maximus otter
Recovering policeman
- Joined
- Aug 9, 2001
- Messages
- 13,848
It’s no secret that the Internet of Things is full of insecure gadgets. All you need is one high profile incident to be flooded with terrifying headlines about how everything from robotic vacuum cleaners to smart sex toys can be hacked to spy on you. However, apparently some devices like Smarter’s IoT coffee machine can also be reprogrammed to go haywire and demand ransom from unsuspecting users.
This week, Martin Hron, a researcher with the security firm Avast, reverse engineered a $250 Smarter coffee maker as part of a thought experiment to potentially uncover an important flaw in the infrastructure of smart devices.
“I was asked to prove a myth, call it a suspicion, that the threat to IoT devices is not just to access them via a weak router or exposure to the internet, but that an IoT device itself is vulnerable and can be easily owned without owning the network or the router,” he wrote in a blog post detailing his methods.
His experiment was a success: After a week of tinkering, he effectively turned the coffee maker into a ransomware machine. When the user tries to connect it to their home network, it triggers the machine to turn on the burner, spew hot water, endlessly spin the bean grinder, and display a pre-programmed ransom message while beeping incessantly. The only way to get it to stop? Unplugging your now seemingly possessed coffee maker entirely.
“It was done to point out that this did happen and could happen to other IoT devices,” Hron said in an Ars Technica interview.
Hron discovered that the coffee maker acts as a wifi access point and uses an unencrypted connection to link to its corresponding smartphone app, which is how the user interacts with their machine and hooks it up to their home wifi network. The app also pushes out firmware updates, which the machine received with “no encryption, no authentication, and no code signing,” pers Ars Technica, providing an easy exploit.
Upon learning this, he uploaded the Android app’s latest firmware version to a computer and reverse engineered it using IDA, an interactive disassembler and staple in any reverse engineer’s toolkit. The process also required disassembling the coffee maker to learn what CPU it used. Armed with this information, he wrote a Python script that mimicked the coffee maker’s update process to implement the modified firmware and lines of script that actually trigger it to go haywire.
https://gizmodo.com/this-hacked-coffee-maker-demands-ransom-and-demonstrate-1845191662
maximus otter
This week, Martin Hron, a researcher with the security firm Avast, reverse engineered a $250 Smarter coffee maker as part of a thought experiment to potentially uncover an important flaw in the infrastructure of smart devices.
“I was asked to prove a myth, call it a suspicion, that the threat to IoT devices is not just to access them via a weak router or exposure to the internet, but that an IoT device itself is vulnerable and can be easily owned without owning the network or the router,” he wrote in a blog post detailing his methods.
His experiment was a success: After a week of tinkering, he effectively turned the coffee maker into a ransomware machine. When the user tries to connect it to their home network, it triggers the machine to turn on the burner, spew hot water, endlessly spin the bean grinder, and display a pre-programmed ransom message while beeping incessantly. The only way to get it to stop? Unplugging your now seemingly possessed coffee maker entirely.
“It was done to point out that this did happen and could happen to other IoT devices,” Hron said in an Ars Technica interview.
Hron discovered that the coffee maker acts as a wifi access point and uses an unencrypted connection to link to its corresponding smartphone app, which is how the user interacts with their machine and hooks it up to their home wifi network. The app also pushes out firmware updates, which the machine received with “no encryption, no authentication, and no code signing,” pers Ars Technica, providing an easy exploit.
Upon learning this, he uploaded the Android app’s latest firmware version to a computer and reverse engineered it using IDA, an interactive disassembler and staple in any reverse engineer’s toolkit. The process also required disassembling the coffee maker to learn what CPU it used. Armed with this information, he wrote a Python script that mimicked the coffee maker’s update process to implement the modified firmware and lines of script that actually trigger it to go haywire.
https://gizmodo.com/this-hacked-coffee-maker-demands-ransom-and-demonstrate-1845191662
maximus otter