We hacked one coffee maker in all kinds of ways – even turning it into a ransomware tool and a gateway to a home network
Imagine your worst Internet of Things nightmare: Your smart devices attack you. Now imagine a bigger nightmare: Your dependable “smart” coffee maker stops serving your morning brew.
As a “white hat” hacker and engineer, I’m pretty scared of a situation that denies me my favorite cup of coffee in the morning. So, to explore the vulnerabilities of smart devices, I took a deep breath and hacked a coffee maker.
What’s the worst that could happen? A hacker burns your coffee? Actually, we were able to configure the coffee maker into a ransomware machine. In an even more sinister hack, we were able to use the coffee maker as a gateway and spy into all the connected devices on the home network.
And there was no coffee. (Sorry to be so scary.)
We exploited a common problem: Like many smart devices, the coffee maker came with default settings and a Wi-Fi connection, so it worked right out of the box. No password was required to connect to the coffee maker over Wi-Fi, so it was easy to upload malicious code into the machine.
We took the hacking of that one device to extremes – turning it into a ransomware tool and using it as a gateway into the hacking of a home’s entire network. We weren’t just hacking a coffee maker; we were demonstrating the potential hacking of a world of smart devices.
Recent research from Avast and Stanford University shows that 66% of North American homes have at least one IoT device, and 40% of homes globally do. A relatively small group of device makers – 90% of devices are made by just 100 vendors – suggests the possibility of similar vulnerabilities that could be exploited in large-scale attacks.
The coffee maker we hacked is probably much like one you have in your home or office. It makes coffee when you push a few buttons on the machine – or when you operate it with an app on your mobile phone or tablet.
Many IoT devices first connect to your home network via their own Wi-Fi network, which is intended to be used just to set up the machine. Ideally consumers immediately protect that Wi-Fi network with a password. But many devices are sold without a password to protect the Wi-Fi network, and many consumers don’t add one. This is a major vulnerability, because that Wi-Fi network is public in that it is visible to anyone. So hackers can see it and use it to compromise your smart device, for instance by uploading malicious software to it. Once that device is compromised, other devices in the home can later be hacked, too. In fact, the entire network can be accessed via one smart device. Bad actors can even access the computers and mobile devices connected to the network.
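A defender-side check for the open setup network described above, as an added example that is not part of the original article: it parses a Wi-Fi scan and reports passwordless networks, matching them against devices you own. It assumes Linux `nmcli` terse-mode output; the scan lines and the `INVENTORY` mapping are constructed for illustration.

```python
# Added example: find open (passwordless) Wi-Fi networks in a scan and
# match them to your own devices. SAMPLE_SCAN is constructed; real input
# would come from:  nmcli -t -f SSID,BSSID,SECURITY device wifi list
# In terse mode nmcli separates fields with ':' and backslash-escapes
# any ':' or '\' that occurs inside a value.
SAMPLE_SCAN = r"""HomeNet:AA\:BB\:CC\:00\:11\:22:WPA2
CoffeeMaker-Setup:AA\:BB\:CC\:00\:11\:33:
Guest\:Lobby:AA\:BB\:CC\:00\:11\:44:--
:AA\:BB\:CC\:00\:11\:55:WPA2 WPA3
"""

# Hypothetical inventory of devices you own, keyed by access-point MAC (BSSID).
INVENTORY = {"AA:BB:CC:00:11:33": "kitchen coffee maker"}


def split_terse(line):
    """Split one terse-mode line on unescaped ':' and undo the escapes."""
    fields, cur, i = [], [], 0
    while i < len(line):
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):
            cur.append(line[i + 1])  # escaped character is kept literally
            i += 2
        elif ch == ":":
            fields.append("".join(cur))
            cur = []
            i += 1
        else:
            cur.append(ch)
            i += 1
    fields.append("".join(cur))
    return fields


def open_networks(scan_text, inventory):
    """Return networks that advertise no security, labelled with their owner."""
    findings = []
    for line in scan_text.splitlines():
        fields = split_terse(line)
        if len(fields) != 3:
            continue  # blank or malformed line
        ssid, bssid, security = fields
        if security.strip() in ("", "--"):  # both forms mean "no password"
            owner = inventory.get(bssid.upper(), "unknown")
            findings.append({"ssid": ssid or "<hidden>", "bssid": bssid.upper(), "device": owner})
    return findings


if __name__ == "__main__":
    for f in open_networks(SAMPLE_SCAN, INVENTORY):
        print(f"OPEN  {f['ssid']:<20} {f['bssid']}  device: {f['device']}")
```

An open network that maps to a device in your inventory is one still broadcasting its setup network and should be finished configuring or password-protected.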
We infiltrated the coffee maker via Wi-Fi, then set up malicious software updates that made the coffee maker do unexpected and potentially dangerous things. We made the burner overheat, potentially starting a fire. We made scalding water pour onto the burner. We even made the coffee maker send ransomware messages demanding payment.
Here’s a more serious scenario: You never hear anything at all from the hacked coffee maker – or any of your other smart devices that are connected to it. Remember: A remotely hacked coffee maker can be used as a gateway to the entire network. That means hackers could have access to everything: the emails sent on the Wi-Fi, the payment information when you shop online, the home security system, the baby monitor, everything.
That’s what can be at risk when you hook up IoT devices without locking down their security. And millions of people have done that – not realizing how exposed they are to compromise. That’s why we did this – so people everywhere would wake up and smell the coffee.
What can you do to secure your smart home? Learn and live by these IoT security tips.
The risks are out there, but so are solutions. There is no need to fear the oncoming horde of IoT devices. Stay alert to what you’re adding to your network, keep your network protected, and you can safely explore secured smart devices.