Your coffeemaker been hacked [yet]?

With the name Smarter, you might expect a network-connected kitchen appliance maker to be, well, smarter than companies selling conventional appliances. But in the case of Smarter’s Internet-of-things coffee maker, you’d be wrong…

Security problems with Smarter products first came to light in 2015, when researchers at London-based security firm Pen Test Partners found that they could recover a Wi-Fi encryption key used in the first version of the Smarter iKettle. The same researchers found that version 2 of the iKettle and the then-current version of the Smarter coffee maker had additional problems, including no firmware signing and no trusted enclave inside the ESP8266, the chipset that formed the brains of the devices. The result: the researchers showed a hacker could probably replace the factory firmware with a malicious one. The researcher EvilSocket also performed a complete reverse engineering of the device protocol, allowing remote control of the device.
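The missing piece described above is firmware signing: a bootloader that holds only the vendor’s public key and refuses any image whose signature does not verify (and refuses downgrades to an older, already-patched version). The following Go program is an added illustration of that check, not Smarter’s code or anything from the Pen Test Partners write-up; the image layout (magic, version, length, payload, trailing Ed25519 signature) is an assumption made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Hypothetical image layout, an assumption for this example (not any vendor's real format):
//   magic "FWIM" (4) | version uint32 BE (4) | payload length uint32 BE (4) | payload | Ed25519 signature (64)
// The signature covers everything before it, so the header fields are protected as well.
var magic = []byte("FWIM")

const sigLen = ed25519.SignatureSize

// SignFirmware models the vendor's build pipeline; the private key never leaves the vendor.
func SignFirmware(priv ed25519.PrivateKey, version uint32, payload []byte) []byte {
	hdr := make([]byte, 12)
	copy(hdr[0:4], magic)
	binary.BigEndian.PutUint32(hdr[4:8], version)
	binary.BigEndian.PutUint32(hdr[8:12], uint32(len(payload)))
	body := append(hdr, payload...)
	sig := ed25519.Sign(priv, body)
	return append(body, sig...)
}

// VerifyFirmware models a bootloader that holds only the public key. It returns the payload
// and version only for a genuine image newer than the one installed; any other image is refused.
func VerifyFirmware(pub ed25519.PublicKey, image []byte, installed uint32) ([]byte, uint32, error) {
	if len(image) < 12+sigLen {
		return nil, 0, errors.New("image too short")
	}
	if string(image[0:4]) != string(magic) {
		return nil, 0, errors.New("bad magic")
	}
	version := binary.BigEndian.Uint32(image[4:8])
	length := binary.BigEndian.Uint32(image[8:12])
	if int(length) != len(image)-12-sigLen {
		return nil, 0, errors.New("length field does not match image size")
	}
	body := image[:len(image)-sigLen]
	sig := image[len(image)-sigLen:]
	// Verify the signature before trusting any header field for a decision.
	if !ed25519.Verify(pub, body, sig) {
		return nil, 0, errors.New("signature check failed: not from the vendor, or modified")
	}
	// Anti-rollback: an attacker must not be able to reinstall an older, signed but vulnerable build.
	if version <= installed {
		return nil, 0, fmt.Errorf("rollback refused: image version %d <= installed %d", version, installed)
	}
	return image[12 : 12+length], version, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	payload := []byte("constructed sample firmware payload") // constructed stand-in, not real firmware
	img := SignFirmware(priv, 2, payload)

	_, v, err := VerifyFirmware(pub, img, 1)
	fmt.Println("genuine image: version", v, "err", err)

	tampered := append([]byte(nil), img...)
	tampered[20] ^= 0x01 // flip one bit inside the payload
	_, _, err = VerifyFirmware(pub, tampered, 1)
	fmt.Println("tampered image:", err)

	_, _, err = VerifyFirmware(pub, img, 2)
	fmt.Println("same-version image:", err)
}
```

The device side needs nothing secret: only the public key has to be baked into the bootloader, which is why a missing signature check cannot be fixed by a later over-the-air update once an attacker can already write unsigned images.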

As a thought experiment, Martin Hron, a researcher at security company Avast, reverse engineered one of the older coffee makers to see what kinds of hacks he could do with it. After just a week of effort, the unqualified answer was: quite a lot. Specifically, he could trigger the coffee maker to turn on the burner, dispense water, spin the bean grinder, and display a ransom message, all while beeping repeatedly. Oh, and by the way, the only way to stop the chaos was to unplug the power cord…

The cautionary tale moves on and offers humor, corrective suggestions…and not a boatload of hope for up-to-date standards. Generally, firmware updates stop in a few years…even though beaucoup electronic products work for many more. As they should.

The NSA wants to monitor your pacemaker — bet that makes you feel safe and secure!

The NSA is interested in collecting information from pacemakers and other biomedical devices for national security purposes, according to The Intercept. Richard Ledgett, the agency’s deputy director, reportedly said at a conference…that, “We’re looking at it sort of theoretically from a research point of view right now.”

That suggests this isn’t something the NSA is actively doing; and if it did have the ability, Ledgett indicates that it wouldn’t exactly be a core source of information. “Maybe a niche kind of thing … a tool in the toolbox,” he said, according to The Intercept.

Still, it’s both wild and disconcerting to think that something as critical as a pacemaker could be monitored by a hacker. The NSA doesn’t plan to stop at that, either. Perhaps less surprising is Ledgett’s broader suggestion that the NSA is interested in using information from any internet-connected device.

National Intelligence director James Clapper indicated as much back in February, as The Intercept points out. The Guardian reports Clapper saying, “In the future, intelligence services might use the [Internet of Things] for identification, surveillance, monitoring, location tracking, and targeting for recruitment, or to gain access to networks or user credentials.” Though he’s stating it here as a hypothetical, it’s not hard to imagine that the NSA views the addition of connectivity to more and more devices — be it a fridge or a pacemaker — as valuable.

The Intercept is becoming more and more a valuable source for anyone concerned with questions of individual liberty and privacy in a connected world.

Our government – and the alphabetized creeps on the snoop payroll – really hate it.

Do you have a zombie refrigerator?


A fridge has been discovered sending out spam after a web attack managed to compromise smart gadgets…The fridge was one of more than 100,000 devices used to take part in the spam campaign.

Uncovered by security firm Proofpoint, the attack compromised computers, home routers, media PCs and smart TV sets.

The attack is believed to be one of the first to exploit the lax security on devices that are part of the “internet of things”.

The spam attack took place between 23 December 2013 and 6 January this year, said Proofpoint… In total, it said, about 750,000 messages were sent as part of the junk mail campaign. The emails were routed through the compromised gadgets.

About 25% of the messages seen by Proofpoint researchers did not pass through laptops, desktops or smartphones, it said…instead, the malware managed to get itself installed on other smart devices such as kitchen appliances, the home media systems on which people store copied DVDs and web-connected televisions…

“The results spoke for themselves when the addresses responded with explicit identification, including well-known, often graphically branded interfaces, file structures, and content,” David Knight told the BBC.

Mr Knight speculated that the malware that allowed spam to be sent from these devices was able to install itself because many of the gadgets were poorly configured or used default passwords that left them exposed.
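A home or small-office gateway can catch this pattern without knowing anything about the appliance: a device that is not a mail client or server has no business opening SMTP connections to many different hosts. The Go program below is an added example of that detection logic, not Proofpoint’s method; it reads iptables-style firewall log lines (the `SRC=`, `DST=`, `DPT=` fields are standard netfilter log output, while the sample lines themselves are constructed for the example) and reports sources that contacted several distinct mail servers on an SMTP port.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// smtpPorts are the destination ports legitimate mail clients and servers use.
var smtpPorts = map[int]bool{25: true, 465: true, 587: true}

// Connection is one outbound flow record pulled from a firewall log line.
type Connection struct {
	Src, Dst string
	Dport    int
}

// ParseLogLine extracts the SRC=, DST= and DPT= fields from one netfilter-style log line.
// Lines missing any of the three fields (or with a non-numeric port) are skipped.
func ParseLogLine(line string) (Connection, bool) {
	var c Connection
	seen := 0
	for _, f := range strings.Fields(line) {
		kv := strings.SplitN(f, "=", 2)
		if len(kv) != 2 {
			continue
		}
		switch kv[0] {
		case "SRC":
			c.Src, seen = kv[1], seen+1
		case "DST":
			c.Dst, seen = kv[1], seen+1
		case "DPT":
			p, err := strconv.Atoi(kv[1])
			if err != nil {
				return c, false
			}
			c.Dport, seen = p, seen+1
		}
	}
	return c, seen == 3
}

// SuspectSpammers returns, per source address, how many distinct destinations it contacted on
// an SMTP port, for sources that are not on the allow list of hosts expected to send mail and
// that reached the threshold. An appliance should never appear here.
func SuspectSpammers(lines []string, allowedSenders map[string]bool, threshold int) map[string]int {
	dests := map[string]map[string]bool{}
	for _, l := range lines {
		c, ok := ParseLogLine(l)
		if !ok || !smtpPorts[c.Dport] || allowedSenders[c.Src] {
			continue
		}
		if dests[c.Src] == nil {
			dests[c.Src] = map[string]bool{}
		}
		dests[c.Src][c.Dst] = true
	}
	out := map[string]int{}
	for src, d := range dests {
		if len(d) >= threshold {
			out[src] = len(d)
		}
	}
	return out
}

// SampleLog is a constructed set of log lines: a fridge (192.168.1.57) spraying SMTP at several
// mail servers, a laptop (.10) using its provider's submission port, a TV (.80) doing HTTPS,
// and a phone (.20) contacting a single mail server.
var SampleLog = []string{
	"Jan  3 02:11:09 gw kernel: FW-OUT IN=br0 OUT=eth0 SRC=192.168.1.57 DST=203.0.113.10 PROTO=TCP SPT=49152 DPT=25",
	"Jan  3 02:11:10 gw kernel: FW-OUT IN=br0 OUT=eth0 SRC=192.168.1.57 DST=203.0.113.11 PROTO=TCP SPT=49153 DPT=25",
	"Jan  3 02:11:12 gw kernel: FW-OUT IN=br0 OUT=eth0 SRC=192.168.1.10 DST=198.51.100.5 PROTO=TCP SPT=50001 DPT=587",
	"Jan  3 02:11:13 gw kernel: FW-OUT IN=br0 OUT=eth0 SRC=192.168.1.57 DST=203.0.113.12 PROTO=TCP SPT=49154 DPT=25",
	"Jan  3 02:11:15 gw kernel: FW-OUT IN=br0 OUT=eth0 SRC=192.168.1.80 DST=198.51.100.9 PROTO=TCP SPT=40000 DPT=443",
	"Jan  3 02:11:16 gw kernel: FW-OUT IN=br0 OUT=eth0 SRC=192.168.1.57 DST=203.0.113.13 PROTO=TCP SPT=49155 DPT=25",
	"Jan  3 02:11:18 gw kernel: FW-OUT IN=br0 OUT=eth0 SRC=192.168.1.20 DST=198.51.100.5 PROTO=TCP SPT=51000 DPT=25",
	"Jan  3 02:11:19 gw kernel: FW-OUT IN=br0 OUT=eth0 SRC=192.168.1.57 DST=203.0.113.10 PROTO=TCP SPT=49156 DPT=25",
}

func main() {
	allowed := map[string]bool{"192.168.1.10": true} // the one host that is supposed to send mail
	for src, n := range SuspectSpammers(SampleLog, allowed, 3) {
		fmt.Printf("%s contacted %d distinct mail servers on SMTP ports: likely compromised\n", src, n)
	}
}
```

Counting distinct destinations rather than raw connections is what separates a spam engine from a misconfigured client retrying one server; blocking outbound port 25 from everything except the allow-listed host turns the same rule into prevention.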

Hilarious. Manufacturers of many of these devices are firms already part of geek technology. They’re run by people who should know better and either don’t care or simply presume criminal hackers are dumber than they are.

Many of these devices cannot be updated by the user – you have to rely upon the good intentions and sensible action of manufacturers. I’m not holding my breath waiting for that to happen soon.

My household wifi systems route to the Internet via a pretty good firewall. My smart devices – including TV – are protected with NSA-level passwords, and that’s about as far as I can take self-defense at the moment. Core responsibility lies with designers building in appropriate barriers to script kiddies and their thug cousins – or they will begin to lose sales to manufacturers who will.