I remember a number of cartoons from my childhood that had nightmarish scenarios where appliances and machinery would come alive and torment the poor character who was stuck in the dream.
Smart appliances have been sought after (and feared) since long before the Jetson’s and Disney’s Tomorrowland. With the Internet of Things and cloud connected devices, there is even more of a concern as so many dreams of the past come to reality.
Here are some recent developments that may cause you to double check your firewall.
Coffee maker ransomware
$4.85 for a latte may seem like highway robbery, but what if your home coffee maker actually started asking for ransom payments?
Martin Hron, a senior researcher with the anti-virus company Avast, hacked his coffee maker to demonstrate the vulnerabilities of many internet connected devices. If the ransom was not paid, his machine would begin brewing and pouring hot water (without a cup in place) all over the kitchen table.
That could cause a mess, perhaps not the worst nightmare, but what about your plumbing, your oven, or one of the more serious facility systems? His research demonstrated the risks that can occur.
Hron used an older model coffee maker from a company called Smarter that allows someone to make coffee using their smartphone or tablet. However, the coffee maker he used for his research was made before 2017, when the company switched to a new, more secure platform. The poor security on the older model allowed him to alter the machine’s firmware.
For those interested in diving deeper into the coffee code, Avast has a blog with notes available here:
https://decoded.avast.io/martinhron/the-fresh-smell-of-ransomed-coffee/
Robot vacuum as a listening device
Have you added a Roomba or Robot Vacuum to your home? Many people love them, especially that it cleans in hard to reach places such as under the sofa and coffee table with ease. If so, you may have gotten more than what was offered on the package.
Researchers found that the LiDAR sensors used by some robot vacuums have a vulnerability that could allow an attacker to listen to room conversations. [LiDAR stands for Light Detection And Ranging and is used in this case to help the vacuums navigate around objects on the floor.]
The attack was able to use the LiDAR to detect audio vibrations from the laser sensors reflecting on objects in the room. See this previous article regarding extracting audio from vibrations https://execsecurity.com/news/extracting-audio-from-video/.
The LiDAR hack is a highly complex attack, so it should not be considered a major concern at this stage.
The researchers were able to compromise the Xiaomi Roborock vacuum cleaning robot, making use of previously known vulnerabilities. You can read more about past hacking of the Xiaomi device here: https://dontvacuum.me/talks/DEFCON26/DEFCON26-Having_fun_with_IoT-Xiaomi.pdf .
Read more on the coffee maker hack here:
https://www.foxnews.com/food-drink/smart-coffee-maker-hacked-ransomware
https://decoded.avast.io/martinhron/the-fresh-smell-of-ransomed-coffee/
Read more on the robot vacuum cleaner hacks here:
https://threatpost.com/robot-vacuums-audio-lidarphone-hack/161421/
https://www.sciencedaily.com/releases/2020/11/201117210102.htm
https://techxplore.com/news/2020-11-hacked-robotic-vacuum-cleaner-speech.html