How A Coffee Machine Infected Factory Computers with Ransomware

Although it is unclear which ransomware hit the system, the timing makes WannaCry the most likely culprit.

It’s no surprise that Internet of Things (IoT) devices are highly vulnerable to cyber attacks, but who would have thought a time would come when these devices would become a security threat to institutions? This case involves a coffee machine and a ransomware attack.

A few months ago researchers exposed life-threatening vulnerabilities in IIoT (Industrial Internet of Things) devices, specifically industrial robots. Their findings showed that robots could be hacked; the case discussed here, however, involves a smart, Internet-connected coffee machine.

The incident took place in June 2017 and was shared on Reddit by a chemical engineer who goes by the handle “C10H15N1.” He works as a PLC (Programmable Logic Controller) expert at a company that has multiple petrochemical factories making chemicals in Europe.

According to C10H15N1, he received a call from one of the factory operators informing him that something had hit the local control system and that all computer systems were down and showing an error. However, upon analyzing the problem remotely, C10H15N1 didn’t find any issue other than the monitoring system, which had crashed even though it wasn’t connected to the Internet.

It was then that C10H15N1 suspected something was seriously wrong, since the system was running Windows XP. It must be noted here that a couple of months ago, millions of devices running Windows XP were severely infected by the WannaCry ransomware and the Petya wiper attack around the world.

Therefore, C10H15N1 asked the operator what was happening on the computer screen, and his reply sounded like the company was under a ransomware attack.

“As I’m part of the team working on the monitoring software I’ll take over the call, while my colleague will keep monitoring the situation. I asked the operator what was happening on his screens, and he starts describing something that sounds very similar to an infamous ransomware attack. Which is problematic, because the computers running the monitoring software are not connected to the internet,” C10H15N1 wrote in his Reddit post.

Although it is unclear which ransomware hit the company’s systems, the timing makes WannaCry the most likely culprit, since the same ransomware also infected a Honda Motors plant in Japan and traffic cameras in Australia in June 2017.

However, describing the situation, C10H15N1 revealed that his company couldn’t update their operating system due to local laws implemented by the government. Therefore, they were left with no option but to use outdated Windows XP on their system.

“We cannot update the monitoring software on those machines because it’s then no longer validated by local government. We cannot update those machines because as soon as we update them, monitoring software crashes due to a race condition that is not in the older version of the operating system.

Local government can only validate the new version of monitoring software when the factory is down, and the factory is normally only down when all our clients are down. All our clients are normally only down when all the factories are having their planned big maintenance stop. Which is normally once every 5 years.

So because of this stupid bureaucracy, we cannot update those computers, and because of that they are not connected to the internet, and also have no accessible USB ports. They are only on an Internal network which can reach the PLCs,” C10H15N1 wrote.

Now, to tackle the issue, C10H15N1 asked the operator to pull the power plug on the computers powering the monitoring system, and then power them back on, and press the key combination to start reinstalling from a network image.

Once the operator finished re-imaging the systems, C10H15N1 thought the nightmare was over, but little did he know it was just the beginning. Suddenly, one by one, the re-imaged systems started to get infected again and displayed the same error message.

The operator asked C10H15N1 if he could get some coffee and went straight to the coffee machine, but he came back empty-handed and said he couldn’t get coffee because the coffee machine was displaying the same error message as the computers.

It was then that C10H15N1 realized what was going on and explained:

“So long story short, the coffee machines are supposed to be connected to their own isolated WiFi network. However, the person installing the coffee machine connected the machine to the Internal control room network, and then when he didn’t get internet access remembered to also connect it to the isolated WiFi network. The operator contacted us about his monitoring system not working but forgot to mention the Coffee Machines were showing the same error.”

Hence it turned out to be the mistake of the external company responsible for managing the coffee machines. C10H15N1 wrote a scathing letter to the company, which was quick to fix the issue.

This is a lesson for those working at sensitive installations to always check which device is connected to which network. And to be honest, who needs an Internet-connected coffee machine? But then, when we have smart dildos, why blame smart coffee machines anyway?
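As an added illustration (not part of the original article or the Reddit post), the check described above can be run over client tables exported from the network: flag anything on the control segment that is not approved hardware, and anything there that also shows up on another segment. The segment names, MAC addresses, hostnames and allowlist are constructed, and the sketch assumes a dual-homed device reports the same hostname on both of its interfaces.

```python
from collections import defaultdict

# Constructed sample: "segment,mac,hostname" rows as they might be exported
# from DHCP leases or switch/AP client tables. All values are made up.
LEASES = """\
control,00:1b:1b:aa:00:01,mon-ws-01
control,00:1b:1b:aa:00:02,mon-ws-02
control,00:0e:8c:10:20:30,plc-line-a
control,a4:cf:12:77:88:99,coffee-3f
vendor-wifi,a4:cf:12:77:88:9a,coffee-3f
vendor-wifi,a4:cf:12:55:00:10,coffee-2f
"""

# Hypothetical allowlist of MAC addresses approved for the control network.
CONTROL_ALLOWLIST = {"00:1b:1b:aa:00:01", "00:1b:1b:aa:00:02", "00:0e:8c:10:20:30"}

def parse(text):
    """Return a list of (segment, mac, hostname) tuples, normalised to lower case."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        segment, mac, host = (f.strip().lower() for f in line.split(","))
        rows.append((segment, mac, host))
    return rows

def audit(rows, protected="control", allowlist=CONTROL_ALLOWLIST):
    """Flag unapproved hardware on the protected segment and hosts that also
    appear on another segment (a dual-homed device bridging two networks)."""
    segments_by_host = defaultdict(set)
    for segment, _mac, host in rows:
        segments_by_host[host].add(segment)
    findings = []
    for segment, mac, host in rows:
        if segment != protected:
            continue
        if mac not in allowlist:
            findings.append((host, mac, "not on allowlist"))
        others = sorted(segments_by_host[host] - {protected})
        if others:
            findings.append((host, mac, "also on " + ",".join(others)))
    return findings

if __name__ == "__main__":
    for finding in audit(parse(LEASES)):
        print(*finding, sep="  ")
```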
