If you have an IoT compatible coffee maker, you may not want to let a hacker get his hands on it. An expert like Martin Hron, who is a researcher at security company Avast, may run all kinds of tricks on it, as he did with a Smarter $250 machine.
“It’s possible,” Hron said in an interview with Ars Technica. “It was done to point out that this did happen and could happen to other IoT devices. This is a good example of an out-of-the-box problem. You don't have to configure anything. Usually, the vendors don’t think about this.”
When toying with the coffee maker, Hron discovered that both the commands and firmware updates were received with no encryption, no authentication, and no code signing. With the first, he could not do much damage as there were limited commands but with the second, boy could he put on a show!
To do this, he first had to discover what CPU the coffee maker used. So, he took apart the device's internals, spotted the circuit board, and identified the chips. Hron was then able to mess with the machine's most important functions and turn into a device that would demand a ransom to stop malfunctioning.
The only way to stop the device was to unplug it! You may be wondering why Hron decided to take on this experiment. He explains it quite gracefully on his blog.
"Some research is so fun that it confirms why I do this work. I was asked to prove a myth, call it a suspicion, that the threat to IoT devices is not just to access them via a weak router or exposure to the internet, but that an IoT device itself is vulnerable and can be easily owned without owning the network or the router. I also bet that I could make that threat persist and present a true danger to any user."