Hey, guys! How are y’all holding up? I’m a little sleepy and in desperate need of coffee right now … except that can’t happen because the coffee machine’s hacked.
I’m kidding! It wasn’t my coffee machine that got hacked into ... yet.
A smart coffee machine by Smarter got successfully hacked into by a curious senior researcher in Avast, Martin Hron. The best part is that this wasn’t any normal hack. The coffee machine got hacked with ransomware.
Yes, you read that right!
IoT has made this a reality now: pay the ransom or no coffee. Sad day for all coffee lovers out there. However, this isn’t the worst-case scenario … unless you can’t function as a human being without caffeine.
All jokes apart, let’s take a look at the ransomware attack on the smart coffee machine.
What did the curious researcher discover?
Hron wanted to find out if it was possible to hack a smart coffee machine without first compromising either the network it was connected to or the router itself.
Apparently, he could.
A smart coffee machine that’s turned on behaves as a Wi-Fi access point where it establishes an unencrypted, unsecured connection to a companion application. The poorly protected connection allowed him to probe the firmware update mechanism used. Predictably, the updates were also unencrypted - no authentication; no code-signing.
With all of these advantages at hand, Hron proceeded with the reverse-engineering process of the firmware stored within the Android application.
How did he go about the ransomware attack?
Hron’s initial plan was to turn the smart coffee machine into a cryptocurrency mining machine rather than doing something goofy and, frankly, pointless like spit out coffee. Cryptocurrency mining was possible, however, the speed of the CPU of the smart coffee machine didn’t allow for this to happen.
So, Hron settled for the next best thing: creating a nuisance that can’t be ignored.
He created a huge, noisy malfunction that can only be stopped by paying a ransom or simply unplugging the smart coffee machine. Since Hron spent a long time devising his ransomware attack, he made sure it was both persistent and hard to dismiss.
Here’s the recipe of the ransomware attack:
Ransomware attack =
Trigger (command that connects the machine to the network) +
Payload (some malicious code that "renders the coffee maker unusable and asks for a ransom")
Hron didn’t stop there, though. Just like his ransomware, he persisted.
He went ahead and configured his trigger codes to permanently turn on the hotbed and water heater as well as the coffee grinder in the smart coffee machine. Once again, the only way to silence the frenzied machine is to pay the ransom or simply unplug the machine. Plugging the machine back in, however, resumes the onslaught continues anew.
Find the video of the smart coffee machine hack in action here.
Thinking out loud
A hacker wouldn’t gain much in hacking a smart coffee machine for ransom. I mean, the smarter choice in this high-risk, low-gain scenario would be to replace the hacked smart coffee machine rather with a more secured one rather than paying the ransom - which may be more pricey.
With this objective in mind, a hacker would be wasting time and resources on a useless attempt. However, there is something much more dangerous that a hacker can do that will result in much more severe consequences.
In an article by Ars Technica, a more worrisome move that a hacker can make is hacking into the smart coffee machine to programme it to attack the router or other network-connected devices. According to Hron, this is possible with a little extra work.
Though the smart coffee machine Hron hacked into is an older generation, no longer supported model, all IoT devices - in general - are open to all kinds of risks and attacks due to the lack of proper security in place. As such, we need always make sure any technology we invest in comes with enough security in it, especially IoT devices.
That’s it for the blog today, y’all! Feel free to drop comments and share this blog if you found it interesting.
Stay safe and stay tuned.
Until next time, friends!