A researcher at the cybersecurity company Avast hacked a smart coffee maker and planted ransomware in its firmware. In a post on Avast's Decoded blog (decoded.avast.io), security researcher Martin Hron showed that Wi-Fi-connected coffee machines can be hacked.
According to Hron, this particular machine, made by Smarter, broadcasts its own Wi-Fi network, which users connect to in order to set it up. It can then be operated either manually or through a companion app on a mobile phone.
Hron observed that the companion app lets the manufacturer's devices form their own network and can then connect them to the home Wi-Fi network so that users can control the coffee machine from their phone.
The app also displays key information about the machine, including its firmware version, and can push firmware updates to it when they become available.
On examining the app, Hron found that the appliance speaks “a simple binary protocol with hardly any encryption, authorization or authentication.” Commands are plain messages carrying no proof of who sent them.
In other words, the system implements no security at all: any device that can reach the coffee maker's network can control it.
Hron also noted that a device does not need to be on the home network to communicate with the appliance; the machine's own Wi-Fi network is enough.
To exploit the machine, the researcher reverse-engineered its firmware and then forced an update onto the device.
He modified the firmware into ransomware that stays dormant until the attacker triggers it. Once triggered, the appliance beeps continuously and displays a ransom message.
It also turns on the hotbed (warming plate), dispenses water, runs the heater and spins the grinder, leaving the machine unusable and noisy unless the ransom is paid. Short of paying, the owner's only recourse is to unplug the coffee maker and buy a new one.
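The two weaknesses Hron exploited are general ones: a control protocol with no authentication (so any client on the network can issue commands), and an update channel that rides on that same unauthenticated protocol. The following is an added illustration, not Hron's code or anything from Smarter, and the command codes, frame layout and key are invented for the example; it puts a minimal unauthenticated command handler beside a hardened one that requires an HMAC tag and a monotonic counter, then feeds both the same attacker traffic so the difference in outcome is visible.

```python
"""Constructed illustration of an unauthenticated vs. an authenticated
binary command protocol. The command codes, frame layout and key below are
invented for this example and are NOT the Smarter machine's real protocol."""
import hashlib
import hmac
import struct

# Hypothetical command codes (assumption: not the real device's values).
CMD_BREW = 0x01
CMD_GRIND = 0x02
CMD_HEAT = 0x03
CMD_UPDATE_FW = 0x10
CMD_NAMES = {CMD_BREW: "brew", CMD_GRIND: "grind",
             CMD_HEAT: "heat", CMD_UPDATE_FW: "update_fw"}

TAG_LEN = 32                  # HMAC-SHA256 output size
HDR = struct.Struct(">IBB")   # counter, command, payload length


class UnauthenticatedMachine:
    """Models the weak design: frame = [cmd][len][payload], no identity, no key.
    Anyone who can reach the device's network can send any command,
    including a firmware update."""

    def __init__(self):
        self.actions = []

    def handle(self, frame: bytes) -> str:
        if len(frame) < 2 or len(frame) != 2 + frame[1]:
            return "malformed"
        cmd, payload = frame[0], frame[2:]
        if cmd not in CMD_NAMES:
            return "unknown"
        self.actions.append((CMD_NAMES[cmd], payload))
        return "ok"


class AuthenticatedMachine:
    """Hardened design: frame = [ctr:4][cmd:1][len:1][payload][tag:32], with
    tag = HMAC-SHA256(key, everything before the tag). The tag blocks forgery
    and tampering; the strictly increasing counter blocks replays."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_ctr = 0
        self.actions = []

    def handle(self, frame: bytes) -> str:
        if len(frame) < HDR.size + TAG_LEN:
            return "malformed"
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        # Constant-time compare, done before anything in the body is trusted.
        if not hmac.compare_digest(tag, expected):
            return "bad_tag"
        ctr, cmd, n = HDR.unpack(body[:HDR.size])
        payload = body[HDR.size:]
        if len(payload) != n:
            return "malformed"
        if ctr <= self.last_ctr:
            return "replay"
        if cmd not in CMD_NAMES:
            return "unknown"
        self.last_ctr = ctr
        self.actions.append((CMD_NAMES[cmd], payload))
        return "ok"


def build_frame(cmd: int, payload: bytes = b"") -> bytes:
    """Frame for the unauthenticated design; anyone can build one."""
    return bytes([cmd, len(payload)]) + payload


def build_auth_frame(key: bytes, ctr: int, cmd: int, payload: bytes = b"") -> bytes:
    """Frame for the authenticated design; only a holder of `key` can build one."""
    body = HDR.pack(ctr, cmd, len(payload)) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()


def demo() -> dict:
    """Sends the same attacker traffic to both designs; returns each verdict."""
    evil_fw = b"\xde\xad"  # constructed stand-in for a malicious firmware image
    weak = UnauthenticatedMachine()
    key = hashlib.sha256(b"constructed pairing secret").digest()  # assumption
    strong = AuthenticatedMachine(key)
    legit = build_auth_frame(key, 1, CMD_BREW)
    tampered = bytearray(build_auth_frame(key, 2, CMD_HEAT, b"\x01"))
    tampered[HDR.size] ^= 0xFF  # flip a payload byte; the tag no longer matches
    return {
        "weak_accepts_unsigned_update": weak.handle(build_frame(CMD_UPDATE_FW, evil_fw)),
        "strong_rejects_unsigned_update": strong.handle(build_frame(CMD_UPDATE_FW, evil_fw)),
        "strong_accepts_keyed_command": strong.handle(legit),
        "strong_rejects_replay": strong.handle(legit),
        "strong_rejects_forged_key": strong.handle(
            build_auth_frame(b"guess", 2, CMD_UPDATE_FW, evil_fw)),
        "strong_rejects_tampered": strong.handle(bytes(tampered)),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The point of the pairing is that the weak handler has no notion of "who" at all, so the firmware-update command is just another byte value any client can send, whereas the hardened handler checks the tag before it parses anything and refuses a frame whose counter has already been used. A real device would additionally verify a signature over the firmware image itself, which is a separate check this example does not model.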
Hron pointed out that the manufacturer has not supported this machine since 2017, when the company moved to a more secure platform, so even if Smarter were made aware of the issue, no fix would be released for it.
Forbes reached out to Smarter, which responded: “Smarter is committed to ensuring its smart kitchen range has the highest levels of security safeguards.” The company also stressed that all of its products released since 2017 meet that standard.
Besides ransomware, the researcher found that the machine could also be made to mine cryptocurrency, though only at an extremely slow rate.