Pierluigi Paganini November 09, 2015

The paradigm of the Internet of Things has dramatically enlarged our surface of attack, smart devices surrounding us are a privileged target for cyber criminals. What about your coffee machine? The coffee machines could become the entry point in your network, exactly as described in the past for smart kettles, hackers could hack them to gain access to violate your privacy.

Also in this case, the coffee machines could be controlled via a mobile app, you can have a steaming coffee by starting the device remotely. Clearly, the presence of a flaw could in the way the app exchange information with the coffee machine could open the doors to the hackers. The attackers could exploit the flaw to steal your WiFi password and sniff data in transit in your network.

Security experts at Kaspersky Lab issued a report that warns users of the possible risks when facing with connected coffee machines, and more in general, one of four wireless-enabled home devices analyzed by the experts.

The researchers analyzed four devices that are familiar to many users:

• a USB-dongle for video streaming (Google Chromecast);
• a smartphone-controlled IP camera;
• a smartphone-controlled coffee maker; and
• a home security system, also smartphone-controlled.

The experts discovered a number of vulnerabilities of varying severity, honestly some of them very difficult to exploit due to the necessary condition that must be satisfied to launch the hack.

When a connected coffee machine is turned on it opens a non-encrypted hotspot and listens to UPNP traffic. On the client side, the smartphone running the mobile app provided by the vendor of the coffee machines connects to the hotspot and sends a broadcast UDP request searching for UPNP devices. The Coffee machine establish the communication with the app exchanging several data including the SSID and the password to the home wireless network, unfortunately they are in clear text.

“As our coffee machine is such a device, it responds to this request. After that a short communication containing the SSID and the password to the home wireless network, among other things, is sent from the smartphone to the device.” states the report. “This is where we detected a problem. Although the password is sent in encrypted form, the components of the encryption key are sent through an open, non-protected channel. These components are the coffee machine’s Ethernet address and some other unique credentials. Using these components, the encryption key is generated in the smartphone. The password to the home network is encrypted with this key using 128-bit AES, and sent in base64 form to the coffee machine. In the coffee machine, the key is also generated using these components, and the password can be decrypted. Then, the coffee machine connects to the home wireless network and ceases to be a hotspot until it is reset. From this moment on, the coffee machine is only accessible via the home wireless network. But it doesn’t matter, as by then the password is already compromised.”

In order to hack the coffee  machines, the attackers would need to know exactly when the owner install them and be physically near the IoT device in a way to intercept the password. Clearly this scenario is not so easy to implement.

Kaspersky reported the security issued to the vendor of the coffee machines, which has acknowledged them and provided the experts with the following statement:

“Both user experience and security are extremely important to us and we continually strive to strike the right balance between the two. The actual risks associated with the vulnerabilities you mentioned during set-up are extremely low. In order to gain access, a hacker would have to be physically within the radius of the home network at the exact time of set-up, which is a window of only a few minutes. In other words, a hacker would have to specifically target a smart coffee maker user and be around at the exact point of set-up, which is extremely unlikely. Because of this, we do not believe the potential vulnerabilities justify the significant negative impacts it will have on user experience if we make the suggested changes. Though no definite plans to change our set-up procedure are in the works, we are constantly reevaluating and wouldn’t hesitate to make changes if risks become more significant. Should something change in the near future we will let you know.”

I partially agree with the above statement, anyway I remark the need to approach IoT paradigm with security by design.

To read the results of the tests executed on the other IoT devices give a look to the report.

Pierluigi Paganini

(Security Affairs – Coffee machines, hacking)