to restart the computers and reimage them from a clean image. It worked for a while; then, one by one, the computers started showing the same error again, leaving C10H15N1 stumped. While they were still trying to figure out why the computers kept getting reinfected, the operator went off to get coffee, only to come back empty-handed: the coffee machines were displaying the same error message.

In the end, no human or machine was harmed during the attack. They eventually worked out that the attackers had used the coffee machines as a platform to infect other computers on the network. The smart coffee machines were supposed to be connected only to their own isolated Wi-Fi network; however, the third-party personnel who installed the percolators had also cabled them into the control room network.

Nevertheless, C10H15N1's company sent out a scathing letter to their coffee machine supplier about what happened.

What can you do to protect yourself from troubles your smart coffee machine may cause you?

IoT ransomware is no longer a theory but a reality, even if it remains rare, and that rarity is no reason for organizations or consumers to lower their guard. Now that we have a real-world incident, on top of multiple demonstrations by security researchers of successful hacks against smart percolators [1][2][3][4][5][6][7], IoT ransomware must be on every enterprise's and private citizen's radar, and they should already be thinking about how to better protect themselves. Let's start with these:

  • Keep your smart percolator off any network that also carries systems holding sensitive information, and off any network where sensitive communication within your organization (or home) takes place. A separate Wi-Fi network or VLAN dedicated to IoT devices is the simplest way to do this.
  • Update your smart percolator's firmware as soon as updates become available.
  • Secure your network. Replace your router's default Wi-Fi passphrase and administrator password with long, unique ones.
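The incident above came down to one device being plugged into the wrong segment, and the first bullet is only useful if someone checks it regularly. The following is an added example, not code from the Malwarebytes post or from any of the parties involved: it parses a DHCP lease table and flags any device whose MAC address prefix is not on the allowlist for the segment it has landed on. All of the data is constructed: the subnets, hostnames and MAC OUI prefixes are hypothetical and do not belong to any real vendor, and the lease format mirrors the common dnsmasq layout only as an assumption about what your DHCP server writes.

```python
"""Flag IoT devices that have landed on a network segment where they do not belong.

Added example (not part of the original post). A coffee machine cabled into a
control-room network is exactly what a per-segment device policy, checked
against the live DHCP lease table, is meant to catch.
"""
import ipaddress
import re
from dataclasses import dataclass

# Constructed lease lines in dnsmasq layout: expiry, MAC, IP, hostname, client-id.
# One coffee machine (02:cc:dd) sits on the control-room subnet; that is the bug.
SAMPLE_LEASES = """\
1601510400 02:aa:bb:10:00:01 10.20.0.11 hmi-01 *
1601510400 02:aa:bb:10:00:02 10.20.0.12 hmi-02 *
1601510400 02:cc:dd:20:00:07 10.20.0.57 smarter-coffee *
1601510400 02:cc:dd:20:00:08 192.168.50.21 kitchen-coffee-2 *
1601510400 02:ee:ff:30:00:01 10.20.0.99 unknown-device *
"""

# Hypothetical OUI prefixes -> device class; real deployments would use the
# IEEE OUI registry or an asset inventory instead of a hand-written map.
OUI_LABELS = {"02:aa:bb": "hmi-workstation", "02:cc:dd": "coffee-machine"}

# Which device classes may live on which segment. Anything else is a violation.
SEGMENT_POLICY = {
    ipaddress.ip_network("10.20.0.0/24"): {"02:aa:bb"},     # control room: HMIs only
    ipaddress.ip_network("192.168.50.0/24"): {"02:cc:dd"},  # isolated IoT Wi-Fi
}

LEASE_RE = re.compile(r"^\d+\s+(\S+)\s+(\S+)\s+(\S+)")


@dataclass(frozen=True)
class Lease:
    mac: str
    ip: ipaddress.IPv4Address
    hostname: str


def parse_leases(text):
    """Parse lease lines into Lease records; malformed lines are skipped."""
    leases = []
    for line in text.splitlines():
        m = LEASE_RE.match(line)
        if not m:
            continue
        mac, ip, host = m.groups()
        leases.append(Lease(mac.lower(), ipaddress.ip_address(ip), host))
    return leases


def segment_for(ip):
    """Return the managed segment containing ip, or None if it is unmanaged."""
    for net in SEGMENT_POLICY:
        if ip in net:
            return net
    return None


def find_violations(leases):
    """Return (hostname, ip, device label, reason) for each lease that breaks policy."""
    violations = []
    for lease in leases:
        oui = lease.mac[:8]  # first three octets, e.g. "02:cc:dd"
        label = OUI_LABELS.get(oui, "unknown")
        net = segment_for(lease.ip)
        if net is None:
            violations.append((lease.hostname, str(lease.ip), label,
                               "address outside every managed segment"))
        elif oui not in SEGMENT_POLICY[net]:
            violations.append((lease.hostname, str(lease.ip), label,
                               f"not permitted on {net}"))
    return violations


if __name__ == "__main__":
    for v in find_violations(parse_leases(SAMPLE_LEASES)):
        print("VIOLATION: %s (%s) is a %s device: %s" % v)
```

Run against the constructed leases, the check reports the coffee machine on 10.20.0.57 and the unknown device on 10.20.0.99 while leaving the HMIs and the coffee machine on its own Wi-Fi alone. Wiring this to the real lease file on a cron job, and alerting on any violation, turns the segmentation advice above into something that is actually enforced.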

When it comes to whether you should get an IoT device or not, the general rule is to first ask yourself this question: Do I really need my light bulb/coffee pot/washing machine/doorbell/other household items to be smart?

If your answer is "no", then keep using the items and appliances you already have. However, if having an IoT device in the home is unavoidable (you really need to replace that broken TV, and no shop sells the same make and model anymore), then by all means buy that smart TV, and that smart coffee maker too, while you're at it. But please make sure that you do everything you can to stay protected. Remember that your supplier has their part to play in the security of things. You have your part, too.

Happy International Coffee Day! Keep that coffee flowing and, as always, stay safe!

The post Chaos in a cup: When ransomware creeps into your smart coffee maker appeared first on Malwarebytes Labs.
