Posted by: Arian Eigen Heald
Hardware & InfoSec, Security, Start Laughing Now, Stupid Technology, Tearing My Hair Out
From Craig Wright comes this riveting post:
I have a Jura F90 Coffee maker with the Jura Internet Connection Kit. The idea is to:
“Enable the Jura Impressa F90 to communicate with the Internet, via a PC.
Download parameters to configure your espresso machine to your own personal taste.
If there’s a problem, the engineers can run diagnostic tests and advise on the solution without your machine ever leaving the kitchen.”
Guess what – it cannot be patched as far as I can tell. It also has a few software vulnerabilities.
Fun things you can do with a Jura coffee maker:
1. Change the preset coffee settings (make weak or strong coffee)
2. Change the amount of water per cup (say 300ml for a short black) and make a puddle
3. Break it by engineering settings that are not compatible (and making it require a service call from the Internet!)
Craig goes on to reverse engineer the software, with predictable results: Coding with no security. The details are painful.
The connectivity kit for the coffee machine installs software that uses the connectivity of the PC it is running on to connect the coffee machine to the Internet. This allows a remote coffee machine “engineer” to diagnose any problems and to remotely do a preliminary coffee service. Be still my heart – a remote coffee machine ENGINEER. (A NEW acronym: RCME)
It seems the software allows the “RCME” (can you say “attacker?”) to gain access to the Windows system it is running on at the level of the user. For most of us, that would be administrator.
Compromise by Coffee. Whoo HOO. Can’t wait to see this come up in an audit.
And you can buy it for only $1798.00 at Amazon.
What’s surprising is that this thing has been on the market since September 2006, and it seems to have just now hit the press.
And Jura’s response?
“Jura is well aware of these articles which it clearly qualifies as misinformation.” So Jura says security researchers are wrong. A coffee maker company knows best! OOOKay.
“The internet Connectivity Kit which can optionally be acquired for only one device (IMPRESSA F90/F9)” And this makes insecure software better how?
“will at no times connect the coffee machine to the world wide web.” Except the software allows a remote coffee machine ENGINEER to access the machine from the web. OOOKay, again, this is secure how?
“Its settings can therefore only be changed by the machine’s rightful owner.” And if a remote coffee machine ENGINEER is allowed to run diagnostics on the machine – is this statement accurate? What else can the remote coffee machine ENGINEER do while he/she is running those diagnostics?
I’m feeling a caffeine buzz already. Is this a high risk vulnerability? No. Is it a good idea? NO.