Two years ago, Smarter released the iKettle version 3 and the Coffee Maker version 2, said Ken Munro, a researcher who worked for Pen Test Partners at the time. The updated products used a new chipset that fixed the problems. He said that Smarter never issued a CVE vulnerability designation, and it didn't publicly warn customers not to use the old one. Data from the Wigle network search engine shows the older coffee makers are still in use.As a thought experiment, Martin Hron, a researcher at security company Avast, reverse engineered one of the older coffee makers to see what kinds of hacks he could do with it. After just a week of effort, the unqualified answer was: quite a lot. Specifically, he could trigger the coffee maker to turn on the burner, dispense water, spin the bean grinder, and display a ransom message, all while beeping repeatedly. Oh, and by the way, the only way to stop the chaos was to unplug the power cord. You can see it for yourself here.“It’s possible,” Hron said in an interview. “It was done to point out that this did happen and could happen to other IoT devices. This is a good example of an out-of-the-box problem. You don't have to configure anything. Usually, the vendors don’t think about this.”
When Hron first plugged in his Smarter coffee maker, he discovered that it immediately acted as a Wi-Fi access point that used an unsecured connection to communicate with a smartphone app. The app, in turn, is used to configure the device and, should the user choose, connect it to a home Wi-Fi network. With no encryption, the researcher had no problem learning how the phone controlled the coffee maker and, since there was no authentication either, how a rogue phone app might do the same thing. That capability still left Hron with only a small menu of commands, none of them especially harmful. So he then examined the mechanism the coffee maker used to receive firmware updates. It turned out they were received from the phone with—you guessed it—no encryption, no authentication, and no code signing.
These glaring omissions created just the opportunity Hron needed. Since the latest firmware version was stored inside the Android app, he could pull it onto a computer and reverse engineer it using IDA, a software analyzer, debugger, and disassembler that’s one of a reverse engineer’s best friends. Almost immediately, he found human-readable strings.
DeLonghi and Saeco (owned by Philips) are two of the top brands in the super automatic world, so I tested out one of each brand’s midrange machines: DeLonghi’s Magnifica S ($800 - $1,100 on Amazon) and Saeco’s Incanto Carafe ($900 - $1,100 on Amazon) .Both the Magnfica S and Incanto grind, compress, brew, and dispense espresso with the tap of a button.
“From this, we could deduce there is no encryption, and the firmware is probably a ‘plaintext’ image that is uploaded directly into the FLASH memory of the coffee maker,” he wrote in this detailed blog outlining the hack.
To actually disassemble the firmware—that is, to transform the binary code into the underlying assembly language that communicates with the hardware, Hron had to know what CPU the coffee maker used. That required him to take apart the device internals, find the circuit board, and identify the chips.
With the ability to disassemble the firmware, the pieces started to come together. Hron was able to reverse the most important functions, including the ones that check if a carafe is on the burner, cause the device to beep, and—most importantly—install an update.