The public promise of the Internet Of Things from years ago when the first journalists discovered the idea and strove to make it comprehensible to the masses was that your kitchen appliances would be internet-connected and somehow this would make our lives better. Fridges would have screens, we were told, and would magically order more bacon when supplies ran low.
A decade or so later some fridges have screens, but the real boom in IoT applications has not been in such consumer-visible applications. Most of your appliances are still just as unencumbered by connectivity as they were twenty years ago, and that Red Dwarf talking toaster that Lives Only To Toast is still fortunately in the realm of fiction.
The market hasn’t been devoid of IoT kitchen appliances though. One is the Smarter Coffee coffee machine, a network-connected coffeemaker that is controlled from an app. [Simone Margaritelli] bought one, though while he loved the coffee he really wasn’t keen on its not having a console application. He thus set about creating one, starting with reverse engineering its protocol by disassembling the Android version of its app.
What he found was sadly not an implementation of RFC 2324, instead it uses a very simple byte string to issue commands with parameters such as coffee strength. There is no security, and he could even trigger a firmware upgrade. The app requires a registration and login, though this appears to only be used for gathering statistics. His coffee application can thus command all the machine’s capabilities from his terminal, and he can enjoy a drink without reaching for an app.
On the face of it you might think that the machine’s lack of security might not matter as it is on a private network behind a firewall. But it represents yet another example of a worrying trend in IoT devices for completely ignoring security. If someone can reach it, the machine is an open book and the possibility for mischief far exceeds merely pranking its owner with a hundred doppio espressos. We have recently seen the first widely publicised DDoS attack using IoT devices, it’s time manufacturers started taking this threat seriously.
If the prospect of coffee hacks interests you, take a look at our previous coverage.
[via /r/homeautomation]
On the plus side, as it requires no authentication (even for the firmware update process) then it opens the door for possible custom firmware
I’d upload firmware that immediately locks it down.
Next step is to make a control loop using the company’s CI system unit test results feeding into the –strength parameter. Future enhancement requires adding a metering pump for whisky for that Ballmer Peak boost.
“Isn’t that a little strong for in the morning?” “It’s those those damn hackers again I swear! And you know I can bring my self to be wasteful.”
Regarding IOT –
Just because you can, doesn’t mean you should.
“We do what we must, because we can” :^)
“They say great science is built on the shoulders of giants. Not here. At Aperture, we do all our science from scratch. No hand holding.”
Some people can’t take a dump these days without insisting that it’s triggered by a mobile phone app.
You need an auth for an app to make coffee? wtf? So, the whole setup wouldn’t work with an active internet connection?
That’s about the sum of it, yes. Buy the coffee machine, they sell your coffee drinking data.
Rather fortunate they left it wide open then really, expect a replacement app without login real soon.
” We have recently seen the first widely publicised DDoS attack using IoT devices, it’s time manufacturers started taking this threat seriously.”
They won’t take the threat seriously unless it threatens their revenue. As such, I think IoT devices should be remotely hacked to DDoS the device makers website(s) indefinitely. When the cost of running their site exceeds the savings of not investing in security, that’s when they will take it seriously.
https://pbs.twimg.com/media/Ct2wKcEVUAE9Zh0.jpg
but thanks for reference to RFC 2324! It was intended as a joke but today it could be true…
So you want an internet connected coffee machine do you? How about this one?
http://oi65.tinypic.com/ineiqd.jpg
Suddenly, the agent’s obsession over everything with a microchip in one of Rick Cook’s “Wizardry” novels doesn’t read as irrationally nutty…