In the wake of a ransomware attack on a major hospital chain, a ransomware attack on the Las Vegas school system, and a ransomware attack on one of the U.S. government’s software contractors, I have the dubious honor of sharing with you the news that there’s been a ransomware attack on... a coffee maker. I wish I could say that this news is surprising, but in the darkest timeline anything that can be hacked will be hacked, because internet terrorists can’t resist doing something “for the lulz.” I’m hoping this hack will stay merely lulz-related, because the greater implications of this are a lot to consider.
The violated IoT-enabled coffee maker in question was built by Smarter, a British company that, according to its website, manufactures “kitchen products that are practical, convenient, sustainable and are designed to serve you.” Five years ago an internet security firm was able to expose a flaw in Smarter’s electric kettle that could potentially allow hackers to infiltrate the owner’s home network, which would give them access to all the other devices connected to that network. The firm also found serious firmware issues, which opened the door for hackers to replace Smarter’s installed firmware with their own.
The new electric kettle and coffee maker that Smarter released in 2018 fixed the security flaw present in old models, but the company never notified its customers about the flaw, and data shows that the older versions of these appliances are still in use. So, as a “thought experiment,” internet security researcher Martin Hron hacked a Smarter coffee maker, infected it with ransomware, and shared exactly how he did it for his company’s blog. I’m sure nothing bad will come of any of this!
If you’re not ready to give Bulgarian hackers your social security number just to get your morning coffee, there is some good news: the only way this particular attack can work is if a hacker is within range of the Wi-Fi network it’s connected to, meaning that if your coffee maker attempts to extort you for millions of dollars, the likely culprit is either one of your neighbors, or whoever is in the unmarked van parked outside your house.
But, as always happens when we’re discussing tech, that bit of good news is immediately followed my more terrifying news: Hron believes that if a hacker really wanted it bad enough, they could program the Smarter coffee maker to attack the router and any devices connected to the network: computers, security systems, Alexa, Roombas... any “smart” thing in your house could be controlled from the outside without your knowledge.
Once Hron is done breaking down how to turn a coffee maker into a foreign agent, he reminds us that this problem is a lot bigger than one single smart appliance, and that as the market for smart technology grows ever larger, security flaws might not be an easy fix.
“The lifespan of a typical fridge is 17 years, how long do you think vendors will support software for its smart functionality?” Hron writes. “[W]ith the pace of IoT explosion and bad attitude to support, we are creating an army of abandoned vulnerable devices that can be misused for nefarious purposes...These devices, for the most part, have no screen and can therefore mask malicious activities running in the background from their owners.”
Enjoy the rest of your day, everybody!