Last Updated on October 16, 2020 by monica chan
Why would a hacker want to break into your coffee machine? As odd as that sounds, there might be a reason for your beloved kitchen companion to be at risk.
Recently, Ars Technica reported on some security researchers who had managed to remotely hack a coffee machine and make it do unwanted things.
This is not a new endeavour. My friend Ken Munro has been hacking coffee machines for years – I sat next to him at a business lunch last December before COVID took over our lives. Ken is a fanatic of hacking coffee machines, and has been writing about it for many years. See this article in 2018.
The original purpose of this hack however, was to mine bitcoin.
A Brief Explanation of Bitcoin Mining
Bitcoin is a cryptocurrency you’ve probably heard of. There is no physical currency, it’s based on digital files. Being digital, the currency needs a way to ensure it can’t be copied or faked.
So, fundamental to the way the ecosystem works is that a large distributed (and thus not controlled by any one party) network of ‘checkers’ would verify that a bitcoin is genuine.
To achieve this genuine guarantee, every bitcoin comes with a history of every transaction it’s done from creation through to the last payment, and that history is stored inside something called a blockchain.
The blockchain is like an onion, which contains many layers of transactions, each of which can be verified — but that verification takes computer power. Imagine if someone gave you a pile of tens of thousands of crossword puzzles to solve!
Enter — Bitcoin Mining. By distributing the problem of checking all those blockchains for every transaction – the system rewards those that do the verification (mining) by generating a new bitcoin and giving it to the miner. This is bitcoin mining.
There are a finite amount of bitcoin that can be created, and as more bitcoin are produced, the system makes it harder to mine the next one. The idea is that a finite resource becomes more valuable.
So the activity which used to be profitable to perform on your own computers at home, now costs more in electricity than the bitcoin created, is worth.
Hackers Steal Computer Power
So hackers for some time have been breaking into computers of all kinds, including Internet of Things (IoT) devices and installing software on them which mines the bitcoin.
Each system they hack into doesn’t need to be powerful as long as they can hack enough of them and pool the resources. The victim gets a slightly larger electricity bill and the hacker makes bitcoin for free.
Back to the Coffee Machine
The researchers found they could easily break into the machine and compromise it so that it could be modified to run a bitcoin mining program. However, the CPU was so slow, the came to the conclusion that it wasn’t worth the effort.
Instead of giving up, however, they turned their thoughts to other possible malicious uses and speculated that if they infected your machine and made it misbehave they may be able to extract ransomware from you.
What is Ransomware?
Typically, the way ransomware works today is to encrypt data on your computer so that it becomes unusable to you. The only way to get your data back is to use (hopefully) a backup before the encryption took place, or to pay a ransom set by the hacker.
But there’s no data on the coffee machine, so instead the researchers speculated that by making your coffee machine act in unexpected ways, that some people might pay to get it working again.
This is where the idea was formed of ransoming coffee lovers by holding their espresso machines hostage.
The latest incarnation of the La Marzocco Linea Mini’s for example, are controlled by software on an app and I’m willing to bet a hacker could take control of that.
Would You Pay a Ransom?
Probably, most of us would contact the manufacturer. Hopefully, that manufacturer would have a way to reset the machine back to a normal state. This depends on how the sofware on the machine has been installed, however, and there’s not much to prevent it happening again.
What if You Didn’t Know it was Hacked?
If I was the evil hacker – I would not go about this in the way the researchers did. Instead, a more plausible use case would be for the hacked software to immitate the manufacturer, suggesting there is an out of maintenance fault with the machine and require a payment for the ‘update’ to be applied.
I think this would fool a lot of people. For this to be a cost-effective use of time for the hacker, it would need to be scaled, meaning the targets will likely be the mass market, medium priced machines – are you listening Breville?
Breaking into thousands of IOT devices doesn’t require a hacker to be sitting at their desk. They create code which scans the internet for signals from the device. When it finds a signal, it ‘fingerprints’ the device to identify what kind of IOT machine it is.
Once it has an idea what kind of device it is, it looks up whether that device is vulnerable to any attacks, picks the correct attack and runs the exploit against it.
All this is done automatically. When successfully compromised, the machine gets added to a list for the hacker to target with the next stage of the attack.
Coffee machine companies should be thinking about this, because if their customers start getting messages on their machine to say that they have to go to a web address to pay money for their ‘maintenance’ to be extended, then it will have a terrible PR effect for that company.
It is further unlikely that these coffee machine manufacturers will have a way to update the machine remotely, so they will not be able to offer any fix for their customers.
Worse still, when a customer goes to the web page to pay, they will almost certainly be targetted with further malware which will try to infect that device as well, leading to even more problems and loss of personal data.
The manufacturers have time to fix this before it happens. They need systems they can remotely update, so they can ‘patch’ any vulnerabilities that come to light, and they should implement some basic authentication security to make it harder for bots crawling the internet to automate attacks against them.
What do you think? Am I paranoid, or is there another attack vector that I haven’t mentiond. Comment below and tell me your thoughts.