Hackers kidnap your morning Joe? Someones got a case of the Mondays
As a civilized person, I drink tea every morning. Made in my small single cup pot with water heated by a simple electric kettle. This is the tradition that built the greatest empires history has ever known. Yet for some reason, there are people, crazy people, who’d rather start their day drinking sludge made from some ground up, bitter, burnt seeds.
People who drink coffee seem very particular about how they make their beverages. Dare I say more so than tea drinkers. With leaf snobs the argument is usually over whether to warm the pot, or if the milk goes in first or last. However, bean aficionados seem to need all sorts of wacky gadgets to achieve the perfect cup. Including, of course, ones that connect to the internet.
Well, this Internet of Things (IoT) tech has a bit of a problem with security, or lack there of. Security researcher Martin Hron at Avast noted that the firmware on these devices is easily susceptible to alterations without even physically accessing the machine itself. Pretty much all data they’re sending over the net is in plaintext over unsecured WiFi connections.
You can click the link above for a full rundown on what the researches did. The gist of it though is Hron was able to tweak the firmware and change menu prompts without too much effort. He created a laughably simple little program that resides in an unused portion of memory, which locks the coffee pot’s controls and displays a cheeky ransomeware message. Imagine waking up to see your fancy kitchen gadget demanding a microtransaction before making your brew. Actually, scratch that, I don’t want to give EA any ideas.
Of course the hacker still needs to somehow bust into the local network to jack your pot. However, this may be easier than you’d think given that modems and routers also rarely receive security patches. Fake Android apps could also utilize social engineering to cheekily sneak in.
The problem isn’t just limited to ransomeware either, as IoT devices could also be hijacked for botnets and DDoS attacks. Something which researchers have been warning about for some time now. Most of these devices use general purpose ARM computers to operate their functions rather than dedicated hardware. So there’s really no special code or insider knowledge involved here. The companies that make them often contract out software development to third parties, and often don’t understand the need to keep that software patched. Making for a rather large security hole. A chain is only as strong as its weakest link.
I think I’ll stick with my “dumb” kettle and china pot for the time being.