As part of his computer security research, a cybersecurity specialist managed to hack into a coffee machine, in a test that ended with a ransom demand.
This hack illustrates the much-decried danger of connected objects.
Since the advent of the Internet of Things, the security of connected objects has been at the centre of many debates. With the arrival of 5G in the coming months, this concern is likely to increase. The Internet of Things is too vulnerable: it only takes one neglected device to make an entire network vulnerable. This is what has just been demonstrated by computer security researcher Martin Hron of the specialist company Avast, one of the leading suppliers of security solutions.
According to the information available about the specialist's feat, the object chosen for the security test was affected by several security flaws. Among them are the absence of signatures on received commands and firmware updates, and the absence of encryption. These are critical vulnerabilities because they can enable cybercriminals to launch major computer attacks.
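The missing control named above, a signature check on firmware updates, sketched from the device's side as an added example (it is not Avast's code or the vendor's firmware). The image layout, key and function names are constructed for illustration, and HMAC-SHA256 stands in for the asymmetric signature a real device would verify, so that the example runs with the standard library only.

```python
import hashlib
import hmac
import struct

# Constructed layout (an assumption, not the vendor's format):
# 4-byte magic | uint32 version | uint32 payload length | payload | 32-byte tag
MAGIC = b"FWUP"
HEADER = struct.Struct(">4sII")
TAG_LEN = 32


def sign_image(key: bytes, version: int, payload: bytes) -> bytes:
    """Vendor side: build an image whose tag covers header and payload."""
    body = HEADER.pack(MAGIC, version, len(payload)) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()


def verify_image(key: bytes, image: bytes, installed_version: int) -> bytes:
    """Device side: return the payload only if the image is authentic and newer."""
    if len(image) < HEADER.size + TAG_LEN:
        raise ValueError("image too short")
    body, tag = image[:-TAG_LEN], image[-TAG_LEN:]
    # Authenticate first, before trusting any field an attacker could set.
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("bad signature")
    magic, version, length = HEADER.unpack_from(body)
    if magic != MAGIC or length != len(body) - HEADER.size:
        raise ValueError("malformed header")
    # Refuse to reinstall an old (possibly vulnerable) but validly signed image.
    if version <= installed_version:
        raise ValueError("rollback or replay")
    return body[HEADER.size:]


def try_update(key: bytes, image: bytes, installed_version: int) -> str:
    """Return 'accepted' or the reason the update was refused."""
    try:
        verify_image(key, image, installed_version)
        return "accepted"
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    key = b"constructed-demo-key"            # constructed sample key
    good = sign_image(key, 2, b"\x90" * 64)  # constructed sample firmware
    tampered = good[:20] + b"\xff" + good[21:]
    for label, img, installed in (("signed", good, 1), ("tampered", tampered, 1), ("old", good, 2)):
        print(label, "->", try_update(key, img, installed))
```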
This demonstration shows how exposed connected objects still are. That exposure is not trivial, because it can also endanger a computer network.
In practice, cybersecurity expert Martin Hron says he managed to disrupt the correct operation of the coffee machine by using a chip built into the object. This allowed him to present a ransom demand message in exchange for stopping the malfunction. It means that the only way to stop the machine after it has been targeted by the attack is to disconnect it. He explains: "The firmware is up to date and there is no easy option to push the firmware update to see what's in network traffic. What is interesting here is what is missing. There was no communication to the Internet either from the coffee maker or the app. So how is it possible for the app to know that the coffee maker has the latest firmware? The only data packets that passed were those between the machine and the application when the application had asked the machine for the firmware version. It's strange, and it seems to tell us that the firmware is probably not on the Internet and should be part of the application. So we opened the .apk file as easily as a .zip file. What we found there proved our hypothesis."
He points out that demanding a ransom was not the original objective. "Originally, we wanted to prove that this device could exploit the cryptocurrency (…) Given the processor and architecture, it's certainly doable, but at a speed of 8 MHz, it makes no sense because the value produced by such a miner would be negligible," he says.
Finally, the Avast specialist points out why he decided to do this particular test: "Some research is so amusing that it confirms why I'm doing this job. I was asked to prove a myth, call it a suspicion, that the threat of IoT devices is not just about accessing them via a weak router or Internet exposure, but that an IoT device itself is vulnerable and can be easily hacked without necessarily hacking into the network or router. I also bet that I could make this threat persist and make it a real danger to any user. We often say that your home network, considered a chain of trust, is not as strong as its weakest link, but what if the same thing were true at the device level? What would that mean?"
"Suppose you have a well-protected IoT with features that can be accessed via a well-defined API; even if you can control the device via the API, you probably can't do too much harm. Firmware, the programming inside the device, has logical constraints that do not allow you, for example, to close garage doors while someone is in their path or to overheat a device to the point of burning.
"We used to believe that we could trust equipment, such as a regular kitchen appliance, and that it could not be easily modified without physically disassembling the device. But with today's "smart" devices, that's no longer the case," he writes in a blog post.