Endpoint

11/5/2015
04:00 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Vulnerable Coffee Machine Demonstrates Brewing Security Challenges Of IoT

Researchers examined four mobile-app controlled home devices and found vulnerabilities in every single one of them.

Most people probably never think of their faithful coffee machine providing a way for a hacker to gain access to the home network. But if you happen to be using one of the new-fangled WiFi enabled brewers that are becoming available these days, you might have a small problem.

Turns out that the devices, which can be controlled via a mobile app, do more than just let users brew a hot pot of coffee from anywhere via their smartphones. A vulnerability in the way the coffee maker exchanges information with a smartphone during initial setup provides a way for an attacker to grab the password to the home wireless network, security vendor Kaspersky Lab said in a report released Thursday.

The smart coffee maker was one of four wireless-enabled home devices that the researchers examined for vulnerabilities. They discovered flaws of varying severity in each of them.

None of the flaws that Kaspersky discovered were of the show-stopping variety. And some of them, like the one in the coffee maker, can only be exploited under certain pretty unlikely conditions. (An attacker would need to know exactly when someone was setting up their new coffee maker and be physically near the device in order to be able to intercept the password).

Even so, the vulnerabilities provide an indication of the sort of security issues that will need to be mitigated before an IoT-enabled world can be fully embraced, the research says. "The results of our investigation provide much food for thought," Kaspersky researchers Victor Alyushin and Vladimir Krylov said in the report.

The four devices that the researchers examined were Google’s Chromecast video-streaming USB dongle; a smartphone-controlled IP camera; a similarly enabled home security system; and the smart coffee maker.

In the case of Chromecast, the researchers found that a previously discovered flaw in the system could be exploited from a significantly longer distance than previously thought. The so-called "rickrolling" vulnerability basically allows an attacker to flood the Chromecast USB dongle with requests to disconnect itself from the home WiFi network. Once disconnected, the Chomrecast USB tries reconnecting to the network in a process that involves using its own WiFi network to connect to a smartphone or tablet. The rickrolling flaw allows an attacker to essentially intercept this process and get the device to connect to its rogue device instead.

Up to now, it had been thought that only someone situated physically close to the Chromecast dongle could exploit the flaw. What the Kaspersky researchers found is that the vulnerability can be exploited from a far greater distance using an inexpensive directional WiFi antenna and a version of Linux used for penetration testing purposes.

The researchers found three security flaws in the smartphone-controlled IP camera that they examined, all of which have now been fixed. One of the flaws basically gave attackers a way to gain complete control of the camera by intercepting the communication between the smartphone app and camera as it gets routed via a cloud service provider. Another of the now patched flaws gave attackers root-level access to the camera hardware and would have allowed them to change the firmware at will.

A similar inspection of the home security system showed a weakness in the sensors used to inform homeowners if a locked window or door is opened. The flaw would have let attackers bypass the sensors relatively easily using little more than a magnet.

The main takeaway from the report is that any mobile app-controlled consumer device is likely to have security holes in them, Alyushin told Dark Reading. "The probability that they will be critical is not that high," he says.

"At the same time, the low severity of such security issues doesn't guarantee that they won't be used in an attack," he says. Attackers can cause real damage by combining multiple low-level flaws, he warns.

"Criminals might exploit several of these issues at once, which is why it is so important for vendors to fix all issues -- even those that are not critical," he says.

 

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Russia Hacked Clinton's Computers Five Hours After Trump's Call
Robert Lemos, Technology Journalist/Data Researcher,  4/19/2019
Tips for the Aftermath of a Cyberattack
Kelly Sheridan, Staff Editor, Dark Reading,  4/17/2019
Why We Need a 'Cleaner Internet'
Darren Anstee, Chief Technology Officer at Arbor Networks,  4/19/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
5 Emerging Cyber Threats to Watch for in 2019
Online attackers are constantly developing new, innovative ways to break into the enterprise. This Dark Reading Tech Digest gives an in-depth look at five emerging attack trends and exploits your security team should look out for, along with helpful recommendations on how you can prevent your organization from falling victim.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-11486
PUBLISHED: 2019-04-23
The Siemens R3964 line discipline driver in drivers/tty/n_r3964.c in the Linux kernel before 5.0.8 has multiple race conditions.
CVE-2019-11487
PUBLISHED: 2019-04-23
The Linux kernel before 5.1-rc5 allows page->_refcount reference count overflow, with resultant use-after-free issues, if about 140 GiB of RAM exists. This is related to fs/fuse/dev.c, fs/pipe.c, fs/splice.c, include/linux/mm.h, include/linux/pipe_fs_i.h, kernel/trace/trace.c, mm/gup.c, and mm/hu...
CVE-2018-7576
PUBLISHED: 2019-04-23
Google TensorFlow 1.6.x and earlier is affected by: Null Pointer Dereference. The type of exploitation is: context-dependent.
CVE-2018-8825
PUBLISHED: 2019-04-23
Google TensorFlow 1.7 and below is affected by: Buffer Overflow. The impact is: execute arbitrary code (local).
CVE-2019-10688
PUBLISHED: 2019-04-23
VVX products using UCS software version 5.8.0 and earlier with Better Together over Ethernet Connector (BToE) application version 3.8.0 and earlier uses hard-coded credentials to establish a connection between the host application and device.