The IoT or Internet of Things explosion brought about a new generation of devices and appliances that could do what we previously only saw in science fiction. Almost all of their abilities, however, relied on connecting to the Internet or at least to your home network. Security experts have warned about the risks of such connected devices, but while owners themselves may take some precautions, all of that gets thrown out the window if the manufacturer itself doesn’t even meet the basic security requirements.
To be clear, Smarter’s latest model of its iKettle (version 3) may have already addressed some, but not all, of the security vulnerabilities of its predecessors, but both versions 1 and 2 are, unfortunately, still widely used. That’s not exactly surprising considering how people rarely change appliances until they’re broken, which means they could be using a ticking security time bomb for years.
The core problem with Smarter’s connected coffee maker is that it doesn’t employ even the most basic security practices for software, especially software that communicates over a network. Communication with the smartphone app isn’t encrypted, and firmware updates coming through that same app are neither encrypted nor checked for integrity. It’s no surprise, then, that Avast security researcher Martin Hron was able to easily “update” Smarter’s iKettle with ransomware disguised as firmware and make all hell break loose.
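The missing integrity check described above, shown as an added example that is not Smarter’s or Avast’s code: a device-side update routine that flashes whatever it receives, next to one that authenticates the package and refuses rollbacks. The package layout, function names and key are assumptions made for this sketch, and HMAC with a shared key stands in for the public-key signature a production device would use.

```python
import hashlib
import hmac
import struct

# Hypothetical package layout (an assumption, not Smarter's real format):
# 4-byte magic | uint32 version | uint32 payload length | payload | 32-byte tag
MAGIC = b"FWUP"
HEADER = struct.Struct(">4sII")
TAG_LEN = 32

class UpdateRejected(Exception):
    """Raised when a package must not be flashed."""

def build_package(key: bytes, version: int, payload: bytes) -> bytes:
    """Vendor side: authenticate header and payload together."""
    body = HEADER.pack(MAGIC, version, len(payload)) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()

def accept_unchecked(package: bytes) -> bytes:
    """The weak pattern the article describes: flash whatever arrives."""
    return package[HEADER.size:-TAG_LEN]

def accept_verified(key: bytes, installed_version: int, package: bytes) -> bytes:
    """Device side: return the payload only if it is authentic and newer."""
    if len(package) < HEADER.size + TAG_LEN:
        raise UpdateRejected("package too short")
    body, tag = package[:-TAG_LEN], package[-TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        raise UpdateRejected("authentication tag mismatch")
    magic, version, length = HEADER.unpack_from(body)
    if magic != MAGIC or length != len(body) - HEADER.size:
        raise UpdateRejected("malformed header")
    if version <= installed_version:
        raise UpdateRejected("rollback or replay of an old image")
    return body[HEADER.size:]

def demo() -> dict:
    key = b"constructed-demo-key-not-a-real-secret"
    good = build_package(key, 3, b"constructed firmware image v3")
    tampered = bytearray(good)
    tampered[HEADER.size] ^= 0xFF  # one modified payload byte
    results = {"unchecked_accepts_tampered": accept_unchecked(bytes(tampered)) != b""}
    cases = (("good", good, 2), ("tampered", bytes(tampered), 2), ("rollback", good, 3))
    for name, package, installed in cases:
        try:
            accept_verified(key, installed, package)
            results[name] = "accepted"
        except UpdateRejected as exc:
            results[name] = str(exc)
    return results
```

Calling `demo()` returns the outcome for each constructed package; the tag covers the version field as well as the payload, so an old but genuine image cannot be relabelled to pass the rollback check.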
The ransomware pretty much made the machine go haywire and perform functions without any way of stopping it except to unplug the machine. Of course, it was simply a proof-of-concept so no ransom could be paid to fix the issue. You are, therefore, stuck with a malfunctioning coffee maker.
This report should not be used as an anecdote to shun the progress that IoT has made. It should, however, serve as a cautionary tale for manufacturers to step up their security game now that the Internet is part of the product’s equation and for consumers to be more conscious of the smart products that they buy and bring into their homes.