When coffee makers are demanding a ransom, you know IoT is screwed:
With the name Smarter, you might expect a network-connected kitchen appliance maker to be, well, smarter than companies selling conventional appliances. But in the case of Smarter's Internet-of-things coffee maker, you'd be wrong.
As a thought experiment, Martin Hron, a researcher at security company Avast, reverse engineered one of the $250 devices to see what kinds of hacks he could do. After just a week of effort, the unqualified answer was: quite a lot. Specifically, he could trigger the coffee maker to turn on the burner, dispense water, spin the bean grinder, and display a ransom message, all while beeping repeatedly. Oh, and by the way, the only way to stop the chaos was to unplug the power cord.
"It's possible," Hron said in an interview. "It was done to point out that this did happen and could happen to other IoT devices. This is a good example of an out-of-the-box problem. You don't have to configure anything. Usually, the vendors don't think about this."
(Score: 3, Informative) by Dr Spin on Sunday September 27 2020, @06:28AM (19 children)
This. A thousand times this.
Warning: Opening your mouth may invalidate your brain!
(Score: 4, Insightful) by Zinnia Zirconium on Sunday September 27 2020, @06:45AM (2 children)
I think the vendors think the customers are expected to install the things on a home or office network, which is behind NAT that usually functions as enough of a firewall to keep outsiders out, and family members or coworkers are not reasonably expected to attack the kitchen appliances over the local network.
(Score: 5, Funny) by EETech1 on Sunday September 27 2020, @07:52AM
I used to change the plotter messages all the time!
https://community.spiceworks.com/scripts/show/1184-change-a-networked-hp-laserjet-ready-message [spiceworks.com]
INSERT COIN!
(Score: 5, Insightful) by legont on Sunday September 27 2020, @12:53PM
They also expect customers to open firewalls so the appliances can communicate with the vendors and keep them up to date when they change their networks at unpredictable times without notice.
"Wealth is the relentless enemy of understanding" - John Kenneth Galbraith.
(Score: 4, Interesting) by fakefuck39 on Sunday September 27 2020, @06:47AM (15 children)
Except in this case they do, and the article author is a 16yo girl being loud and making shit up to get attention.
The coffee maker on first power-on makes an unsecured wifi AP, to which you connect your phone app, to put it on your secure wifi. So yes, it can get attacked in those 30 seconds. Like any chromecast or anything else. After that, the author states the updates are sent from your phone to it, unauthenticated, when both devices are on your home wifi. So yes, a hacker can attack your coffeemaker. If the hacker is on your home wifi already.
There is no security issue here.
(Score: 5, Insightful) by helel on Sunday September 27 2020, @10:36AM (5 children)
It's true that this isn't exactly compromising the coffee maker over the internet but it's a threat as long as it's in your house. Once the device has been compromised it can get back on your wifi and act as a beachhead for the attacker. If your plan to secure your other devices is "they're on my secure network" then that network just became non-secure.
In short, the limitation on this threat is not timing, it's only whether or not somebody feels it's worth their effort to get within wifi range of your residence.
Republican Patriotism [youtube.com]
(Score: 4, Interesting) by legont on Sunday September 27 2020, @01:01PM
Yep, exactly the reason why all the printers at the office and at home have wifi removed. Yes, not turned off, but removed, tin-foil style.
Each device that connects to a protected network needs care, and it's unrealistic to do that for all of them, with current designs anyway.
"Wealth is the relentless enemy of understanding" - John Kenneth Galbraith.
(Score: 2) by fakefuck39 on Sunday September 27 2020, @08:10PM (3 children)
It is absolutely not a "threat" as long as it's at my house. You cannot get to the device from the internet. You can only get to it from your phone app, when both your phone and device are on your firewalled encrypted network. What you're saying is "if the device is already somehow magically compromised then it can attack your other devices on your network." The problem is, it's not already compromised, and it can't be.
(Score: 0) by Anonymous Coward on Sunday September 27 2020, @11:42PM (2 children)
That's incredibly arrogant. Unless the home network is completely isolated from the internet and nobody is close enough to interact with the wireless, that's just not true. The thing that's protecting you is that nobody wants in badly enough to do it. One thing that we should know by this point is that any internet connected network can be broken into and many that aren't internet connected as well.
Personally, I don't get why one would need their coffee maker to be connected to any sort of network. I can set my non-wifi enabled coffee maker to start at whatever time I like. Most of the time, I don't, I use the espresso machine that's also not wifi enabled. Even under the best case scenario that wifi connection is using electricity that I'd have to be paying for.
(Score: 2) by hendrikboom on Monday September 28 2020, @02:28AM
If there is any reason to connect the coffee maker to the internet, it should obviously be done by wire, not wifi.
(Score: 2) by fakefuck39 on Monday September 28 2020, @08:29PM
What you state has zero to do with what is being discussed. Which is the ability to compromise the coffeemaker from an app on your phone. Yes, your coffee maker is completely isolated from the internet. By the firewall that is built into your router. Like literally every company's LAN. How are you going to get to my coffee maker if you don't know it's local network IP, and if all your incoming packets are blocked by the firewall? Someone able to hack your router does not mean your coffee maker is not secure lol.
Personally, I would love stats on how much coffee I drink over time, have a fresh cup auto-brewed 5 minutes before the meetings on my calendar, and have it auto-order coffee when I'm about to run out.
You have a mental problem, with your brain. Your arguments are "all networks are insecure, so nothing can be on the internet," and "my electric bill for a wifi connection is too high." You are a joke. Your logic is a joke. You are a loser who forgot to take his medication for the autism.
(Score: 4, Insightful) by sjames on Sunday September 27 2020, @07:35PM
So if you live in an apartment or condo, the kid next door will probably strike sooner or later.
Keep in mind, most people setting up a home WiFi have no idea what they're doing.
(Score: 2) by toddestan on Monday September 28 2020, @06:57PM (7 children)
Are you even talking about the same article? From the article, yes the coffeemaker does create a wireless AP upon first power-up so that you can connect to it using a smartphone app. You can then use that to configure the coffeemaker to connect to a secured access point. But you can also choose to not do that, and just continue to control the coffeemaker using the smartphone app directly over an unsecured wireless connection. That's how it was hacked. The practice of allowing an unsecured connection for initial setup by itself really isn't an issue. But it should only allow for setting up a secured connection for subsequent access, and certainly shouldn't allow full control of the device through the initial unsecured connection. That's the security issue right there.
Also, where do you see that the author is a 16 year old girl? The author is Dan Goodin, a security editor at Ars Technica for over 15 years. The person who did the actual hack is Martin Hron, a researcher at Avast. Neither is a 16 year old girl. Seems like you're the one making shit up to get attention.
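The design change toddestan describes (the open setup AP accepts only the Wi-Fi setup step, and full control is possible only afterwards over an authenticated channel), shown as an added illustration in Python. This is not code from the original post, the Ars article or the vendor; the command names, the device model and the HMAC-over-counter pairing scheme are assumptions made for the example.

```python
"""Provisioning-state gating for a Wi-Fi appliance (illustrative, not vendor code).

Two behaviours from the thread, side by side:
  * InsecureDevice: any command from any client on the open setup AP is executed.
  * HardenedDevice: on the open AP only the setup command is accepted; every
    later control command must carry an HMAC made with the pairing secret and a
    monotonic counter, and the open AP stops accepting anything once paired.
Command names and the pairing scheme are assumptions for this example.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional

SETUP_COMMANDS = {"set_wifi"}
CONTROL_COMMANDS = {"brew", "grind", "heat", "firmware_update"}


@dataclass
class Command:
    name: str
    args: dict = field(default_factory=dict)
    counter: int = 0          # monotonic per pairing; blocks replays
    tag: bytes = b""          # HMAC over (counter, name, sorted args)


def _mac(secret: bytes, counter: int, name: str, args: dict) -> bytes:
    msg = f"{counter}|{name}|{sorted(args.items())}".encode()
    return hmac.new(secret, msg, hashlib.sha256).digest()


def sign(secret: bytes, counter: int, name: str, args: Optional[dict] = None) -> Command:
    """Client-side helper: build an authenticated control command."""
    args = args or {}
    return Command(name, args, counter, _mac(secret, counter, name, args))


class InsecureDevice:
    """The behaviour the thread complains about: no state, no authentication."""

    def __init__(self) -> None:
        self.log = []

    def handle(self, cmd: Command, via_open_ap: bool) -> str:
        self.log.append(cmd.name)      # burner, grinder, firmware: all accepted
        return "ok"


class HardenedDevice:
    """Setup-only on the open AP; HMAC-authenticated control afterwards."""

    def __init__(self) -> None:
        self.provisioned = False
        self.secret: Optional[bytes] = None
        self.last_counter = -1
        self.log = []

    def handle(self, cmd: Command, via_open_ap: bool) -> str:
        if not self.provisioned:
            if via_open_ap and cmd.name in SETUP_COMMANDS:
                # Pairing secret is created once during setup. The setup window
                # itself is still exposed (as the thread concedes); the point is
                # that nothing but setup is reachable through it.
                self.secret = secrets.token_bytes(32)
                self.provisioned = True
                return "paired"
            return "rejected: device not provisioned"
        if via_open_ap:
            return "rejected: open AP is disabled after provisioning"
        if cmd.name not in CONTROL_COMMANDS:
            return "rejected: unknown command"
        expected = _mac(self.secret, cmd.counter, cmd.name, cmd.args)
        if not hmac.compare_digest(expected, cmd.tag):
            return "rejected: bad auth tag"
        if cmd.counter <= self.last_counter:
            return "rejected: replayed command"
        self.last_counter = cmd.counter
        self.log.append(cmd.name)
        return "ok"
```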
(Score: 2) by fakefuck39 on Thursday October 01 2020, @05:21AM (6 children)
So you're saying that you not using the security feature (connect to home wifi) is a bug in the software? Tell me, if you don't lock your house and you get robbed, is it because the lock is bad?
(Score: 2) by toddestan on Friday October 02 2020, @02:31AM (5 children)
Since when has connecting to home wifi been a security feature? Most people would consider that a security risk if anything. That the coffee maker can be controlled directly from the phone without an internet connection going through some server somewhere which will go offline in less than 2 years is actually a pretty big plus compared to most IoT trash. Except, oops! Everything is completely open and unencrypted with no authentication! If they had set up some security after the initial setup connection then they'd be fine. Having a connection to the home wifi has nothing to do with it.
(Score: 2) by fakefuck39 on Friday October 02 2020, @03:07AM (4 children)
Since when has WPA2 and being behind a firewall been a security feature? I don't know what to tell you.
I don't need or want everything encrypted on my firewalled home LAN. Heck, I even use ftp and telnet and passwordless remsh. That is not a security risk. I secure the network at its entrypoint. I do not protect trusted devices inside my network from each other. No, that is not a security risk. You know what would be annoying? Typing in a username and password every time I want to see how many liters of coffee I've had today.
Tell me, do you have locks with different keys for every room inside your house? Must be a tough life to live with everyone out to get you.
(Score: 2) by toddestan on Friday October 02 2020, @12:47PM (3 children)
WPA2 and a firewall, versus not being connected to the internet at all? The easy way they could have secured the device would be to use Bluetooth. Pair and bond to a specific smartphone/tablet, use Bluetooth's built-in encryption and not allow other connections. Perfectly secure, and no need for a username or password. Most off-the-shelf Bluetooth stacks will do that for you. They probably had to work even harder to mess things up this bad. Yes, you won't be able to check your coffee level while on another continent with Bluetooth, but if that is important set up the wifi. Do you even know what you're talking about? Given the way you just make shit up (16 year old girl as the author???) I'm guessing no.
(Score: 2) by fakefuck39 on Friday October 02 2020, @02:29PM (2 children)
So, you're avoiding the topic at hand again? Again, the device is meant to be used on your home LAN, as everything in your house. You are claiming that because you purposely won't use it that way, and will purposely leave it broadcasting an open access point forever, the device is insecure. Well, again retard, why don't you sue your lock maker when your house gets robbed, because you left the door open.
Why would I bother with bluetooth when the device is on home wifi? Why would I want to have to turn bt on on my phone and connect when all I want to do is press the app button and show my coffee usage? And then when I connect to a speaker later, it'll auto-connect bt to the coffee maker instead? Literally every use case I have for this I presented also now doesn't work without it connecting to cloud, or including the software logic and some extra storage on the coffee maker. How will this thing track my monthly coffee usage or reorder when I'm out of beans?
Literally every device works like this. You plug in a new chromecast, it makes an unsecured AP.
You really are a retard or speak English as a second language, poorly, if you think I claimed a 16yo girl literally wrote this article. You seem to be one of a 16yo nerd-boy reject though, with light autism. You and the author should get together and fuck.
(Score: 2) by toddestan on Friday October 02 2020, @10:38PM (1 child)
Oh, so now it's down to name calling. I guess you really don't have anything else to say, so just hurl some insults. Why do you continue to argue when you are clearly wrong, and dispute easily verifiable facts? Like your comment here where you said "...and the article author is a 16yo girl being loud and making shit up to get attention." You deny now that you said that when anyone can easily click up the thread and see that you said exactly that? I mean, just how fucking stupid are you?
Anyway, I'm done. No point in arguing with a moron like yourself who just makes shit up on the spot and acts like an autistic 4 year old.
(Score: 2) by fakefuck39 on Friday October 02 2020, @10:55PM
No retard. I am not denying what I said. I am saying if you interpreted "author is a 16yo girl being loud and making shit up to get attention" as "the article author is 16 years of age and female" instead of "the article author is being loud like a 16yo girl at the mall," you are either a retard, or have poor mastery of the basics of the English language. Likely because you are autistic and weird, and do not have a lot of contact with people.
(Score: 2) by jasassin on Sunday September 27 2020, @06:47AM (11 children)
You kept the receipt.
It's still under warranty (and the company is still in business).
You can afford Starbucks.
It doesn't scald you, your kids, or pets.
Your house doesn't burn down.
You don't have hearing like Blaster from "Mad Max Beyond Thunderdome".
You can get the hacked firmware for use after your company lays you off.
You're not owner, or shareholder, of the company when lawsuits due to the above start arriving.
jasassin@gmail.com GPG Key ID: 0x663EB663D1E7F223
(Score: 2) by c0lo on Sunday September 27 2020, @06:58AM (10 children)
Have they started to pay for the participants in their phase III trials for their awful brew?
If they have, I'll need to consider if my health is worth jeopardizing for the money they pay.
https://www.youtube.com/watch?v=aoFiw2jMy-0
(Score: 2) by pvanhoof on Sunday September 27 2020, @07:37AM (2 children)
Is there such a big anatomical difference between hipsters and human beings that they need additional clinical trials?
Hmm, maybe facial hair, gels and cheap "bio" clothing affects how certain brews interact with particular cells..
(Score: 0) by Anonymous Coward on Sunday September 27 2020, @07:51AM
Toxicity isn't determined by anatomy.
(Score: 0) by Anonymous Coward on Sunday September 27 2020, @11:49PM
From personal experience, the main difference between the hipsters/snobs and everybody else is just exposure and ability to get better coffee. I personally was willing to accept Starbucks coffee as decent enough until I bought my own machine, ground the beans that I had shipped to me the same day they were roasted and learned to properly foam my milk. It is a huge difference and one that most people are likely to notice if they drink it. A large part of that is that since I'm doing it all myself, I can adjust everything to my specific preferences rather than hope that my preferences match what the coffee shop is going for.
The bigger question is whether they care enough about that difference to buy the gear and worry about doing it themselves. For most people, the cost savings of doing it themselves is a bigger motivator. A latte or cappuccino only really involves a dollar or two worth of actual ingredients. For what a coffee shop charges, it would only take probably a few hundred cups to break even with high quality beans and milk. If you're willing to accept cheaper beans, you can still get better quality than at most coffee shops and you'll pay for the gear more quickly.
Ultimately, unless you're drinking a cup or two every day from the local coffee shop or have demanding standards, it's usually better to just buy from the coffee shop.
(Score: 2) by MostCynical on Sunday September 27 2020, @10:21AM (4 children)
Somehow they have convinced people to pay them [fastfoodprice.com]
Up to $5.85 (USD) for an "Espresso Venti Frappuccino"
"I guess once you start doubting, there's no end to it." -Batou, Ghost in the Shell: Stand Alone Complex
(Score: 2) by c0lo on Sunday September 27 2020, @10:29AM (1 child)
They came with something that makes fools of people (and parts them from their money) and... the FDA says nothing.
https://www.youtube.com/watch?v=aoFiw2jMy-0
(Score: 2) by MostCynical on Sunday September 27 2020, @10:59AM
need to kill about 80 people directly [nbcnews.com] to get the FDA involved..
"I guess once you start doubting, there's no end to it." -Batou, Ghost in the Shell: Stand Alone Complex
(Score: 0) by Anonymous Coward on Sunday September 27 2020, @11:54PM (1 child)
I don't personally see anything wrong with that. Any time that you eat out you're paying for more than just the food you consume. You're paying for the staff, the rent, the utilities and the lot. Out of the nearly $6 you're paying for the cup, the coffee shop owner is probably only getting to keep somewhere in the neighborhood of $0.60, or $1 if they're extremely lucky.
If you want similar, or better, coffee, you're probably going to be spending several hundred dollars on gear. Then you're probably going to have to drink dozens of cups before you even break even. On top of which, people usually don't even go to coffee shops for the coffee, it's for the people they run into there, which you're not likely to get at home.
I'm personally cheap, but you're probably not going to save that much money by buying your own gear and doing it yourself. You're probably spending somewhere between $ and 3 on the actual ingredients, then you have to consider the cost of the gear and the gear's depreciation and ultimately you're likely to find that in addition to having to figure out how to best use the equipment and spend money on the supplies getting it dialed in, that you're looking at possibly hundreds of cups just to break even.
(Score: 2) by MostCynical on Monday September 28 2020, @12:57AM
This [ebay.com] or one of these [aeropress.com]
Plus something like this [amazon.com]
Add some milk, total cost somewhere under $0.30 per cup.
"I guess once you start doubting, there's no end to it." -Batou, Ghost in the Shell: Stand Alone Complex
(Score: 5, Interesting) by SDRefugee on Sunday September 27 2020, @04:50PM (1 child)
I *used* to go to Starbucks, back when it was a nice place for a cupajoe, a nice seat and a place to put my laptop for an hour or so of work. Now, it's *closed* (only drive-thru) and I'll be damned if I'm gonna pay for their -only-passable- coffee and drink it in my car... Now I make it at home and sit out on the patio at my house using my OWN wifi, where NO over-bearing barista is gonna tell me to buy more or get out...
America should be proud of Edward Snowden, the hero, whether they know it or not..
(Score: 0) by Anonymous Coward on Monday September 28 2020, @01:00AM
I gave up on my local Starbucks when they sold out to Google for internet.
At one time, I could go there and become anonymous, not signing into anything, and feel free to browse the net, knowing I was not getting into the sights of spearphishers, targeted ad campaigns, telemarketers, con artists, etc. I could conduct private research ( well, usually porn ) without leaving a pristine trail back to my home or employer. I felt pretty safe with a burner tablet. And No Google credentials to track me.
No more.
I now go to McDonald's. And get a burger thrown in for the same price.
If other people were visiting Starbucks for a relaxed place to anonymously look at the internet, and now no longer can, I wonder how that translates into expensive cups of coffee that never get served.
I think that handshake with Google was quite expensive for them.
(Score: 3, Funny) by The Mighty Buzzard on Sunday September 27 2020, @07:06AM (5 children)
Some things are just too important to stand on principle and refuse to pay the ransom.
This also emphasizes the importance of working backups. I, for instance, have two working drip coffee makers, one espresso/drip combo machine, two espresso pots, and three percolators. And if all that fails, I can make it in a damned cooking pot and make the grounds sink afterwards by adding a bit of cold water. Or cold brew it overnight in mason jars.
My rights don't end where your fear begins.
(Score: 2) by sgleysti on Sunday September 27 2020, @04:20PM (2 children)
I've got a ceramic coffee filter holder thing that sits on top of a mug. I bought this instead of a drip brewer since I already had an electric kettle for tea. Try hacking that! Like you said, if the electric kettle fails, I can boil water with a pot on the stove.
My coffee grinder is a hand-cranked conical burr grinder with a gearbox. Works great.
I worked in embedded software development for a while but more recently switched to just straight electronics hardware. I still don't know what the fuck the deal is with software and how everything seems to be broken. I would like to learn formal methods at some point in my life...
(Score: 2) by Mojibake Tengu on Sunday September 27 2020, @06:20PM (1 child)
One of my electric kettles, that one dedicated for quick coffee and as a big coffee maker backup, with adjustable temperature control system, evolved a software bug on its own and I am not joking.
Sencor SWK 2090BK. https://www.sencor.com/electric-glass-kettle/swk-2090bk [sencor.com]
Instead of maintain-temperature mode, it now panics in a blinkenlight beeping circus.
The edge of 太玄 cannot be defined, for it is beyond every aspect of design
(Score: 2, Insightful) by anubi on Monday September 28 2020, @01:13AM
Tell me about it.
I have had both expensive microprocessor controlled ovens and washing machines fail on me.
Despite all this high tech marketing, high definition programmable displays, and nearly unlimited memory, they don't tell me what the problem is.
Give me back my old bi-metallic controller. This high tech crap causes me more problems than it's worth.
"Prove all things; hold fast that which is good." [KJV: I Thessalonians 5:21]
(Score: 0) by Anonymous Coward on Sunday September 27 2020, @11:57PM (1 child)
I agree. But, owning your own gear isn't just about not being held hostage, it's also about being able to get the settings dialed in to what you in particular want. Personally, I've got a couple espresso machines, a regular coffee maker, a french press and a cold brew maker. None of these use the internet for anything and only the regular coffee maker has any smarts to it. The smarts are mostly limited to a clock and dispensing differing amounts of water for differing amounts of time based on presets.
It's kind of funny how the best coffee is usually from the cheapest gear. The more you pay, the worse the coffee gets.
(Score: 2) by The Mighty Buzzard on Monday September 28 2020, @05:17PM
The only bell or whistle I want is for a drip pot to make the coffee a few minutes before I wake up. Anything beyond that is of no use to me.
My rights don't end where your fear begins.
(Score: 5, Insightful) by Rosco P. Coltrane on Sunday September 27 2020, @07:29AM (2 children)
No: I expect smart appliance makers to make devices whose sole purpose is to spy on you, don't work when the internet goes down, have exceptionally bad security, and don't really provide any useful advantage compared to the equivalent dumb device.
"Smart"-anything written on the box is a big red flag that tells me to stay clear away from that product at the store.
(Score: 5, Insightful) by knarf on Sunday September 27 2020, @09:22AM (1 child)
Although I would not use as much hyperbole, there is a lot in what you say. I would:
- expect makers of 'smart' gadgets to focus mostly on superficial characteristics, mostly visual design
- expect the 'smart' functionality to be mostly useless fluff
- expect the device to be focused on customer lock-in by demanding the use of supplies from a single vendor
- expect the device to artificially limit the life span of supplies through mandatory expiry dates after which the device stops functioning until it has been fed a new filter/descaler/sensor/etc.
- expect the technical design of the 'smart' functionality to be abysmal
- expect the 'smart' parts to be wide open to attack due to the use of known vulnerable components and protocols
- expect this vulnerability never to be solved during the life span of the device
- expect that life span to be no more than 2-3 years after which the company either goes out of business or launches an 'improved' model
- expect support for the 'smart' functions to disappear after those 2-3 years, rendering the device useless or at best usable as a sub-standard quality basic device
- expect the vendor to try to 'monetise' user data by all means
In short, smart people avoid 'smart' devices.
(Score: 3, Interesting) by istartedi on Sunday September 27 2020, @08:40PM
"Smart" in this context appears to be a word that might possibly be in the early stage of a broader semantic change [wikipedia.org].
(Score: 0) by Anonymous Coward on Sunday September 27 2020, @08:03AM (2 children)
I had the same problem with my IoT enabled penis-inspector.
(Score: 2, Interesting) by Anonymous Coward on Sunday September 27 2020, @08:58AM (1 child)
No longer having the problem, then.
Lemme guess, you don't have a penis anymore, right? Right?
(Score: 2) by MostCynical on Sunday September 27 2020, @10:23AM
no, he disconnected his hand from the internet..
"I guess once you start doubting, there's no end to it." -Batou, Ghost in the Shell: Stand Alone Complex
(Score: 2, Interesting) by Anonymous Coward on Sunday September 27 2020, @12:59PM (1 child)
Last time I checked, the insurance companies got tired of random electrical appliances burning down your house so they require UL certification of these gadgets.
If the hacker can cause a fire, then perhaps UL certification should include some sort of security review for IoT?
(Score: 4, Informative) by sgleysti on Sunday September 27 2020, @04:28PM
I'm not an agency engineer, but my best guess is that there's a passive mechanical cutoff switch that kills power to the whole device if it starts to overheat.
At work we have to certify devices to UL, and if the firmware isn't class B certified, it can't be relied on as even a secondary protection in case a primary protective mechanism (fuse, etc.) fails in a fault condition. During UL testing, the MCU / firmware must be configured to do exactly the wrong thing and we still have to pass the test.
This applies even though the MCUs in many of this company's products don't connect to the outside world except through very simple interfaces to other devices the company sells.
(Score: 0) by Anonymous Coward on Sunday September 27 2020, @03:03PM (1 child)
If the consumer is dumb enough to buy it, why care?
I don't know if anybody else has considered that k-cups exist to make it easier to adulterate coffee. I started thinking about this after I noticed I would get drowsy after drinking k-cup regular test, and be just fine drinking from the regular pot. It is like packaged cigs, vs. roll your own. The change in packaging allows metering dosage. You can't have rat poison shaking to the bottom of the pouch and all getting smoked at once. But you can dose people to the gills if you can control the product on a unit by unit basis.
Really the FDA needs to look into this, because I know they are putting crap in the k-cups that shouldn't be there. Apparently there needs to be a beer purity law for the coffee industry.
(Score: 0) by Anonymous Coward on Sunday September 27 2020, @05:48PM
Maybe k-cups use fake coffee: https://atomocoffee.com/faq [atomocoffee.com]
(Score: 2) by Azuma Hazuki on Sunday September 27 2020, @03:45PM (1 child)
For the most part I drink tea anyway, but the thought occurs, *why* does anyone need a "smart" coffee pot? The whole idea just sounds like some harebrained money-making scheme. Coffee and tea are not complicated: get the grind/roast or leaf selection right, adjust water temperature if using green or white tea, and let the most analog processes possible--gravity, heat transfer, convection, and Brownian motion--do the rest.
I am "that girl" your mother warned you about...
(Score: 0) by Anonymous Coward on Monday September 28 2020, @12:04AM
I'm not familiar with this particular coffee maker, but adjustability is helpful. My drip coffee maker has different presets for different amounts of coffee, 8 oz., 16 oz., and then half and full carafes. It also has several different strength settings from regular, rich, over ice and specialty. Then there's a time delay setting with a clock. They manage it without any internet craziness, but it is a bit unwieldy in some respects to get it set up.
With an app interface, there's a bunch of variables that you could adjust like for different serving sizes, strengths and temperatures for different coffees. You can potentially have different presets depending upon the coffee or not have to remember what the setting was for the better cup of coffee you had last time.
Granted, I've become a bit of a snob, but you see the same thing with tea where different teas are infused at different temperatures for different lengths of time and you may throw out a differing number of infusions before getting to the one that you actually want to drink. It's the same basic idea, if you change the variables you can turn a good cup of coffee into crud, or an acceptable cup of coffee into something a bit better.
(Score: 2) by looorg on Sunday September 27 2020, @07:04PM
Here I was thinking the coffee machine AI had decided to poison everyone at the office and then demand bitcoins to dispense the antidote ...