Sister CISA CISSP:

Stupid Technology

Jun 26 2008   1:10AM GMT

Hack My Coffee - Please



Posted by: Arian Eigen Heald
Security, Hardware & InfoSec, Stupid Technology, Tearing My Hair Out, Start Laughing Now

From Craig Wright comes this riveting post:

I have a Jura F90 Coffee maker with the Jura Internet Connection Kit. The idea is to:

“Enable the Jura Impressa F90 to communicate with the Internet, via a PC.
Download parameters to configure your espresso machine to your own personal taste.
If there’s a problem, the engineers can run diagnostic tests and advise on the solution without your machine ever leaving the kitchen.”

Guess what - it cannot be patched as far as I can tell ;) It also has a few software vulnerabilities.

Fun things you can do with a Jura coffee maker:
1. Change the preset coffee settings (make weak or strong coffee)
2. Change the amount of water per cup (say 300ml for a short black) and make a puddle
3. Break it by engineering settings that are not compatible (and making it require a service call from the Internet!)

Craig goes on to reverse-engineer the software, with predictable results: code written with no security in mind. The details are painful.

The connectivity kit installs software on the PC that uses that PC's own Internet connection to put the coffee machine online. This lets a remote coffee machine “engineer” diagnose any problems and do a preliminary coffee service without a visit. Be still my heart - a remote coffee machine ENGINEER. (A NEW acronym: RCME)

It seems the software allows the “RCME” (can you say “attacker?”) to gain access to the Windows system it is running on with the privileges of the logged-in user. For most of us, that would be administrator.

Compromise by Coffee.
Whoo HOO. Can’t wait to see this come up in an audit.

And you can buy it for only $1798.00 at Amazon.

What’s surprising is that this thing has been on the market since September 2006, and it seems to have just now hit the press.

And Jura’s response?

“Jura is well aware of these articles which it clearly qualifies as misinformation.”
So Jura says security researchers are wrong. A coffee maker company knows best! OOOKay.

“The internet Connectivity Kit which can optionally be acquired for only one device (IMPRESSA F90/F9) will at no times connect the coffee machine to the world wide web.”

Only one device - and this makes insecure software better how?

And “at no times” on the web? Except that the software allows a remote coffee machine ENGINEER to access the machine from the web. OOOKay, again, this is secure how?

“Its settings can therefore only be changed by the machine’s rightful owner.” And if a remote coffee machine ENGINEER is allowed to run diagnostics on the machine - is this statement accurate? What else can the remote coffee machine ENGINEER do while he/she is running those diagnostics?

I’m feeling a caffeine buzz already. Is this a high-risk vulnerability? No. Is it a good idea? NO.

Jun 17 2008   1:00PM GMT

Losing My Identity At the Drugstore Instant Photo Machine



Posted by: Arian Eigen Heald
Tearing My Hair Out, Data Breaches, Security, Identity theft, Stupid Technology

A few days ago I went with my partner to the local drugstore (all the big chains have these machines) to print out a JPEG to send with a card for Father’s Day. The picture was on a thumb drive for easy transport, and I was along to provide technical support (I try to at least appear useful).

Imagine my HORROR when, after plugging in the drive as the machine requested, I saw the machine begin reading everything on the thumb drive, including financial spreadsheets, letters, family photos and lots of confidential stuff. Turns out she was using the same thumb drive she backs up all her critical documents with to transport the photo to the drugstore.

Needless to say, it was too late to recall, and my poor partner could only say, “I didn’t know!” at my yelp of despair. We printed the photo and left, with me mumbling under my breath about what a good column THAT was going to make.

So, how long before some poor minimum-wage guy working behind the counter and hacking on weekends says, “Hmmm. Look at all that interesting data along with all those dumb pictures.” There is no warning or indicator on the machines that we should think about what we’re giving away on those thumb drives along with pictures of junior and his new fishing rod. Perhaps they’re assuming we know better. (ROTFL)

More likely, it has not occurred to the designers or the drugstore management that those machines should only read image files (.jpeg, .tiff, .bmp, .raw and the like), not ALL files. Although the information was not printed, it was acquired. Even if there is no hard drive (which I highly doubt), the files would still sit in memory. Where is all that information sitting? Who has access to it? Am I nervous? You betcha.
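Here is what that “only read image files” rule looks like in practice, as an added example and not anything from the kiosk vendor or the original post. It builds a constructed stand-in for the thumb drive in a temp directory (one real JPEG header, two office documents in a backup folder, and a spreadsheet renamed to .jpg) and triages it the way a sane kiosk should: by file header, not by extension, with everything that is not an allowed image left untouched. The same walk, run by the owner before leaving the house, tells you exactly what you are about to hand over. The allowlist of signatures is my own and deliberately short.

```python
import os
import tempfile
from pathlib import Path

# Header ("magic byte") signatures for the image formats a photo kiosk legitimately
# needs. Constructed allowlist for this example; extend it as the kiosk requires.
IMAGE_SIGNATURES = {
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "tiff": (b"II*\x00", b"MM\x00*"),
    "bmp": (b"BM",),
}


def sniff_image_type(path):
    """Return the image type by file header, or None if it is not an allowed image.
    Only the first 16 bytes are read, so a non-image file is never fully loaded."""
    with open(path, "rb") as f:
        head = f.read(16)
    for kind, sigs in IMAGE_SIGNATURES.items():
        if any(head.startswith(s) for s in sigs):
            return kind
    return None


def triage_drive(root):
    """Walk a mounted drive as a kiosk would and split what it finds into
    (images it may offer for printing, everything else it should never touch)."""
    root = Path(root)
    accepted, exposed = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            rel = p.relative_to(root).as_posix()
            kind = sniff_image_type(p)
            if kind:
                accepted.append((rel, kind))
            else:
                exposed.append(rel)
    return sorted(accepted), sorted(exposed)


def build_sample_drive():
    """Constructed stand-in for the thumb drive in the story. The documents are
    fake (just a ZIP/OOXML header and padding); 'taxes.jpg' is a spreadsheet
    renamed to look like a photo, to show why extension checks are not enough."""
    root = Path(tempfile.mkdtemp(prefix="thumbdrive_"))
    (root / "dad.jpg").write_bytes(b"\xff\xd8\xff\xe0" + b"\x00" * 32)
    (root / "backup").mkdir()
    (root / "backup" / "finances.xlsx").write_bytes(b"PK\x03\x04" + b"\x00" * 32)
    (root / "backup" / "letter.docx").write_bytes(b"PK\x03\x04" + b"\x00" * 32)
    (root / "taxes.jpg").write_bytes(b"PK\x03\x04" + b"\x00" * 32)
    return root


if __name__ == "__main__":
    drive = build_sample_drive()
    ok, exposed = triage_drive(drive)
    print("kiosk may read:", ok)
    print("kiosk should never read:", exposed)
```

The point of sniffing headers rather than trusting extensions cuts both ways: the renamed spreadsheet is rejected even though it is called .jpg, and a real photo with a mangled name would still print. Whether the kiosk actually behaves this way is another matter, which is rather the point of the column.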

I can only wonder how long will it be before we get something in the news about these machines.