Your Smart Coffee Machine Can Be Easily Hacked, The Only Way To Stop It Is To Pull The Plug

May 28, 2022


In recent years, more and more household appliances are affixed with smart labels. When we see the word "smart", we may think that these appliances are smarter and more convenient than traditional appliances. However, when using these smart devices that need to be connected to the Internet, have you considered their security?


Martin Hron, a researcher at security firm Avast, conducted an experiment in which he reverse-engineered a $250 smart coffee maker. He wanted to know what kind of hacking can be done against these IoT devices. After a week of hard work, he had his answer. Specifically, he could hack the coffee machine to turn on the heater, make it squirt water, turn on the grinder, and even display a ransom message while making the machine beep repeatedly. And the only way to stop these troubles is to unplug the power cord.


"It's possible for a smart coffee machine to be hacked," Hron said in an interview. "This experiment is to show that it does happen, and it could happen to other IoT devices."


Most IoT devices work "out of the box": users don't need to configure anything, and usually sellers don't think about security either. That makes this device a good example to illustrate a few things.


What is out of the box?


When Hron first connected to the smart coffee machine, he discovered that it was acting as a Wi-Fi hotspot and that the hotspot communicated with the smartphone app over an unsecured connection. The app can be used to configure the device, and the user can choose to connect it to the home Wi-Fi network. Because there is no encryption, anyone capturing the traffic can easily see how the phone controls the coffee machine, and because there is no authentication, any software that speaks the same protocol can control the coffee machine as well.


This mechanism only exposed a small set of commands to Hron, none of which were particularly harmful. Hron then examined the mechanism by which the coffee machine receives firmware updates. It turns out that the device receives firmware updates via the phone, and again, there is no encryption and no authentication.


These glaring vulnerabilities gave Hron an opening. Since the latest firmware version is stored in the Android app, he could extract it onto his computer and reverse engineer it using the disassembler IDA. Without breaking a sweat, he had readable code.


"From this, we can infer that the entire update mechanism is not encrypted and that the firmware may be a 'cleartext' image added directly to the coffee machine's flash memory," he wrote in a blog post.
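The two findings above, an update channel with no authentication and a cleartext image written straight to flash, are exactly what an authenticated update check is meant to prevent. The following is an added illustration written for this article, not code from Avast or from the coffee maker's real firmware: a minimal image format (header, payload, authentication tag) and the checks a bootloader should run before writing a single byte to flash. It assumes a constructed per-device key and uses HMAC-SHA256 so that it runs on the Python standard library; a production bootloader would hold a public key and verify an Ed25519 or ECDSA signature instead, but the order of checks is the same.

```python
"""Authenticated firmware image check (constructed example for illustration)."""
import hashlib
import hmac
import struct

MAGIC = b"FWIM"
HEADER = struct.Struct(">4sII")   # magic, firmware version, payload length
TAG_LEN = 32                      # HMAC-SHA256 tag appended after the payload

# Assumption: a per-device key provisioned at manufacture. This is a constructed
# demo value; real deployments would use a public key and an asymmetric signature.
DEVICE_KEY = b"constructed-demo-key-not-a-real-secret"


def build_image(version: int, payload: bytes, key: bytes = DEVICE_KEY) -> bytes:
    """Assemble header || payload || tag, with tag = HMAC(key, header || payload)."""
    header = HEADER.pack(MAGIC, version, len(payload))
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag


def verify_image(image: bytes, installed_version: int, key: bytes = DEVICE_KEY):
    """Return (accepted, reason). Every check runs before anything is written to flash."""
    if len(image) < HEADER.size + TAG_LEN:
        return False, "image too short"
    magic, version, payload_len = HEADER.unpack(image[:HEADER.size])
    if magic != MAGIC:
        return False, "bad magic"
    # Reject truncated or padded images before trusting any length field.
    if len(image) != HEADER.size + payload_len + TAG_LEN:
        return False, "length mismatch"
    body, tag = image[:-TAG_LEN], image[-TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    # Constant-time comparison so tag checks do not leak timing information.
    if not hmac.compare_digest(tag, expected):
        return False, "authentication failed"
    # Anti-rollback: an authentic but older image must not replace a newer one.
    if version <= installed_version:
        return False, "rollback rejected"
    return True, "ok"


def demo():
    """Exercise the checks against a good image and three bad ones."""
    good = build_image(3, b"\x00" * 64)
    tampered = bytearray(good)
    tampered[HEADER.size + 5] ^= 0x01              # flip one payload byte
    forged = build_image(4, b"\x00" * 64, key=b"someone-elses-key")
    return (
        verify_image(good, installed_version=2),            # (True, "ok")
        verify_image(bytes(tampered), installed_version=2),  # authentication failed
        verify_image(good, installed_version=3),            # rollback rejected
        verify_image(forged, installed_version=2),          # authentication failed
    )


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The point of the ordering is that the image is authenticated as a whole (header included) before the version field is believed, so an attacker who can only modify bytes in transit cannot pass off a tampered or back-level image, and a device that enforces this would have refused the modified firmware described in this article.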


Dismantling


In order to actually disassemble the firmware (that is, convert the binary code into the low-level assembly language the processor executes), Hron had to know what kind of CPU the coffee machine was using. So he took the device apart, found the circuit board, and identified the chips. The following two images show his findings:



1. ESP8266 chip with AT modem firmware; 2. STM32F05106 ARM Cortex M0 chip, which is the main CPU; 3. I2C EEPROM with the configuration; 4. Debug port and programming interface. (Source: Avast)


After taking the machine apart to see what the parts do, Hron put it back together. He was then able to reverse engineer the coffee maker's most important functions, including the heater and water-container checks and making the device beep. Hron could also control how firmware updates are installed on the coffee machine. The following is a block diagram of the main components of the coffee machine:




The next step is to create modified firmware to do something less friendly.


Hron wrote: “Initially, we wanted to prove that the device could do cryptocurrency mining. Of course, it was possible given the CPU and architecture, but at 8 MHz it didn’t make sense because the output of such a miner would be negligible.”


So the researchers decided to do something else to wreak havoc: if the owner wanted to stop the coffee machine, they would have to pay a ransom, as shown in the video. Since there was still some unused memory space in the chip, Hron added a few lines of code that caused all the mayhem.


"We think that's enough to put users off. We can easily make the experience of using the smart coffee machine the worst, and the only thing the user can do is unplug the coffee machine from the power outlet."


With the update scripts and modified firmware rewritten and loaded onto an Android phone (an iPhone would be much harder to use for this because of the closed nature of iOS), there are several ways to carry out the attack. The easiest is to find a vulnerable coffee maker within Wi-Fi range; devices that haven't yet been configured to join a Wi-Fi network are easy to find.


The attacker's main battlefield


Once the device is connected to the home network, the temporary SSID needed to configure the coffee maker and initiate any updates is no longer available. However, if an attacker knows that a smart coffee machine is in use on a given network, he can simply bypass this restriction: the attacker sends a reauthorization packet to the network, which causes the coffee machine to disconnect. After that, the device starts broadcasting the SSID again, giving the attacker the freedom to update the device with malicious firmware.


The obvious limitation of this attack is that it only works if the attacker can locate a vulnerable coffee machine and is within its Wi-Fi range. One way to get around this, Hron said, is to hack into a Wi-Fi router and use it as a launching point to attack coffee makers. That attack can be carried out remotely, but if an attacker has already compromised the router, the network owner has something far worse than a coffee machine failure to worry about.


Regardless, the ransomware attack is just the beginning of what attackers could do, Hron said. He believes that with more work, attackers could program coffee machines to attack routers, computers or other devices connected to the same network, and could do so without obvious signs.


Putting this in perspective


Because of these limitations, this kind of hack doesn't represent a real or immediate threat, although for some people it's enough to keep them away from "smart" products, at least from devices that don't use encryption and authentication.


Of course, this hack was just an experiment to explore the possibilities of coffee makers, refrigerators, and other household devices connected to the Internet. Interestingly, the hacked coffee machine was no longer able to receive firmware updates, so there was nothing the owner could do to fix the bug Hron discovered.


Hron also made an important point: "Can a vendor maintain 17 years of software updates for a typical refrigerator with a lifespan of 17 years?" This is one of the most concerning questions in modern IoT devices.


Of course, a device can still be used after it stops getting updates, but with the explosive growth of IoT and patchy vendor support, such devices are extremely vulnerable and can be abused for network breaches, data leaks, ransomware attacks, and DDoS attacks.


There is also the question of how to deal with the explosive development of the Internet of Things. As we gradually move toward the Internet of Everything, how can we ensure the security of each device? These issues are worth pondering by developers and businesses alike.

