A hijacked IoT coffee maker that can torment its owner and demand a ransom typifies the huge risks associated with the rapidly increasing prevalence of internet-connected devices, according to the security researcher who found the flaw.
Martin Hron, a researcher at security firm Avast, revealed this week how he reverse-engineered a smart coffee maker and discovered a crucial weakness in the infrastructure of all IoT devices.
Hron, who detailed the process in a blog post, said after just a week of work he successfully transformed the Smarter IoT coffee maker into a ransomware machine.
When the user tried to connect the coffee machine to their home network, the machine would immediately turn on the burner, let loose hot water, continually spin the bean grinder and display a ransom message while beeping. The only way to make this whole mess stop would be to unplug the device, rendering it unusable.
Hron said he started to look at the coffee maker as a way of testing whether IoT devices themselves present security risks.
“I was asked to prove a myth, call it a suspicion, that the threat to IoT devices is not just accessing them via a weak router or exposure to the internet, but that an IoT device itself is vulnerable and can be easily owned without owning the network or the router,” Hron wrote.
“We often say that your home network, thought of as a chain of trust, is only as strong as its weakest link, but what if the same were true at the device level?”
The smart coffee machine is connected to the user’s local network through its smartphone app. When it is turned on for the first time, it operates in local mode and creates its own WiFi network that it connects to first in order to complete the setup process.
The smartphone app allows the user to create a network of a range of devices from the same provider, and connect them to the same home network. The app also allows the user to check for updates and initiate this process.
Hron turned the device into ransomware by inserting malicious code into its firmware after discovering that it runs on a “simple” binary protocol with “hardly any encryption, authorisation or authentication”.
“There is no security, so anyone who has access to the network and is able to reach the IP address of the coffee maker can control it,” Hron said.
The researcher retrieved the circuit board from within the coffee maker, and reverse engineered the entire firmware of the device.
“We knew exactly where every peripheral connects, how to control it, and all the commands that the coffee maker is able to perform,” he said.
He found that the updating process, where the coffee maker notes there is something ready to go and performs a reboot, doesn’t use any encryption or signature, with everything transmitted in plain text over an unsecured WiFi connection.
He was then able to trick the machine into updating itself with malicious code he had inserted into the unused memory space on it, turning the device into ransomware when triggered by the user.
While this sort of attack would likely require physical access to the smart device or to the wider network, it “demonstrates one of the most concerning issues with modern IoT devices,” Hron said.
“In the security domain, we used to consider software as an untrusted part of the ecosystem, while considering the hardware as secure and trusted. More and more often, we see how this trust is being broken,” he said.
“Unfortunately, many vendors make firmware attacks more viable by just leaving security behind and making it wide open to attackers. For cybercriminals this opens up the whole new world of attack surfaces to abuse.
“It may not be that easy to write and replace firmware, but the advantages of stealthiness and persistence you can achieve are just so tempting.”
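The update process described above carried no signature, so the device had no way to tell a vendor image from a modified one. The following is an added example, not code from Hron's post or from the coffee maker's firmware, of the device-side check that was missing; the package layout, the names and the sample image are assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"encoding/binary"
	"errors"
	"fmt"
)

// Package is a hypothetical update format: version, image, Ed25519 signature.
type Package struct {
	Version   uint32
	Image     []byte
	Signature []byte
}

var ErrBadSignature = errors.New("update rejected: signature does not verify")
var ErrRollback = errors.New("update rejected: not newer than installed version")

// signedBytes binds the version to the image so neither can be swapped alone.
func signedBytes(version uint32, image []byte) []byte {
	buf := make([]byte, 4, 4+len(image))
	binary.BigEndian.PutUint32(buf, version)
	return append(buf, image...)
}

// Accept is the device-side check, run before anything is written to flash.
// Only the vendor's public key is stored on the device.
func Accept(vendorKey ed25519.PublicKey, installed uint32, p Package) error {
	if !ed25519.Verify(vendorKey, signedBytes(p.Version, p.Image), p.Signature) {
		return ErrBadSignature
	}
	if p.Version <= installed {
		return ErrRollback
	}
	return nil
}

// Demo runs three constructed updates: genuine, modified in transit, replayed.
func Demo() (ok, tampered, rollback error) {
	pub, priv, _ := ed25519.GenerateKey(nil) // throwaway vendor key pair
	image := append([]byte("FW-CODE"), make([]byte, 16)...) // code + unused padding
	good := Package{2, image, ed25519.Sign(priv, signedBytes(2, image))}
	bad := Package{2, append([]byte(nil), image...), good.Signature}
	copy(bad.Image[7:], "INJECTED") // padding overwritten, signature reused
	return Accept(pub, 1, good), Accept(pub, 1, bad), Accept(pub, 2, good)
}

func main() { fmt.Println(Demo()) }
```

Because the signature covers every byte of the image, a change confined to otherwise unused space is rejected the same way as a change to the code itself.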
No longer updating or providing security for legacy IoT devices is a disaster waiting to happen, Hron said.
“With the pace of IoT explosion and bad attitude to support, we are creating an army of abandoned vulnerable devices that can be misused for nefarious purposes such as network breaches, data leaks, ransomware attacks and DDoS,” he said.
There have been several examples of creepy and worrying hackings of internet-connected devices. In late 2018 two parents in Texas were woken up by a voice threatening to kidnap their child coming through their smart baby monitor.
After turning on the light, the voice told them to turn it off and then said he was going to kidnap their baby. But it turned out there was no-one in the baby’s room, and somebody had hacked the IoT device.
There have been multiple other incidents of smart baby monitors being hacked and hijacked.
The federal government recently unveiled its voluntary IoT Code Of Practice, outlining the security expectations for devices being sold in Australia. These included avoiding duplicated or weak passwords, a vulnerability disclosure policy and keeping software updated.