Chaos in a cup: When ransomware creeps into your smart coffee maker

When the fledgling concept of the Internet of Things (IoT) was beginning to excite the world almost a decade ago, perhaps no coffee lover at that time would’ve imagined including the coffee machine in the roster of internet-connected devices—even in jest. True, the simple, utilitarian coffee machine may not be as popular now as it used to back in the day, but its continued availability within office premises and private home kitchens, plus inherent risks—much like any IoT device—may be in equal footing with your smart speaker, smart doorbell, or smart light bulb.

Cybersecurity issues surrounding internet-connected coffee machines are further punctuated by the latest news about how Martin Hron, a reverse engineer from Avast, tinkered his Smarter coffee maker to not only beep and spew out hot water but also deprive you of a nice, morning brew and display a short ransom note.

Courtesy of Dan Goodin, Ars Technica

Yes, Hron turned his coffee maker into a ransomware machine by directly modifying its firmware.

Your bedlam before breakfast

Simply put, firmware is software that allows users to control the electronic hardware they’re using. Typically, firmware has no encryption or any form of protection, making it a likely and easy target to hit by malicious hackers and spy agencies.

“My colleagues often hear me say that ‘firmware is a [sic] new software.’ And that software is very often flawed,” writes Hron in a blog post detailing his coffee machine tinkering exploits, “The weakened state of IoT security is due in large part to the fact that, nowadays, it is more convenient and cheap to place a processor inside a device […]. This solution is not only cheap, but has also one important property—it can be updated.”

When it comes to breaking into smart coffee makers to explore vulnerabilities in smart devices, this isn’t Hron’s first rodeo. He also made a ransomware machine out of the coffee maker he hacked in June 2019 to make it do things we’ve seen in the above video. Not only that, he demonstrated that smart devices, in general, can be used as a gateway into private networks, allowing threat actors to do as they please within this space. From snooping on every device connected to the same network the coffee machine is connected to, to intercepting communication between and among users, to downloading sensitive data, to uploading malicious software.

Unfortunately, the latter was what happened to one company when ransomware was suddenly introduced in their system via a compromised coffee machine.

Coffee, connectivity, and a ransom note

A Reddit user who went by the handle C10H15N1—they admitted to the alias being a throw-away one to maintain anonymity—realized first-hand how a small mistake in setting up IoT devices in the workplace could cause panic and potentially massive problems if not dealt with early on.

Three years ago, they recounted in a post, they were faced with a problem when an operator of a local factory control system reported that all four computers with monitoring software installed were down and showing an error message, which we later on find out is actually a ransomware message. As a programmable logic controllers (PLC) expert, C10H15N1 assisted the operator to find out what’s wrong and come up with a solution. First, the operator described to him what sounded like a ransomware infection—something that wouldn’t happen given that the affected computers, which were still running on an outdated version of Windows XP, were not connected to the internet.

C10H15N1 then instructed the operator to restart the computers and reinstall a fresh image. It worked for a while, then one-by-one, the computers started showing the same error again, leaving C10H15N1 stumped. While in the middle of figuring out why the computers got reinfected, the operator went off to get coffee, only to come back empty handed because he couldn’t get a cup as the coffee machines were displaying the same error message.

At the end of the day, no human or machine were harmed during the attack. They eventually realized that malicious actors used the coffee machines as a platform to infect other computers within their network. Normally, smart coffee machines are connected to their own, isolated Wi-Fi; however, the third-party personnel who installed the percolators connected them to the control room network via a cable.

Nevertheless, C10H15N1’s company sent out a scathing letter to their coffee machine supplier about what happened.

What can you do to protect yourself from troubles your smart coffee machine may cause you?

While it is true that IoT ransomware is no longer a theory but a reality—albeit rare—this doesn’t mean that it’s alright for organizations and consumers alike to keep their guard down. Now that we have a real-world scenario, coupled with multiple feats of security researchers successfully hacking into smart percolators [1][2][3][4][5][6][7], IoT ransomware must be on every enterprise’s and private citizen’s radars. They should already be thinking of ways to better protect themselves. Let’s start with these:

  • Ensure that your smart percolator is not connected to a network that is also connected to by systems with sensitive information. Also avoid connecting to a network where sensitive communication within your organization (or home) takes place.
  • Update your smart percolator’s firmware ASAP.
  • Secure your network. Instead of using your router’s default password, change it to a more complex one.

When it comes to whether you should get an IoT device or not, the general rule is to first ask yourself this question: Do I really need my light bulb/coffee pot/washing machine/doorbell/other household items to be smart?

If your answer is “no”, then you should keep using the items and appliances you are using. However, if having an IoT in the home is unavoidable—you really need to replace that broken TV, and no shop is selling the same make and model anymore—then by all means buy that smart TV, and that smart coffee maker, too, while you’re at it. But please make sure that you do everything you can to stay protected. Remember that your supplier has their part to play in the security of things. You have your part, too.

Happy International Coffee Day! Keep that coffee flowing and, as always, stay safe!