What if the wonderful world of the Internet of Things (IoT) turns into a nightmare? This is what the researcher wanted to demonstrate Martin Hron of the Avast company by installing ransomware in a connected Smarter brand coffee machine. The video below indeed shows the machine which becomes totally uncontrollable and must be quickly disconnected.
The researcher used an older version of the machine, which was known to have numerous security holes. After a week of work in reverse engineering, Hron found that he could take control of many components of the device such as the display, grain crusher, burner, and water dispenser. The researcher specifies:
This was done to highlight that this has happened and could happen to other IoT devices. This is a good example of a plug-and-play problem. You don’t have to configure anything. Usually sellers don’t think about it.
In fact, the machine behaves when it is first used as a Wi-Fi access point to communicate with the configuration app installed on the smartphone. Except that the Wi-Fi connection is absolutely not secure and can be easily hacked. But the most serious is that this flaw also concerns the update of the firmware of the machine. It does not include authentication or code signing.
It was necessary to identify the microprocessor of the coffee machine
It is therefore sufficient to send the machine modified firmware that contains the ransomware. The whole problem is changing the firmware. For this, Hron had to disassemble the device to identify the microprocessor it contains.
Once the firmware has been changed, all you have to do is create a script in Python language that performs the update process from an Android smartphone. However, hacking can only be done if the coffee machine is not already connected to a home network, because in this case its configuration SSID is no longer accessible.
However, a hacker can work around the problem by sending a specific data packet to the Wi-Fi network, which will cause a disconnection and make the SSID accessible again. However, it must be placed in an area close to the Wi-Fi network.
Martin Hron’s experience is a demonstration of the potential danger of connected machines which are more and more present in our daily lives. This problem is, for example, recurrent in surveillance cameras, but could affect other types of devices. Hron insists that manufacturers need to be responsible and close the security holes in all problematic machines, including older models that are still in use.
Source : Avast