Endpoint

11/5/2015
04:00 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Vulnerable Coffee Machine Demonstrates Brewing Security Challenges Of IoT

Researchers examined four mobile-app controlled home devices and found vulnerabilities in every single one of them.

Most people probably never think of their faithful coffee machine providing a way for a hacker to gain access to the home network. But if you happen to be using one of the new-fangled WiFi enabled brewers that are becoming available these days, you might have a small problem.

Turns out that the devices, which can be controlled via a mobile app, do more than just let users brew a hot pot of coffee from anywhere via their smartphones. A vulnerability in the way the coffee maker exchanges information with a smartphone during initial setup provides a way for an attacker to grab the password to the home wireless network, security vendor Kaspersky Lab said in a report released Thursday.

The smart coffee maker was one of four wireless-enabled home devices that the researchers examined for vulnerabilities. They discovered flaws of varying severity in each of them.

None of the flaws that Kaspersky discovered were of the show-stopping variety. And some of them, like the one in the coffee maker, can only be exploited under certain pretty unlikely conditions. (An attacker would need to know exactly when someone was setting up their new coffee maker and be physically near the device in order to be able to intercept the password).

Even so, the vulnerabilities provide an indication of the sort of security issues that will need to be mitigated before an IoT-enabled world can be fully embraced, the research says. "The results of our investigation provide much food for thought," Kaspersky researchers Victor Alyushin and Vladimir Krylov said in the report.

The four devices that the researchers examined were Google’s Chromecast video-streaming USB dongle; a smartphone-controlled IP camera; a similarly enabled home security system; and the smart coffee maker.

In the case of Chromecast, the researchers found that a previously discovered flaw in the system could be exploited from a significantly longer distance than previously thought. The so-called "rickrolling" vulnerability basically allows an attacker to flood the Chromecast USB dongle with requests to disconnect itself from the home WiFi network. Once disconnected, the Chomrecast USB tries reconnecting to the network in a process that involves using its own WiFi network to connect to a smartphone or tablet. The rickrolling flaw allows an attacker to essentially intercept this process and get the device to connect to its rogue device instead.

Up to now, it had been thought that only someone situated physically close to the Chromecast dongle could exploit the flaw. What the Kaspersky researchers found is that the vulnerability can be exploited from a far greater distance using an inexpensive directional WiFi antenna and a version of Linux used for penetration testing purposes.

The researchers found three security flaws in the smartphone-controlled IP camera that they examined, all of which have now been fixed. One of the flaws basically gave attackers a way to gain complete control of the camera by intercepting the communication between the smartphone app and camera as it gets routed via a cloud service provider. Another of the now patched flaws gave attackers root-level access to the camera hardware and would have allowed them to change the firmware at will.

A similar inspection of the home security system showed a weakness in the sensors used to inform homeowners if a locked window or door is opened. The flaw would have let attackers bypass the sensors relatively easily using little more than a magnet.

The main takeaway from the report is that any mobile app-controlled consumer device is likely to have security holes in them, Alyushin told Dark Reading. "The probability that they will be critical is not that high," he says.

"At the same time, the low severity of such security issues doesn't guarantee that they won't be used in an attack," he says. Attackers can cause real damage by combining multiple low-level flaws, he warns.

"Criminals might exploit several of these issues at once, which is why it is so important for vendors to fix all issues -- even those that are not critical," he says.

 

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
'PowerSnitch' Hacks Androids via Power Banks
Kelly Jackson Higgins, Executive Editor at Dark Reading,  12/8/2018
The Case for a Human Security Officer
Ira Winkler, CISSP, President, Secure Mentem,  12/5/2018
Windows 10 Security Questions Prove Easy for Attackers to Exploit
Kelly Sheridan, Staff Editor, Dark Reading,  12/5/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
10 Best Practices That Could Reshape Your IT Security Department
This Dark Reading Tech Digest, explores ten best practices that could reshape IT security departments.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-8651
PUBLISHED: 2018-12-12
A cross site scripting vulnerability exists when Microsoft Dynamics NAV does not properly sanitize a specially crafted web request to an affected Dynamics NAV server, aka "Microsoft Dynamics NAV Cross Site Scripting Vulnerability." This affects Microsoft Dynamics NAV.
CVE-2018-8652
PUBLISHED: 2018-12-12
A Cross-site Scripting (XSS) vulnerability exists when Windows Azure Pack does not properly sanitize user-provided input, aka "Windows Azure Pack Cross Site Scripting Vulnerability." This affects Windows Azure Pack Rollup 13.1.
CVE-2018-8617
PUBLISHED: 2018-12-12
A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge, aka "Chakra Scripting Engine Memory Corruption Vulnerability." This affects Microsoft Edge, ChakraCore. This CVE ID is unique from CVE-2018-8583, CVE-2018-8...
CVE-2018-8618
PUBLISHED: 2018-12-12
A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge, aka "Chakra Scripting Engine Memory Corruption Vulnerability." This affects Microsoft Edge, ChakraCore. This CVE ID is unique from CVE-2018-8583, CVE-2018-8...
CVE-2018-8619
PUBLISHED: 2018-12-12
A remote code execution vulnerability exists when the Internet Explorer VBScript execution policy does not properly restrict VBScript under specific conditions, aka "Internet Explorer Remote Code Execution Vulnerability." This affects Internet Explorer 9, Internet Explorer 11, Internet Exp...