Want Your Coffee Machine Back? Pay a Ransom
Research Highlights Danger of Insecure Firmware in Line of Coffee Machines
Avast infected the Smarter Coffee machine with ransomaware. (Source: Avast)
An internet-connected coffee machine is the latest IoT device to show security problems. The security firm Avast infected the Smarter Coffee machine with ransomware that causes uncontrollable spinning of its grinder and dispensing of hot water. The only option to stop it? Unplug the machine.
The research augments longstanding warnings about IoT: Device manufacturers are paying little attention to security while pushing devices to the market too soon and may not provide support for very long (see Not the Cat’s Meow: Petnet and the Perils of Consumer IoT)
Avast Senior Researcher Martin Hron describes his reverse-engineering adventure with the second version of the Smarter Coffee machine, made by Smarter Applications Ltd.
Hron found that he could tamper with the firmware without touching the actual device. He could also rig the device to cause its grinder to run uncontrollably and dispense hot water when a user tries to connect it to the home network.
The issues stem from the device’s firmware, which can be replaced without any authorization or authentication. The bug, CVE-2020-15501, affects Smart Coffee machines before the second generation, which are no longer produced.
“Even if we were to contact the vendor, we would likely get no response,” Hron writes in a blog post. “According to their website, this generation of coffee maker is no longer supported. So users should not expect a fix.”
Smarter Applications did not immediately reply to a request for comment.
Firmware Not Encrypted
The Smarter Coffee machines come with a mobile app that can be used to remotely trigger the process to make coffee.
The device allows people to start making coffee with the app, which is where the problems start. Smarter Coffee creates its own local Wi-Fi network using its ESP8266 chip, and that network has a very simple communication protocol, according to Avast.
“As expected, it’s a simple binary protocol with hardly any encryption, authorization or authentication,” Hron writes. “Communication with machines takes place on TCP port 2081.”
Anyone who has access to the network can communicate with the Smarter Coffee machine, and there is no security that prevents anyone who can reach the IP address of the machine to communicate with it, Hron writes. Also, anyone who is within range of the machine can talk to it even if the machine has not yet been connected to the local Wi-Fi network.
Hron found that the firmware is stored within the mobile app. The firmware isn’t encrypted, and the plaintext firmware is uploaded to the flash memory of the device, he says.
Hron found the firmware for the coffee machine as well as another Smarter product within the mobile app. (Source: Avast)
“What is so surprising here is that the update procedure doesn’t use any encryption or signature of the firmware,” Hron writes. “Everything is transmitted in plaintext over an unsecured Wi-Fi connection. The only check is CRC at the end.”
Avast’s initial goal was to infect the Coffee Machine with a cryptocurrency miner. But its processor, an ARM Cortex M0, runs at 8MHz, which makes it unlikely to successfully mine virtual currency.
“We decided to turn the coffee maker into a ransomware machine where a certain trigger initiates the ransom message,” Hron writes. “It looks completely innocent and operates normally until the trigger is hit by an attacker, making it even more surprising.”
Unused memory at the end of the firmware provided a place to put malicious code. Using an ARM assembler, the researchers wrote ransomware that would be triggered when someone tries to connect a machine to the local network.
The Smarter Coffee machine then delivers a surprise. Hot water begins spewing from the machine and the bean grinder starts turning. It also begins beeping while flashing an image of a devil’s head, and a bit.ly URL leads to the ransom message, according to a demo video in the blog post.
A message no coffee machine should ever display (Source: Avast)
“We thought this would be enough to freak any user out and make it a very stressful experience,” Hron writes. “The only thing the user can do at that point is unplug the coffee maker from the power socket.”
There are a couple of minor differences between different Smart Coffee machine versions. Older ones don’t require any interaction by a user to update the firmware, but for newer versions of the firmware, someone needs to push the start button to update it. But the barrier could likely be overcome with social engineering, Hron writes.
Hrom writes that devices such as this coffee machine may still work if they’re no longer getting the required security updates, but there are long-term impacts (see Smart Devices: How Long Will Security Updates Be Issued?)
“We are creating an army of abandoned vulnerable devices that can be misused for nefarious purposes such as network breaches, data leaks, ransomware attack and DDoS,” he writes.