Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint

11/5/2015
04:00 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Vulnerable Coffee Machine Demonstrates Brewing Security Challenges Of IoT

Researchers examined four mobile-app controlled home devices and found vulnerabilities in every single one of them.

Most people probably never think of their faithful coffee machine providing a way for a hacker to gain access to the home network. But if you happen to be using one of the new-fangled WiFi enabled brewers that are becoming available these days, you might have a small problem.

Turns out that the devices, which can be controlled via a mobile app, do more than just let users brew a hot pot of coffee from anywhere via their smartphones. A vulnerability in the way the coffee maker exchanges information with a smartphone during initial setup provides a way for an attacker to grab the password to the home wireless network, security vendor Kaspersky Lab said in a report released Thursday.

The smart coffee maker was one of four wireless-enabled home devices that the researchers examined for vulnerabilities. They discovered flaws of varying severity in each of them.

None of the flaws that Kaspersky discovered were of the show-stopping variety. And some of them, like the one in the coffee maker, can only be exploited under certain pretty unlikely conditions. (An attacker would need to know exactly when someone was setting up their new coffee maker and be physically near the device in order to be able to intercept the password).

Even so, the vulnerabilities provide an indication of the sort of security issues that will need to be mitigated before an IoT-enabled world can be fully embraced, the research says. "The results of our investigation provide much food for thought," Kaspersky researchers Victor Alyushin and Vladimir Krylov said in the report.

The four devices that the researchers examined were Google’s Chromecast video-streaming USB dongle; a smartphone-controlled IP camera; a similarly enabled home security system; and the smart coffee maker.

In the case of Chromecast, the researchers found that a previously discovered flaw in the system could be exploited from a significantly longer distance than previously thought. The so-called "rickrolling" vulnerability basically allows an attacker to flood the Chromecast USB dongle with requests to disconnect itself from the home WiFi network. Once disconnected, the Chomrecast USB tries reconnecting to the network in a process that involves using its own WiFi network to connect to a smartphone or tablet. The rickrolling flaw allows an attacker to essentially intercept this process and get the device to connect to its rogue device instead.

Up to now, it had been thought that only someone situated physically close to the Chromecast dongle could exploit the flaw. What the Kaspersky researchers found is that the vulnerability can be exploited from a far greater distance using an inexpensive directional WiFi antenna and a version of Linux used for penetration testing purposes.

The researchers found three security flaws in the smartphone-controlled IP camera that they examined, all of which have now been fixed. One of the flaws basically gave attackers a way to gain complete control of the camera by intercepting the communication between the smartphone app and camera as it gets routed via a cloud service provider. Another of the now patched flaws gave attackers root-level access to the camera hardware and would have allowed them to change the firmware at will.

A similar inspection of the home security system showed a weakness in the sensors used to inform homeowners if a locked window or door is opened. The flaw would have let attackers bypass the sensors relatively easily using little more than a magnet.

The main takeaway from the report is that any mobile app-controlled consumer device is likely to have security holes in them, Alyushin told Dark Reading. "The probability that they will be critical is not that high," he says.

"At the same time, the low severity of such security issues doesn't guarantee that they won't be used in an attack," he says. Attackers can cause real damage by combining multiple low-level flaws, he warns.

"Criminals might exploit several of these issues at once, which is why it is so important for vendors to fix all issues -- even those that are not critical," he says.

 

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
US Turning Up the Heat on North Korea's Cyber Threat Operations
Jai Vijayan, Contributing Writer,  9/16/2019
Fed Kaspersky Ban Made Permanent by New Rules
Dark Reading Staff 9/11/2019
NetCAT Vulnerability Is Out of the Bag
Dark Reading Staff 9/12/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-16395
PUBLISHED: 2019-09-17
GnuCOBOL 2.2 has a stack-based buffer overflow in the cb_name() function in cobc/tree.c via crafted COBOL source code.
CVE-2019-16396
PUBLISHED: 2019-09-17
GnuCOBOL 2.2 has a use-after-free in the end_scope_of_program_name() function in cobc/parser.y via crafted COBOL source code.
CVE-2019-16199
PUBLISHED: 2019-09-17
eQ-3 Homematic CCU2 before 2.47.18 and CCU3 before 3.47.18 allow Remote Code Execution by unauthenticated attackers with access to the web interface via an HTTP POST request to certain URLs related to the ReGa core process.
CVE-2019-16391
PUBLISHED: 2019-09-17
SPIP before 3.1.11 and 3.2 before 3.2.5 allows authenticated visitors to modify any published content and execute other modifications in the database. This is related to ecrire/inc/meta.php and ecrire/inc/securiser_action.php.
CVE-2019-16392
PUBLISHED: 2019-09-17
SPIP before 3.1.11 and 3.2 before 3.2.5 allows prive/formulaires/login.php XSS via error messages.