An Avast security researcher reverse-engineered an IoT coffee machine to upload ransomware and mine Monero coin.
Smart appliances have always remained a risky option for consumers, specifically when it comes to coffee machines. Back in 2015, Pen Test Partners researchers discovered security flaws in the first version of the Smarter iKettle brand of coffee machine with which they could recover its Wi-Fi encryption keys.
Similar flaws were identified in the second version of this coffee machine, and now it appears that there are issues in its latest version as well. This should not come as a surprise, as in 2017 Hackread.com exclusively reported how a coffee machine infected a factory’s entire computer network with ransomware.
Now, Martin Hron, a senior researcher at security firm Avast, hacked the iKettle coffee maker’s third version without compromising the network or router. Hron experimented on the £179 coffee machine to demonstrate that hacking an IoT device is possible without accessing unprotected routers.
His experiment was quite successful as he had to pull the plug to stop the machine’s malfunctioning. Later he wrote about his findings in a blog post published on Sep 25, explaining that:
“The threat to IoT devices is not just to access them via a weak router or exposure to the internet, but that an IoT device itself is vulnerable and can be easily owned without owning the network or the router.”
Hron could access the coffee maker via a firmware update because the connection between the machine and its Android smartphone app was unencrypted.
When he switched it on, the researcher noted that the machine served as a Wi-Fi access point facilitating an unsecured/unencrypted connection to the Android app.
After probing further, Hron learned that the firmware update mechanism was also unencrypted and didn’t involve any authentication process or code-signing.
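The device-side check that was missing here, sketched as an added example that is not from the article or from Avast's research: a signed update package is verified, and rollbacks refused, before anything is flashed. The `FWUP` package layout and the demo key are constructed assumptions, and the RSA verification is written with the standard library only for illustration; a real product would use a vetted crypto library.

```python
import hashlib, hmac, struct

# Constructed demo key: a modulus built from two Mersenne primes is trivially
# factorable. A real vendor key comes from a vetted library or an HSM.
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent: build server only, never on the device
K = (N.bit_length() + 7) // 8       # signature length in bytes
DIGESTINFO_SHA256 = bytes.fromhex("3031300d060960864801650304020105000420")
HEADER = struct.Struct(">4sII")     # hypothetical layout: magic, version, payload length

def _encode(signed_part):
    """EMSA-PKCS1-v1_5 encoding of SHA-256(signed_part), K bytes long."""
    t = DIGESTINFO_SHA256 + hashlib.sha256(signed_part).digest()
    return b"\x00\x01" + b"\xff" * (K - len(t) - 3) + b"\x00" + t

def build_package(version, payload):
    """Vendor side: header + payload, followed by an RSA signature over both."""
    signed_part = HEADER.pack(b"FWUP", version, len(payload)) + payload
    sig = pow(int.from_bytes(_encode(signed_part), "big"), D, N)
    return signed_part + sig.to_bytes(K, "big")

def accept_update(package, installed_version):
    """Device side: return the payload to flash, or None if the package is rejected."""
    if len(package) < HEADER.size + K:
        return None
    signed_part, sig = package[:-K], package[-K:]
    s = int.from_bytes(sig, "big")
    if s >= N:
        return None
    # Verify first: re-encode and compare whole blocks instead of parsing padding.
    recovered = pow(s, E, N).to_bytes(K, "big")
    if not hmac.compare_digest(recovered, _encode(signed_part)):
        return None
    # Only now trust the header fields, which the signature covers.
    magic, version, length = HEADER.unpack_from(signed_part)
    if magic != b"FWUP" or length != len(signed_part) - HEADER.size:
        return None
    if version <= installed_version:   # validly signed but old: refuse rollback
        return None
    return signed_part[HEADER.size:]
```

Because the version field sits inside the signed region, an older signed image cannot be relabelled as new, and a modified image fails verification regardless of how it reaches the device.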
Then, Hron uploaded the app’s latest firmware version to a computer and performed reverse engineering with an interactive disassembler.
Hron also took apart the appliance to identify the CPU installed inside. Initially, he tried to convert it into a cryptocurrency miner but found that the CPU wasn’t efficient enough.
After obtaining the necessary details, Hron wrote a Python script, which replicated the machine’s update process. He also modified its firmware and script lines to make the machine malfunction and demand a ransom after connecting to a user’s home network.
However, Hron clarified that it isn’t as easy to hack the coffee maker as it sounds. The hacker will have to remain within the machine’s Wi-Fi range. Still, it is concerning that smart appliances could be exploited in such a way.
“With the pace of IoT explosion and a bad attitude to support, we are creating an army of abandoned vulnerable devices that can be misused for nefarious purposes such as network breaches, data leaks, ransomware attack, and DDoS,” Hron wrote.