Employees expect a few basic things at their workplace: a cubicle, a pleasing environment and, of course, a refreshment area. When it comes to breaks, coffee is a prerequisite for many employees, as it boosts their energy and helps them maintain their productivity.

Organizations use different types of devices to brew their coffee, whether an old, traditional machine or a new, smart one. But have you ever wondered how these smart coffee machines can fall victim to cyberattacks?

Your ransomed coffee and its modus operandi

Researcher Martin Hron from security vendor Avast discovered he was able to hack a smart coffee machine without breaching the network or the Wi-Fi router the coffee machine was connected to. Hron found that these coffee machines act as Wi-Fi access points and establish an unencrypted connection to the app used to operate them.

He also found that the machine's firmware update procedure was unencrypted and did not include proper authentication. Hron was able to reverse engineer the machine's firmware from within the app and hack the device. Even more shocking, Hron was also able to turn the machine into a cryptocurrency mining device instead of a coffee machine.
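As an added illustration (not Avast's code or the vendor's), here is the kind of device-side check Hron found missing: an update is accepted only if it carries the vendor's Ed25519 signature over the image and its version number, and only if it is newer than the installed firmware. The key, version numbers and image bytes are constructed for the demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Update is what the device receives: image, monotonically increasing
// version, and a vendor signature over (version || SHA-256(image)).
type Update struct {
	Version   uint32
	Image     []byte
	Signature []byte
}
// signedDigest binds version and image so neither can be swapped alone.
func signedDigest(version uint32, image []byte) []byte {
	var v [4]byte
	binary.BigEndian.PutUint32(v[:], version)
	h := sha256.New()
	h.Write(v[:])
	h.Write(image)
	return h.Sum(nil)
}
// SignUpdate runs on the vendor's build system, sole holder of the private key.
func SignUpdate(priv ed25519.PrivateKey, version uint32, image []byte) Update {
	sig := ed25519.Sign(priv, signedDigest(version, image))
	return Update{Version: version, Image: image, Signature: sig}
}
// VerifyUpdate is the device-side check: only vendor-signed images that are
// newer than the installed one are accepted (no tampering, no rollback).
func VerifyUpdate(pub ed25519.PublicKey, installed uint32, u Update) error {
	if !ed25519.Verify(pub, signedDigest(u.Version, u.Image), u.Signature) {
		return errors.New("rejected: signature does not verify")
	}
	if u.Version <= installed {
		return errors.New("rejected: not newer than installed firmware")
	}
	return nil
}
func main() {
	priv := ed25519.NewKeyFromSeed(make([]byte, ed25519.SeedSize)) // constructed demo key
	pub := priv.Public().(ed25519.PublicKey)
	good := SignUpdate(priv, 2, []byte("constructed firmware image v2"))
	fmt.Println("genuine:", VerifyUpdate(pub, 1, good))
	fmt.Println("rollback:", VerifyUpdate(pub, 2, good))
}
```

A real device would ship with only the vendor's public key baked into it; the private key never leaves the vendor's signing system.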

After some masterful coding, Hron was even able to launch a ransomware attack on the machine, making it malfunction, generate constant noise and perform unsafe routines, such as spilling brewed coffee onto the heated plate, all of which would stop only after the ransom was paid. Hron demonstrated the hack in a one-minute video.

What is more concerning is that attackers might not stop at a ransomware attack, since simply unplugging the machine would end it. If properly orchestrated, a compromised machine could be used as a foothold to breach the router or the network.

How do you keep your coffee ransom free?

The best way to secure these coffee machines is to ensure they comply with the appropriate cybersecurity and data security standards, such as UL 2900-2-2, a certification under the Standard for Software Cybersecurity for Network-Connectable Devices. Updating the firmware periodically helps keep network-connectable devices patched against known vulnerabilities.

Hron determined that 570 smart coffee machines from this vendor were not securely configured: the machines exposed a Wi-Fi access point that allowed attackers to exploit them. Equally distressing is that internet-connected equipment typically has a lifespan of 10 or 15 years, while the vendor's obligation to support these devices lasts only a few years. Even though the devices can still be used after that support period ends, continued firmware updates from the vendor are not guaranteed, since most manufacturers launch new devices every few years.

Consumers, for both professional and personal purposes, need to understand the implications of using network-connected devices, and should ensure they purchase those that are safeguarded with compliance certifications and kept up to date with appropriate patches. When devices are no longer supported with updates or patches, it is best to replace them. Internet of Things (IoT) devices and those that use the 5G spectrum are expected to expand individuals' digital reach. Consumers bear some responsibility for knowing what they are purchasing and how to secure it from malicious actors.