WiFi Hacking Mr. Coffee

You wake up on a Sunday, roll out of bed, and make your way to the centerpiece of your morning, the magical device that helps you start your day: the coffee machine. You open the companion app, because everything has an app in 2020, and select a large latte with extra froth. As you switch over to a browser to check Hackaday, the machine beeps. Then the built-in grinder cranks up to 100, the milk frother begins to whir, and the machine starts spraying water. Frantic, you look at the display for an error code and instead see a message instructing you to send $75 to a bitcoin wallet, lest your $300 machine become a doorstop.

Outlandish though it may seem, this has become quite a real possibility, as [Martin Hron] at the Avast Threat Labs demonstrates. In fact, he could probably make your modern macchiato machine do this without setting foot in your house (so long as it comes with a built-in ESP8266, like his did).

Building on others’ work that identified the simple commands that control the machine over its WiFi connection (nothing says “brew me a nice cup o’ joe” like 0x37), [Martin] reverse-engineered the Smarter Coffee companion app to extract and reverse engineer its firmware. He was actually able to find the entire firmware image packaged within the app, which is relatively uncommon in the world of Over-The-Air (OTA) updates, but convenient in this case. Using Interactive Disassembler (IDA) to sift through the firmware’s inner workings, he identified the functions that handle all basic operations, including displaying images on the screen, controlling the heating elements, and of course, beeping. From there, he modified the stock firmware image to include some malicious commands and ran an OTA update.

The mind-boggling part here is that not only was the firmware transmitted as unencrypted plaintext over unsecured WiFi, but the machine didn’t even require a user to confirm the update with a button press. With one quick reboot, the trap was set. The machine operated normally, while waiting for “Order 66,” causing it to turn all the heating elements on, spool up the built-in grinder, and beep. Constantly.
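The checks the machine skipped (authenticating the image, refusing stale versions, and waiting for a button press) can be modeled in a few lines. This is an added example, not code from the article or from the vendor: the container layout, function names and key are constructed, and HMAC-SHA256 stands in for the asymmetric signature a real device would verify with a public key only.

```python
import hashlib
import hmac
import struct

# Constructed container layout (an assumption, not the vendor's format):
# magic(4) | version(u32 BE) | payload_len(u32 BE) | tag(32) | payload
MAGIC = b"FWUP"
HEADER = struct.Struct(">4sII32s")

def package_update(key: bytes, version: int, payload: bytes) -> bytes:
    """Vendor side: bind version and length to the payload with a MAC."""
    signed = struct.pack(">4sII", MAGIC, version, len(payload)) + payload
    tag = hmac.new(key, signed, hashlib.sha256).digest()
    return HEADER.pack(MAGIC, version, len(payload), tag) + payload

def accept_update(key: bytes, installed_version: int, blob: bytes,
                  button_pressed: bool) -> tuple[bool, str]:
    """Device side: decide whether an OTA image may be flashed."""
    if len(blob) < HEADER.size:
        return False, "truncated header"
    magic, version, length, tag = HEADER.unpack_from(blob)
    payload = blob[HEADER.size:]
    if magic != MAGIC or length != len(payload):
        return False, "malformed image"
    signed = struct.pack(">4sII", magic, version, length) + payload
    expected = hmac.new(key, signed, hashlib.sha256).digest()
    # Constant-time comparison so the tag cannot be guessed byte by byte.
    if not hmac.compare_digest(tag, expected):
        return False, "authentication failed"
    if version <= installed_version:
        return False, "rollback or replay rejected"
    if not button_pressed:
        return False, "waiting for physical confirmation"
    return True, "ok"

def demo():
    key = b"constructed-demo-key-0123456789ab"  # sample value, not a real key
    good = package_update(key, 2, b"stock firmware v2 (constructed bytes)")
    tampered = good[:-1] + bytes([good[-1] ^ 0x01])  # one payload bit flipped
    return [
        accept_update(key, 1, good, button_pressed=True),
        accept_update(key, 1, tampered, button_pressed=True),
        accept_update(key, 2, good, button_pressed=True),
        accept_update(key, 1, good, button_pressed=False),
    ]

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

Only the first case is accepted; the modified image, the replayed version and the unconfirmed update are each rejected before anything would be written to flash.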

While a broken coffee machine seems relatively innocuous, there are some pretty significant lapses in hardware/firmware security here that, while avoidable, almost seem unnecessary in the first place. It makes us wonder: why does Mr. Coffee need a smartphone in the first place?

[Thanks, Achilleas and STR-Alorman!]

41 thoughts on “WiFi Hacking Mr. Coffee”

    1. Nearly ten years ago, I asked the same question of a friend that had a wifi-enabled toaster oven with LCD display. He didn’t understand why I would even ask. It was obvious to him. His wife, on the other hand, gave me the “see what I have to put up with” look. Both are in tech fields and about as nerdy as it gets, but he has to have the toys, she just wants to have toast.

    2. There are some great IOT usecases out there… Just most of them are not what is being made, or they are being made terribly so you are wise to avoid them.

      The smart heating and lighting type stuff springs to mind as an actually really good usecase. The ability to control the lights in the building from your gadget is great for those of limited mobility and useful for the rest of us sometimes. The control of your heating/cooling systems also makes sense – even more so if it’s ‘smart’ enough to detect when the room should be climatically controlled but you can then override it manually. And being internet based when dear ol’ *insert friend relative who needs help but doesn’t understand tech here* needs something done in theory you can do it when they telegram/phone you.

      I’m not sure I’d ever actually use them while my mobility is good enough going to the control panel is easy. But I can see lots of usecases.

    3. I’ve been dreaming about making some of my kitchen appliances such as my microwave and oven “smart”. I can see doing so with a coffee machine too.

      Here’s why I want it.

      I want the timer to alert my phone so that I know when time is up even if I go upstairs or outside where I can’t hear the ding directly. Of course I can just set a timer on my phone but I don’t want to do that when the electronics to do it for me are so easily available today.

      I don’t need to be alerted each time a family member heats something up. But I also don’t want to have to log in or sync up devices each time I am cooking. If I had to do that I might as well just set the timer on the phone myself. I’m thinking each appliance could have an nfc tag, tap your phone on it while the appliance’s timer is running and your phone will get an alert when the timer goes off.

      That’s all. I don’t see any use being able to turn those devices or otherwise control them from my phone. I would still have to be there to load the ingredients.

      Maybe a fancier version would also have a phone app. open the app and you are greeted with temperature readings and/or camera feeds of the appliances whose timers you are currently monitoring. That’s kind of the deluxe, now I’m just showing off version though.

  1. “you look at the display for an error code and instead see a message instructing you to send $75 to a bitcoin wallet, lest your $300 machine become a doorstop.”

    Ok, no problem. I’ll buy an old-school moka for around 20€ (~$25) and enjoy my new technological doorstop peacefully sipping an espresso…

  2. It certainly does point out that the IOT pendulum swung too far. It started out pretty far at the beginning too. I was a consultant with Quirky back in the early IOT days when they came out with the infamous egg tray (not a product I worked on!)

    What this hack overlooks though, is that while you may not have to come into my house to get to my WiFi, you have to at least stand in my yard and I’ll see you. You also have to know my WiFi password and my enterprise-grade router isn’t likely to let you hack into it. Finally, once the coffee machine has run the grinder until it was empty, overheated all of the surfaces with the heating elements and sprayed water all over the hot warming plate – why would anyone pay a ransom to get the trashed machine back? You’d simply toss it and buy a replacement.

    I do like the sense of humor though. :)

    1. It’s called a “proof of concept”. It could be some other device. They could do it at night when you won’t see it, or when you’re not at home, or or. They don’t have to trash the machine, they can just disable it. Etc etc.

      1. As a proof of concept it’s great to point out that wholesale shipping of new firmware in plain sight is dangerous. At the very least a device ought to be getting firmware loads from known good sources and not just accepting anything. As you suggest, another device could actually be a problem. I worked on heating equipment some years ago and we built in measures to prevent hackers from taking control and freezing the house.

        As long as no one hacks my coffee maker to brew Starbucks “Kingford” roast coffee, I’m okay with a fun hack.

        1. The point of it is that a freaking coffee machine doesn’t need wifi, and that its software should be simple enough (and tested enough) not to need a fast way to update it.

          The best translation I ever saw for “IoT” is “Internet of Tat.”

          Useless things uselessly connected to the internet that turn even more useless when the internet connection (or some server out there somewhere) goes offline.

    2. Many people live in apartment houses. A visitor in your neighbor’s apartment can hack your coffee maker without you ever knowing someone was there.

      Seriously. Are people so freaking lazy they need an “app” to flip a switch on the machine across the room?

    3. “What this hack overlooks though, is that while you may not have to come into my house to get to my WiFi, ”

      You, maybe, but what about millions that live in apartments, townhouses, etc.? The hack could be done while standing in the community hallway, or sitting on a balcony.

      1. And you don’t need to stand anywhere nearby if you don’t want to – highly directional antenna can be used if you want to stay a nice long distance away (though maybe not legal if you are bricking folks coffee machine for ransom I guess you don’t care about that)

  3. Y’know, I love my new tech as much as the next hacker, but you’ll pry my Bunn from my cold, dead hands. Filter, coffee, water, and 3 minutes. That’s all you need. Maybe a switch to turn on the hotplate if it isn’t going into the thermos.

    No microprocessors. No wifi. Nothing. I’m pretty sure the heating element is driven by a dumb thermostat. And I still got piping hot coffee in 3 minutes from cold tap water.

    Sometimes the design needs no work.

    1. A couple of years ago, I bought a couple of toy robotic kits (sort of like LEGO Mindstorm) from Sam’s Club.
      But, when I saw the only way to control them was through an Android app downloaded from China, I left them in their boxes.

      1. Yeah, I bought a Sphero RVR. Guess what. It would not do ‘anything’ (a brick) until I downloaded an app (Sphero Edu) to my phone, which then downloaded the firmware to it. Then and only then could I take control with an RPI that sits on top of the RVR and not use the ‘app’. So buy a brick (expensive) and enable it only with an app…. I emailed back and forth with the company and it came down to …. load the app to get where you want to be. I resisted, but then gave in as I do like intent of the platform. Don’t use the app of course now.

  4. I can’t help wondering how much of this IOT rubbish is caused by marketing departments running up to the company’s unsuspecting engineers and developers and screaming “we need an app”,
    “why, what does it do?”,
    “WE NEED AN APP!!!”

    1. To be fair, if you have a coffee machine that’s able to measure out its own ingredients and make a range of different beverages, controlling it with a cell phone app to set a timer and specify what beverage to make is a bit more understandable than some other IOT applications. Probably cheaper than a touch screen, too. But if you have to physically set up the coffeepot anyway, the app makes less sense.

      1. But then, you’d have to be carrying around your cell phone all the time. Frankly I’d rather not. When I am not on call, my phone sits idle on a desk somewhere in the house. Never understood why some are a slave to the phone and feel the ‘need’ to stay ‘connected’.

        Coffee pots, refrigerators, toasters, stove, dish washer, washing machine, dryer, etc….. No need to be internet aware. Add expensive for more things to go wrong as well.

  5. Someone hacked your coffee machine?

    Just give it a brain transplant.

    How about a coffee maker run via a RAMPS board?
    Maybe hack Marlin, add some g-code commands for brewing coffee.
    Now you can get back remote control using Octoprint.
