Coffee maker ransomware is both amusing and frightening [UPDATE]

JC Torres - Sep 27, 2020, 9:54pm CDT
Coffee maker ransomware is both amusing and frightening [UPDATE]

The IoT or Internet of Things explosion brought about a new generation of devices and appliances that could what we previously only saw in science fiction. Almost all of their abilities, however, relied on connecting to the Internet or at least to your home network. Security experts have warned about the risks of such connected devices but while owners themselves may take some precaution, all of that gets thrown out the window if the manufacturer itself doesn’t even meet the basic security requirements.

There have been instances in the past when Smarter’s iKettles have been reported with security vulnerabilities. To be clear, the latest versions of its iKettle and Coffee Maker smart appliances have reportedly plugged up the security holes. Considering how people rarely change appliances until they’re broken, however, they may not be aware of the security dangers they have put themselves in from outdated models.

The core problem with Smarter’s first-gen connected coffee maker is that it doesn’t employ even the most basic security practices for software, especially those that go through a network. Communication with the smartphone app isn’t encrypted and firmware updates coming through that same app is nether encrypted nor checked for integrity. It’s no surprise, then, that Avast security researcher Martin Hron was able to “update” Smarter’s coffee machine with ransomware disguised as firmware and make all hell break loose.

The ransomware pretty much made the machine go haywire and perform functions without any way of stopping it except to unplug the machine. Of course, it was simply a proof-of-concept so no ransom could be paid to fix the issue. You are, therefore, stuck with a malfunctioning coffee maker.

This report should be used as an anecdote to shun the progress that IoT made. It should, however, serve as a cautionary tale for manufacturers to step up their security game now that the Internet is part of the product’s equation and for consumers to be more conscious of the smart products that they buy and bring into their homes.

UPDATE: The article erroneously named the iKettle as the machine in question. The article has been updated to correct this. Additionally, a Smarter representative reached out with this statement from the company:

“Smarter is committed to ensuring its smart kitchen range has the highest levels of security safeguards at its core, and all connected products sold since 2017 are certified to the UL 2900-2-2 Standard for Software Cybersecurity for Network-Connectable Devices. A very limited number of first-generation units had been sold in 2016 and although updates are no longer supported for these models, we do review any legacy claims on a per customer basis in order to provide continued customer care.”

Must Read Bits & Bytes