Security researcher hacks coffee maker to show IoT devices’ vulnerabilities

Avast security researcher Martin Hron released a video of him brewing a new kind of trouble in a Smarter coffee maker: A ransom message.

“When turned on for the first time, the coffee maker works in a local mode and it creates its own Wi-Fi network that the hopeful coffee drinker first connects to in order to set up the device,” explains Hron in a blog post. The problem is, there’s hardly any encryption, authorization or authentication. Anyone who can access the network can control the coffee maker by simply changing the device’s IP address.

When Hron learned of this vulnerability, he decided to experiment. He hijacked the Smarter coffee maker via Wi-Fi, changed the machine’s firmware and turned it into a ransom machine. 

“We created ransomware that when triggered renders the coffee maker unusable and asks for ransom, while at the same time turning on the hotbed, water dispensing heating element, permanently and spinning up the grinder, forever, displaying the ransom message and beeping,” Hron wrote.

The experiment shines a new spotlight on public Wi-Fi networks, which may make some question the credibility of IoT devices. 

Keep in mind that Smarter no longer supports the coffee maker in the experiment. In a bid to move to a safer and more secure platform, the company upgraded its devices’ security in 2017. Newer versions of the Smarter iKettle don’t share this vulnerability.