Threat Research

The Internet of Thing: How a single coffee maker’s vulnerabilities symbolize a world of IoT risks

Martin Hron, 18 June 2019

We hacked one coffee maker in all kinds of ways – even turning it into a ransomware tool and a gateway to a home network

Imagine your worst Internet of Things nightmare: Your smart devices attack you. Now imagine a bigger nightmare: Your dependable “smart” coffee maker stops serving your morning brew.

As a “white hat” hacker and engineer I’m pretty scared of a situation that denies me my favorite cup of coffee in the morning. So to explore the vulnerabilities of smart devices I took a deep breath and hacked a coffee maker.

What’s the worst that could happen? A hacker burns your coffee? Actually, we were able to configure the coffee maker into a ransomware machine. In an even more sinister hack, we were able to use the coffee maker as a gateway and spy into all the connected devices on the home network.

And there was no coffee. (Sorry to be so scary.)

We exploited a common problem: Like many smart devices, the coffee maker came with default settings and a Wi-Fi connection, so it worked right out of the box. No password was required to connect to the coffee maker over Wi-Fi, so it was easy to upload malicious code into the machine.

We took the hacking of that one device to extremes – turning it into a ransomware tool and using it as a gateway into the hacking of a home’s entire network. We weren’t just hacking a coffee maker; we were demonstrating the potential hacking of a world of smart devices.

Recent research from Avast and Stanford University shows that 66% of North American homes have at least one IoT device, and 40% of homes globally do. A relatively small group of device makers – 90% of devices are made by just 100 vendors – suggests the possibility of similar vulnerabilities that could be exploited in large-scale attacks.

The coffee maker we hacked is probably much like one you have in your home or office. It makes coffee when you push a few buttons on the machine – or when you operate it with an app on your mobile phone or tablet.

Many IoT devices first connect to your home network via their own Wi-Fi network, which is intended to be used just to set up the machine. Ideally consumers immediately protect that Wi-Fi network with a password. But many devices are sold without a password to protect the Wi-Fi network, and many consumers don’t add one. This is a major vulnerability, because that Wi-Fi network is public in that it is visible to anyone. So hackers can see it and use it to compromise your smart device, for instance by uploading malicious software to it. Once that device is compromised, other devices in the home can later be hacked, too. In fact, the entire network can be accessed via one smart device. Bad actors can even access the computers and mobile devices connected to the network.

We infiltrated the coffee maker via Wi-Fi, then set up malicious software updates that made the coffee maker do unexpected and potentially dangerous things. We made the burner overheat, potentially starting a fire. We made scalding water pour onto the burner. We even made the coffee maker send ransomware messages demanding payment.

Here’s a more serious scenario: You never hear anything at all from the hacked coffee maker – or any of your other smart devices that are connected to it. Remember: One of the ways the coffee maker can be hacked remotely is to use it as a gateway to the entire network. That means hackers could have access to everything: The emails sent on the Wi-Fi, the payment information when you shop online, the home security system, the baby monitor, everything.

That’s what can be at risk when you hook up IoT devices without locking down their security. And millions of people have done that – not realizing how exposed they are to compromise. That’s why we did this – so people everywhere would wake up and smell the coffee.

IoT security solutions

What can you do to secure your smart home? Learn and live by these IoT security tips.

  • Secure the wireless network – IoT network security begins and ends with the router. It comes with a default password, so change it right away to something complex.
  • Consider cybersecurity – IoT security products are being released in the near future, such as Avast Smart Home Security.
  • Change default passwords – This goes for any device that comes with a default password, not just your router.
  • Know your devices – It may be tempting to tear it out of the box and simply punch ON, but it’s imperative to look at every connected device as more than a gadget.
  • Update ASAP always – It cannot be stressed enough — keep the firmware of your IoT devices updated with the latest versions and patches available.
  • Connect only if necessary – If you don’t necessarily need your coffee maker or your lightbulbs to be “smart,” keep using the analog classics.

The risks are out there, but so are solutions. There is no need to fear the oncoming horde of IoT devices. Stay alert to what you’re adding to your network, keep your network protected, and you can safely explore secured smart devices.