
CAN HACKERS CONTROL YOUR COFFEE MACHINE?

Why would a hacker want to break into your coffee machine? As odd as that sounds, there might be a reason for your beloved kitchen companion to be at risk.

Recently, Ars Technica reported on some security researchers who had managed to remotely hack a coffee machine and make it do unwanted things.

This is not a new endeavour. My friend Ken Munro has been hacking coffee machines for years – I sat next to him at a business lunch last December before COVID took over our lives. Ken is a fanatic of hacking coffee machines, and has been writing about it for many years. See this article in 2018.

The original purpose of this hack, however, was to mine bitcoin.

A Brief Explanation of Bitcoin Mining

Bitcoin is a cryptocurrency you’ve probably heard of. There is no physical currency; it’s based on digital files. Being digital, the currency needs a way to ensure it can’t be copied or faked.

So, fundamental to the way the ecosystem works is that a large distributed (and thus not controlled by any one party) network of ‘checkers’ would verify that a bitcoin is genuine.

To provide this guarantee of genuineness, every bitcoin comes with a history of every transaction it’s done from creation through to the last payment, and that history is stored inside something called a blockchain.

The blockchain is like an onion, which contains many layers of transactions, each of which can be verified — but that verification takes computer power. Imagine if someone gave you a pile of tens of thousands of crossword puzzles to solve!

Enter Bitcoin mining. The problem of checking all those blockchains for every transaction is distributed, and the system rewards those that do the verification (mining) by generating a new bitcoin and giving it to the miner. This is bitcoin mining.

There is a finite amount of bitcoin that can be created, and as more bitcoin are produced, the system makes it harder to mine the next one. The idea is that a finite resource becomes more valuable.

So the activity which used to be profitable to perform on your own computers at home now costs more in electricity than the bitcoin created is worth.

Hackers Steal Computer Power

So hackers have for some time been breaking into computers of all kinds, including Internet of Things (IoT) devices, and installing software on them which mines the bitcoin.

Each system they hack into doesn’t need to be powerful as long as they can hack enough of them and pool the resources. The victim gets a slightly larger electricity bill and the hacker makes bitcoin for free.

Back to the Coffee Machine

The researchers found they could easily break into the machine and compromise it so that it could be modified to run a bitcoin mining program. However, the CPU was so slow that they came to the conclusion that it wasn’t worth the effort.

Instead of giving up, however, they turned their thoughts to other possible malicious uses and speculated that if they infected your machine and made it misbehave, they might be able to extract a ransom from you.

What is Ransomware?

Typically, the way ransomware works today is to encrypt data on your computer so that it becomes unusable to you. The only way to get your data back is to use (hopefully) a backup before the encryption took place, or to pay a ransom set by the hacker.

But there’s no data on the coffee machine, so instead the researchers speculated that, if they made your coffee machine act in unexpected ways, some people might pay to get it working again.

This is where the idea was formed of ransoming coffee lovers by holding their espresso machines hostage.

The latest incarnation of the La Marzocco Linea Mini, for example, is controlled by software on an app, and I’m willing to bet a hacker could take control of that.

This is one version of a hacked coffee machine

Would You Pay a Ransom?

Probably, most of us would contact the manufacturer. Hopefully, that manufacturer would have a way to reset the machine back to a normal state. This depends on how the software on the machine has been installed, however, and there’s not much to prevent it happening again.

What if You Didn’t Know it was Hacked?

If I was the evil hacker – I would not go about this in the way the researchers did. Instead, a more plausible use case would be for the hacked software to imitate the manufacturer, suggesting there is an out-of-maintenance fault with the machine and requiring a payment for the ‘update’ to be applied.

I think this would fool a lot of people. For this to be a cost-effective use of time for the hacker, it would need to be scaled, meaning the targets will likely be the mass market, medium priced machines – are you listening Breville?

Breaking into thousands of IoT devices doesn’t require a hacker to be sitting at their desk. They create code which scans the internet for signals from the device. When it finds a signal, it ‘fingerprints’ the device to identify what kind of IoT machine it is.

Once it has an idea what kind of device it is, it looks up whether that device is vulnerable to any attacks, picks the correct attack and runs the exploit against it.

All this is done automatically. When successfully compromised, the machine gets added to a list for the hacker to target with the next stage of the attack.

Coffee machine companies should be thinking about this, because if their customers start getting messages on their machine to say that they have to go to a web address to pay money for their ‘maintenance’ to be extended, then it will have a terrible PR effect for that company.

It is further unlikely that these coffee machine manufacturers will have a way to update the machine remotely, so they will not be able to offer any fix for their customers.

Worse still, when a customer goes to the web page to pay, they will almost certainly be targeted with further malware which will try to infect that device as well, leading to even more problems and loss of personal data.

The manufacturers have time to fix this before it happens. They need systems they can remotely update, so they can ‘patch’ any vulnerabilities that come to light, and they should implement some basic authentication security to make it harder for bots crawling the internet to automate attacks against them.

What do you think? Am I paranoid, or is there another attack vector that I haven’t mentioned? Comment below and tell me your thoughts.

2 thoughts on “CAN HACKERS CONTROL YOUR COFFEE MACHINE?”

  1. I think you raise a very valid and concerning point regarding the possible hacking of online coffee machines as a result of the manufacturers failing to appreciate that their potentially weak security policies and procedures for their products could result in them being used for nefarious purposes, with the impact of brand damage that this would cause.
    Do you feel that it will likely need a major ‘coffee machine manufacturer’ to suffer a data breach before this gets taken seriously?
    What would you suggest can be done to address this?

    1. Thanks for the feedback. We’ve seen this all before in the manufacturing sector with more serious use cases, such as pacemaker manufacturers allowing unauthenticated access to their implants to conduct easy updates, without considering the potential for misuse.

      To be clear, the issues are currently with WiFi connected devices, not Bluetooth. If there’s only a Bluetooth connection to a mobile app, then the attack vector is much harder and not scalable. But some manufacturers want to use WiFi for a number of reasons.

      1. It negates the need for an app, which is appealing to some smaller manufacturers
      2. It allows the machine to send back information about how it’s being used, which is valuable information for the manufacturer
      3. It allows recipes to be shared among groups of machines
      4. Bluetooth speeds are very low compared to WiFi, so downloading updates is much faster if the machine is directly connected to the Internet

      So the temptation is to sometimes connect the machine directly to the location’s WiFi, but in this case, the system must have robust authentication and basic firewalling so that, for example, anyone trying to ‘fingerprint’ the machine to determine its model and software version would get no results back. This obfuscation makes choosing an automated attack much harder.

      Coffee equipment manufacturers are not geared up to doing technical support, so the attraction is to have a device that has no barrier to getting it up and running. Unfortunately, introducing an authentication process will require one extra step for the consumer to go through, and they don’t want to have to support customers who run into problems doing the setup.

      However, not having a way to conduct remote updates securely, including resetting the firmware, will mean that if/when there is an attack at scale against a smart coffee machine, the manufacturer will be faced with expensive options, such as asking the customer to take the machine to a service centre.
