Even Coffee Makers Are Vulnerable To Ransomware As IoT Explosion Brews Security Complacency
Some people may say, “Don't talk to me until I have had my coffee,” but what if they could not have coffee because of a ransomware attack? According to a researcher at Avast, IoT devices, such as smart coffee makers, can be vulnerable to attacks.
Security researcher Martin Hron remarks “firmware is a new software,” and that software can be exploited. Typically, smart IoT devices have firmware onboard that is used with an API, while users expect that not too much harm can come from the API and firmware. This is not the case, as Hron states “We used to trust that hardware, such as a common kitchen appliance, could be trusted and could not be easily altered without physically dismounting the device. But with today’s “smart” appliances, this is no longer the case.”
As with his coffee maker example, it was vulnerable after some poking around. The coffee maker creates a WiFi network with little to no encryption, such as other IoT devices. Using reverse engineering and some experimentation, it was found that “EVERYTHING is transmitted in PLAINTEXT over an UNSECURED WiFi connection.” After this was found, tweaking firmware and reuploading was no problem. He was able to change the "Missing Carafe" warning to "Mining Monero."Looking at a map from wigle, there are nearly 570 smart coffee makers from the brand Hron tested that are not using smart features. As it turns out, owners not using the smart features “have unintentionally made it easier to hack their devices.” This is only a small subset of smart IoT devices, though. There are likely many more insecure “smart” devices beside coffee makers (fridges, TVs, and more). There could be millions of devices with similar vulnerabilities and tracking every single one would be incredibly daunting.
As devices come and go, vulnerabilities and exploits will remain. If a company stops support for a device and an exploit is found for a perfectly fine smart device, what would you do? Would the device have to be discarded in favor of safety, or do you disconnect the smart features and lose what you paid for? Also, while Hron did some harmless things, IoT devices could be used for DDoS attacks, ransomware attacks, or whatever a hacker can dream of. When considering new smart devices, one should consider the company they are buying from and their track record for support, because we are beginning to live in a hacker’s paradise.
(Images courtesy of Martin Hron)