Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint

11/5/2015
04:00 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Vulnerable Coffee Machine Demonstrates Brewing Security Challenges Of IoT

Researchers examined four mobile-app controlled home devices and found vulnerabilities in every single one of them.

Most people probably never think of their faithful coffee machine providing a way for a hacker to gain access to the home network. But if you happen to be using one of the new-fangled WiFi enabled brewers that are becoming available these days, you might have a small problem.

Turns out that the devices, which can be controlled via a mobile app, do more than just let users brew a hot pot of coffee from anywhere via their smartphones. A vulnerability in the way the coffee maker exchanges information with a smartphone during initial setup provides a way for an attacker to grab the password to the home wireless network, security vendor Kaspersky Lab said in a report released Thursday.

The smart coffee maker was one of four wireless-enabled home devices that the researchers examined for vulnerabilities. They discovered flaws of varying severity in each of them.

None of the flaws that Kaspersky discovered were of the show-stopping variety. And some of them, like the one in the coffee maker, can only be exploited under certain pretty unlikely conditions. (An attacker would need to know exactly when someone was setting up their new coffee maker and be physically near the device in order to be able to intercept the password).

Even so, the vulnerabilities provide an indication of the sort of security issues that will need to be mitigated before an IoT-enabled world can be fully embraced, the research says. "The results of our investigation provide much food for thought," Kaspersky researchers Victor Alyushin and Vladimir Krylov said in the report.

The four devices that the researchers examined were Google’s Chromecast video-streaming USB dongle; a smartphone-controlled IP camera; a similarly enabled home security system; and the smart coffee maker.

In the case of Chromecast, the researchers found that a previously discovered flaw in the system could be exploited from a significantly longer distance than previously thought. The so-called "rickrolling" vulnerability basically allows an attacker to flood the Chromecast USB dongle with requests to disconnect itself from the home WiFi network. Once disconnected, the Chomrecast USB tries reconnecting to the network in a process that involves using its own WiFi network to connect to a smartphone or tablet. The rickrolling flaw allows an attacker to essentially intercept this process and get the device to connect to its rogue device instead.

Up to now, it had been thought that only someone situated physically close to the Chromecast dongle could exploit the flaw. What the Kaspersky researchers found is that the vulnerability can be exploited from a far greater distance using an inexpensive directional WiFi antenna and a version of Linux used for penetration testing purposes.

The researchers found three security flaws in the smartphone-controlled IP camera that they examined, all of which have now been fixed. One of the flaws basically gave attackers a way to gain complete control of the camera by intercepting the communication between the smartphone app and camera as it gets routed via a cloud service provider. Another of the now patched flaws gave attackers root-level access to the camera hardware and would have allowed them to change the firmware at will.

A similar inspection of the home security system showed a weakness in the sensors used to inform homeowners if a locked window or door is opened. The flaw would have let attackers bypass the sensors relatively easily using little more than a magnet.

The main takeaway from the report is that any mobile app-controlled consumer device is likely to have security holes in them, Alyushin told Dark Reading. "The probability that they will be critical is not that high," he says.

"At the same time, the low severity of such security issues doesn't guarantee that they won't be used in an attack," he says. Attackers can cause real damage by combining multiple low-level flaws, he warns.

"Criminals might exploit several of these issues at once, which is why it is so important for vendors to fix all issues -- even those that are not critical," he says.

 

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Zero-Factor Authentication: Owning Our Data
Nick Selby, Chief Security Officer at Paxos Trust Company,  2/19/2020
44% of Security Threats Start in the Cloud
Kelly Sheridan, Staff Editor, Dark Reading,  2/19/2020
Ransomware Damage Hit $11.5B in 2019
Dark Reading Staff 2/20/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
6 Emerging Cyber Threats That Enterprises Face in 2020
This Tech Digest gives an in-depth look at six emerging cyber threats that enterprises could face in 2020. Download your copy today!
Flash Poll
How Enterprises Are Developing and Maintaining Secure Applications
How Enterprises Are Developing and Maintaining Secure Applications
The concept of application security is well known, but application security testing and remediation processes remain unbalanced. Most organizations are confident in their approach to AppSec, although others seem to have no approach at all. Read this report to find out more.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-7914
PUBLISHED: 2020-02-21
btif/src/btif_dm.c in Android before 5.1 does not properly enforce the temporary nature of a Bluetooth pairing, which allows user-assisted remote attackers to bypass intended access restrictions via crafted Bluetooth packets after the tapping of a crafted NFC tag.
CVE-2016-4606
PUBLISHED: 2020-02-21
Curl before 7.49.1 in Apple OS X before macOS Sierra prior to 10.12 allows remote or local attackers to execute arbitrary code, gain sensitive information, cause denial-of-service conditions, bypass security restrictions, and perform unauthorized actions. This may aid in other attacks.
CVE-2020-5243
PUBLISHED: 2020-02-21
uap-core before 0.7.3 is vulnerable to a denial of service attack when processing crafted User-Agent strings. Some regexes are vulnerable to regular expression denial of service (REDoS) due to overlapping capture groups. This allows remote attackers to overload a server by setting the User-Agent hea...
CVE-2019-14688
PUBLISHED: 2020-02-20
Trend Micro has repackaged installers for several Trend Micro products that were found to utilize a version of an install package that had a DLL hijack vulnerability that could be exploited during a new product installation. The vulnerability was found to ONLY be exploitable during an initial produc...
CVE-2019-19694
PUBLISHED: 2020-02-20
The Trend Micro Security 2019 (15.0.0.1163 and below) consumer family of products is vulnerable to a denial of service (DoS) attack in which a malicious actor could manipulate a key file at a certain time during the system startup process to disable the product's malware protection functions or the ...