Back in 2015, experts from Pen Test Partners described a way to hack Wi-Fi networks through the smart iKettle made by Smarter, and later found that the Smarter Coffee machine from the same manufacturer also poses a threat to its users' security.
Two years after the publication of these studies, Smarter released iKettle version 3 and Coffee Maker version 2. The updated products used a new chipset that was not affected by the problems found by Pen Test Partners, although the company's experts stressed that Smarter never assigned CVE IDs to the previously found vulnerabilities and did not alert customers to the problems.
Now Avast researcher Martin Hron has decided to study Smarter's products. In a lengthy article that Hron devoted to hacking a coffee machine, he describes how he managed to turn on the heater and the water supply without the user's knowledge, activate the coffee grinder, and even display a ransom demand on the device's screen, all of it accompanied by incessant beeping. Note that the researcher did all this on one of the company's older coffee machines, which he specially prepared for the tests.
“I was asked to prove the myth that the threat to IoT devices lies not only in the fact that they can be accessed through a vulnerable router and the Internet, but also in the fact that the device itself is vulnerable and can be compromised without penetrating the network and without hacking the router. It is possible. And I did this to demonstrate that this can happen with other devices on the Internet of Things,” says the researcher.
The expert almost immediately found that, once switched on, the coffee machine acts as a Wi-Fi access point and uses an unencrypted connection to communicate with a smartphone running a dedicated application. That application is used to configure the device and also lets the user connect it to the home Wi-Fi network. With no encryption in place, the researcher had no trouble studying exactly how the smartphone controls the coffee maker, and since there was no authentication either, a fake application could be used for the same purpose.
He found nothing dangerous in the application itself, however, so Hron moved on to the mechanism by which the coffee machine receives firmware updates. It turned out that the device receives these through the smartphone as well, again without encryption, authentication, or code signing.
Since the latest firmware version was stored inside the Android application, the expert was able to copy it to a computer and reverse it with IDA. Almost immediately he found readable strings and concluded that there was no encryption here either.
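Judging an image to be unencrypted from readable strings is the first check a reverser makes, and it generalizes beyond this one firmware. The Python below is an added example (my code, not Hron's or Avast's) of that triage on constructed sample blobs: it computes Shannon entropy over the whole image and per block, pulls printable strings the way the `strings` utility does, and gives a heuristic verdict. The block size, the 7.8 bits/byte threshold and the sample images are assumptions chosen for the demonstration; the one caveat worth remembering is that compressed data has the same high entropy as ciphertext, so the example checks for gzip and xz headers before calling an image encrypted.

```python
import math
import random
import re

BLOCK_SIZE = 8192      # assumed window for the per-block entropy profile
HIGH_ENTROPY = 7.8     # bits/byte; ciphertext and compressed data sit near 8.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def printable_strings(data: bytes, min_len: int = 8) -> list:
    """Same idea as the `strings` utility: runs of printable ASCII of min_len or more."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def triage_firmware(data: bytes) -> dict:
    """Entropy profile plus string extraction, with a heuristic verdict.

    High entropy means encrypted *or* compressed, and the two look alike, so a
    compression header (gzip 1f 8b, xz fd 37 7a 58 5a 00) is checked first.
    Low entropy with readable strings is the case the article describes: plain
    code and data that a disassembler can work on directly.
    """
    blocks = [data[i:i + BLOCK_SIZE] for i in range(0, len(data), BLOCK_SIZE)]
    per_block = [shannon_entropy(b) for b in blocks] or [0.0]
    overall = shannon_entropy(data)
    strings = printable_strings(data)
    if data.startswith(b"\x1f\x8b"):
        verdict = "gzip-compressed: decompress, then triage the result"
    elif data.startswith(b"\xfd7zXZ\x00"):
        verdict = "xz-compressed: decompress, then triage the result"
    elif overall >= HIGH_ENTROPY:
        verdict = "high entropy: encrypted or compressed, no plaintext to read yet"
    elif strings:
        verdict = "low entropy with readable strings: unencrypted code/data"
    else:
        verdict = "low entropy, no strings: raw data or an unusual encoding"
    return {
        "size": len(data),
        "entropy": round(overall, 3),
        "min_block_entropy": round(min(per_block), 3),
        "max_block_entropy": round(max(per_block), 3),
        "string_count": len(strings),
        "sample_strings": strings[:5],
        "verdict": verdict,
    }


# Constructed sample inputs (not real Smarter firmware).
# An "unencrypted" image: ASCII messages of the kind firmware carries, plus padding.
PLAINTEXT_IMAGE = (
    b"Smarter Coffee firmware (constructed sample)\x00"
    b"Place the carafe on the hot plate\x00"
    b"Grinder active\x00Heater on\x00Pump on\x00"
    + b"\x00" * 512 + bytes(range(64)) * 8
) * 64
# An "encrypted" image: deterministic pseudo-random bytes stand in for ciphertext.
_rng = random.Random(0xC0FFEE)
RANDOM_IMAGE = bytes(_rng.getrandbits(8) for _ in range(65536))

if __name__ == "__main__":
    for name, image in (("plaintext", PLAINTEXT_IMAGE), ("random", RANDOM_IMAGE)):
        print(name, triage_firmware(image))
```

Run on a real dump, a sudden jump in the per-block profile is as informative as the overall figure: an unencrypted bootloader followed by an encrypted application region, or a plain header in front of a compressed payload, shows up as a step in the block entropies before any disassembler is opened.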
Fired up with the idea of creating malicious firmware for Smarter, Hron had to disassemble the device and find out what hardware it uses.
Having dealt with the hardware, Hron moved on to the firmware itself and was able to identify the functions most useful for the attack, for example the check for whether the carafe is sitting on the heating plate, or a way to make the device beep. Most importantly, the researcher worked out how to force the device to install a malicious update.
In the end, Hron had enough information to write a Python script that imitates the update process. After testing it with a slightly modified version of the firmware, he found that it worked fine.
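The reason a slightly modified image was accepted is the absence of any authenticity check on the device side, and that is the control a vendor would add. The Python below is an added example (my code, not Hron's script and not Smarter's update format) that models both sides of that decision: the naive path installs whatever parses, and the hardened path verifies a tag over the whole image before trusting any field of it, then refuses downgrades. The image layout, the keys and the payloads are assumptions constructed for the demonstration. The tag is an HMAC-SHA256, which only stands in for a signature: a symmetric key has to live in the device firmware, and here the firmware ships inside the Android app where it could be extracted, so a real device uses an asymmetric scheme (Ed25519 or similar) whose verification key cannot be used to sign.

```python
import hashlib
import hmac
import struct

# Assumed image layout for this example (not Smarter's real format):
#   magic(4) | version(u32, big-endian) | payload_len(u32) | payload | tag(32)
MAGIC = b"FWIM"
HEADER = struct.Struct(">4sII")
TAG_LEN = hashlib.sha256().digest_size


def build_image(version: int, payload: bytes, key: bytes = None) -> bytes:
    """Assemble an image; with a key, append an HMAC-SHA256 tag over header+payload.
    Without a key the tag field is zero-filled, like an image from an unsigned build."""
    body = HEADER.pack(MAGIC, version, len(payload)) + payload
    tag = hmac.new(key, body, hashlib.sha256).digest() if key else bytes(TAG_LEN)
    return body + tag


def accept_update_naive(image: bytes) -> tuple:
    """The device as described in the article: parse the header, install what arrived.
    Any client on the device's open Wi-Fi access point can push an image through here."""
    if len(image) < HEADER.size:
        return False, "too short"
    magic, version, _ = HEADER.unpack_from(image)
    if magic != MAGIC:
        return False, "bad magic"
    return True, f"installing version {version}"


def accept_update_verified(image: bytes, key: bytes, installed_version: int) -> tuple:
    """Hardened path: authenticate the whole image before trusting any field in it,
    then refuse downgrades so an attacker cannot re-flash an older genuine image."""
    if len(image) < HEADER.size + TAG_LEN:
        return False, "too short"
    body, tag = image[:-TAG_LEN], image[-TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # constant-time comparison
        return False, "authentication failed: image is not from the vendor"
    magic, version, n = HEADER.unpack_from(body)
    if magic != MAGIC or HEADER.size + n != len(body):
        return False, "malformed header"
    if version <= installed_version:
        return False, f"rollback refused: version {version} <= installed {installed_version}"
    return True, f"installing version {version}"


# Constructed keys and images for the demonstration (none of these are real).
VENDOR_KEY = b"constructed-vendor-key-not-real"
ATTACKER_KEY = b"constructed-attacker-key"
GENUINE_V2 = build_image(2, b"genuine firmware v2 (constructed)", VENDOR_KEY)
MALICIOUS_V3 = build_image(3, b"malicious firmware v3 (constructed)")              # unsigned
RESIGNED_V3 = build_image(3, b"malicious firmware v3 (constructed)", ATTACKER_KEY)  # wrong key

if __name__ == "__main__":
    cases = (("genuine v2", GENUINE_V2), ("unsigned v3", MALICIOUS_V3),
             ("attacker-signed v3", RESIGNED_V3))
    for name, img in cases:
        print(f"{name:20} naive={accept_update_naive(img)}  "
              f"verified={accept_update_verified(img, VENDOR_KEY, 1)}")
    print("genuine v2 over installed v2:", accept_update_verified(GENUINE_V2, VENDOR_KEY, 2))
```

Two details carry the weight here: the tag covers the header as well as the payload, so the version number cannot be edited to defeat the rollback check, and the tag is checked before the header is parsed, so a malformed image never reaches the parser unauthenticated.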
As the illustration shows, the expert initially wanted to make the device mine the Monero cryptocurrency, but given the processor and architecture of the Smarter device this would be extremely inefficient and almost pointless. So in the end he settled on a ransomware modification of the firmware that demands payment before the device stops behaving as shown in the video above.
Hron writes that a ransomware attack is the least an attacker can do. If a hacker puts in more effort, he can make the coffee maker (and probably other Smarter devices) attack the router, computers, or other devices on the same network.
Fortunately, because of a number of limitations, such an attack is unlikely to pose an immediate threat to real users; it is more of an interesting experiment. Once the update script and the modified firmware have been created and loaded onto an Android smartphone (doing this on iOS is harder because of its closed nature), there are several ways to carry out the attack. The easiest is to find a vulnerable coffee machine within Wi-Fi range.
Otherwise, the attacker has to look for the SSID that the coffee machine broadcasts. But after the device's initial setup, this SSID, which is needed to configure the device and start updates, is no longer available. That is, the attacker must know in advance that a coffee machine exists and is in use on a given network. He then has to, for example, send a deauthentication packet to knock it off the network. As soon as that happens, the device again broadcasts the special SSID, allowing the hacker to send it an update with malicious firmware.
Hron notes that these restrictions can be bypassed by hacking the Wi-Fi router, which can then be used as a springboard for an attack on the coffee machine. Such an attack can already be carried out remotely, but if an attacker has compromised the router, a misbehaving coffee machine is hardly what the owner of the compromised network should worry about most.