With a name like Smarter, you might expect a maker of network-connected kitchen appliances to be smarter about security than companies that sell traditional appliances. In the case of Smarter's Internet of Things coffee maker, you would be wrong.
As a thought experiment, Martin Hron, a researcher with security firm Avast, reverse engineered one of the $250 devices to see what kinds of hacks it could be made to perform. After just a week of effort, the unqualified answer was: quite a lot. Specifically, it could make the coffee maker turn on the burner, dispense water, spin the bean grinder, and display a ransom note while beeping repeatedly. Oh, and by the way, the only way to stop the mess was to unplug the power cord. Like this:
What a hacked coffee maker looks like
"It is possible," said Hron in an interview. "It was pointed out that this was also the case with other IoT devices. This is a good example of an out-of-the-box problem. You don't have to configure anything. Usually providers don't think about it."
What do you mean by "out-of-the-box"?
That poor IoT coffee machine didn't stand a chance.
When Hron first plugged in his Smarter coffee maker, he found that it immediately acted as a Wi-Fi access point, using an unsecured connection to communicate with a smartphone app. The app, in turn, is used to configure the device and, if the user so wishes, to connect it to a home Wi-Fi network. With no encryption, the researcher had no trouble learning how the phone controlled the coffee maker, and, since there was no authentication either, how a rogue phone app could do the same.
That ability still left Hron with only a small menu of commands, none of them particularly harmful. So he examined the mechanism by which the coffee maker received firmware updates. It turned out that the updates were delivered by the phone with, you guessed it, no encryption, no authentication and no code signing.
Those blatant omissions created exactly the opportunity Hron needed. With the latest firmware version stored inside the Android app, he could pull it onto a computer and reverse engineer it using IDA, a software analyzer, debugger, and disassembler that is one of a reverse engineer's best friends. He found human-readable strings almost immediately.
"From this we can conclude that there is no encryption, and the firmware is likely a 'clear text' image uploaded directly to the coffee machine's FLASH memory," he wrote in the lengthy blog post outlining the hack.
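The update path Hron describes accepts whatever image the phone hands it: no encryption, no authentication, no code signing, so a modified firmware is written to flash as readily as a genuine one. The following script is an added illustration and is not Hron's update script or Smarter's firmware. It models an update receiver in two versions: one that only parses the header and installs anything (the behaviour described above), and one that checks the image size against its length field, verifies an authentication tag in constant time and refuses downgrades before accepting the payload. The image layout, the magic bytes, the version numbers and the key are all constructed for the example. The tag is an HMAC from the standard library, which is a simplification: a real product would use an asymmetric signature so that the device holds only a public key and the signing key never leaves the vendor.

```python
"""Firmware update acceptance: an unverified path beside a verified one.

Added example, not code from the Avast write-up or from Smarter.
Image format (constructed for this example):
    header  = magic(4) | version(u32 BE) | payload_len(u32 BE)
    image   = header | payload | tag(32)
    tag     = HMAC-SHA256(key, header | payload)
"""
import hashlib
import hmac
import struct

MAGIC = b"FWIM"                        # constructed image marker
HEADER = struct.Struct(">4sII")        # magic, version, payload length
TAG_LEN = hashlib.sha256().digest_size  # 32 bytes

# Constructed shared key. A real design would burn a public key into the
# device and have the vendor sign images with the matching private key.
DEVICE_KEY = b"constructed-demo-key-not-for-real-use"


class UpdateRejected(Exception):
    """Raised by the verified path when an image must not be flashed."""


def build_image(payload: bytes, version: int, key: bytes = DEVICE_KEY) -> bytes:
    """Vendor side: wrap a firmware payload with a header and an authentication tag."""
    header = HEADER.pack(MAGIC, version, len(payload))
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag


def accept_update_unverified(image: bytes) -> bytes:
    """Models the update path described in the article: the header is parsed
    only to find the payload length, nothing is checked, and the payload is
    returned as the new firmware no matter who produced it."""
    _magic, _version, length = HEADER.unpack_from(image)
    return image[HEADER.size:HEADER.size + length]


def accept_update_verified(image: bytes, installed_version: int,
                           key: bytes = DEVICE_KEY) -> bytes:
    """Hardened path: strict parsing, constant-time tag check, anti-rollback.
    Returns the payload that may be written to flash, or raises UpdateRejected."""
    if len(image) < HEADER.size + TAG_LEN:
        raise UpdateRejected("image too short")
    magic, version, length = HEADER.unpack_from(image)
    if magic != MAGIC:
        raise UpdateRejected("bad magic")
    body_end = HEADER.size + length
    if body_end + TAG_LEN != len(image):
        raise UpdateRejected("length field does not match image size")
    signed, tag = image[:body_end], image[body_end:]
    expected = hmac.new(key, signed, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):     # constant-time comparison
        raise UpdateRejected("authentication tag mismatch")
    if version <= installed_version:               # refuse downgrades and replays
        raise UpdateRejected(f"version {version} is not newer than {installed_version}")
    return image[HEADER.size:body_end]


def demo() -> dict:
    """Run both receivers over a genuine image, a tampered copy and a replayed one."""
    payload = bytes(range(64))                     # constructed stand-in for a firmware blob
    genuine = build_image(payload, version=2)
    tampered = bytearray(genuine)
    tampered[HEADER.size] ^= 0xFF                  # flip one payload byte after signing
    tampered = bytes(tampered)

    def outcome(fn, *args):
        try:
            fn(*args)
            return "accepted"
        except UpdateRejected as err:
            return f"rejected: {err}"

    return {
        "unverified/genuine": outcome(accept_update_unverified, genuine),
        "unverified/tampered": outcome(accept_update_unverified, tampered),
        "verified/genuine": outcome(accept_update_verified, genuine, 1),
        "verified/tampered": outcome(accept_update_verified, tampered, 1),
        "verified/rollback": outcome(accept_update_verified, genuine, 2),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:22s} {result}")
```

The unverified receiver accepts the tampered image just as happily as the genuine one, which is the whole problem. The verified receiver ties the length field to the actual image size (so a crafted header cannot make it read past the payload), compares the tag with `hmac.compare_digest` rather than `==`, and checks the version only after the tag has been verified, so an unauthenticated image cannot even influence the rollback decision.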
Taking it apart
To actually disassemble the firmware, that is, to convert the binary into the underlying assembly language that drives the hardware, Hron needed to know which CPU the coffee maker used. That meant taking the appliance apart, locating the circuit board and identifying the chips. The following two pictures show what he found:
The circuit board.
1 – ESP8266 with AT modem firmware, 2 – STM32F05106 ARM Cortex M0 – main CPU that glues everything together, 3 – I2C EEPROM with configuration, 4 – debug ports and programming interface.
With the ability to disassemble the firmware, the pieces began to fall into place. Hron was able to reverse key functions, including those that check whether a carafe is on the burner, sound the device's beeper, and, most importantly, install an update. Below is a block diagram of the coffee maker's main components:
Hron eventually gathered enough information to write a Python script that mimicked the update process. Trying it with a slightly modified version of the firmware, he found that it worked. This was his "Hello World":
Freak every user out
The next step was to create a modified firmware that did something less benign.
"Originally, we wanted to prove that this device could mine cryptocurrency," wrote Hron. "Given the CPU and architecture, this is certainly doable, but at a speed of 8 MHz it makes no sense as the value produced by such a miner would be negligible."
So the researcher settled on something else: a machine that would demand a ransom if the owner wanted it to stop misbehaving in the spectacular way shown in the video. Taking advantage of unused space in the silicon, Hron added the lines of code that caused all the fuss.
"We thought this would be enough to freak out any user and make it a very stressful experience. The only thing the user can do at this point is to unplug the coffee maker."
Once the working update script and modified firmware have been written and loaded onto an Android phone (iOS would be much harder, if not prohibitive, because of its closed nature), there are several ways to carry out the attack. The easiest is to find a vulnerable coffee maker within Wi-Fi range. If the device has not yet been configured to join a Wi-Fi network, all that is needed is to look for the SSID the coffee maker broadcasts.
Once the device has joined a home network, that ad hoc SSID, which is required to configure the coffee maker and initiate updates, is no longer available. The simplest way around this restriction, assuming the attacker knows a coffee maker is in use on a particular network, is to send a deauthentication packet to the network, which causes the coffee maker to disconnect. As soon as that happens, the device broadcasts the ad hoc SSID again, and the attacker can update it with the malicious firmware.
A more opportunistic variant of this vector would be to send a deauthentication packet to every SSID within Wi-Fi range and wait to see whether any ad hoc broadcasts appear (the SSIDs are always "Smarter Coffee: xx", where xx is the lowest byte of the device's MAC address).
The limitation of this attack, obvious to many, is that it only works if the attacker can find a vulnerable coffee maker and is within Wi-Fi range. Hron said one way around this is to compromise a Wi-Fi router and use it as a beachhead from which to attack the coffee maker; that attack can be carried out remotely. Then again, if an attacker has already compromised the router, the network owner has worse things to worry about than a misbehaving coffee maker.
In any case, Hron said the ransom attack was just the beginning of what an attacker could do. He believes that with more work, an attacker could program a coffee maker, and possibly other devices made by Smarter, to attack the router, computers, or other devices on the same network. And the attacker could probably do it with no obvious sign that anything was wrong.
Putting it in perspective
Because of these limitations, the hack poses no real or imminent threat, although for some people (myself included) it is enough to steer clear of Smarter products, at least as long as current models (the one Hron used is an older one) do not use encryption, authentication, or code signing. Company representatives did not immediately respond to a request for comment.
Rather, as noted earlier in this post, the hack is a thought experiment designed to explore what is possible in a world where coffee makers, refrigerators, and every other kind of home appliance connects to the internet. One of the notable things about the coffee maker hacked here is that it is no longer eligible to receive firmware updates. So there is nothing owners can do to fix the vulnerabilities Hron found.
Hron also addresses this important point:
In addition, this case shows one of the most important problems with modern IoT devices: "The life of a typical refrigerator is 17 years. How long do you think vendors will support software for its intelligent functionality?" Sure, you can still use it even if it stops receiving updates, but with the pace of the IoT explosion and poor attitudes towards support, we're creating an army of abandoned vulnerable devices that can be misused for nefarious purposes such as network breaches and data leaks, ransomware attacks and DDoS.
There is also the question of what to do about the IoT explosion. Assuming you buy an IoT gadget at all, it's tempting to think the smarter move is simply never to connect the device to the internet and to run it as a normal, non-networked appliance.
But in the case of the coffee maker here, that would actually make you more vulnerable, because the device would then permanently broadcast its ad hoc SSID, saving an attacker a few steps. Short of going back to an old-fashioned coffee maker, the better option is to connect the device to a virtual LAN, that is, a separate SSID partitioned from the one normally used.
The Hron article linked above contains more than 4,000 words of detail, much of it too technical to cover here. It should be required reading for anyone building IoT devices.
Listing image from Avast