Hacking Coffee Makers.

2009.09.08
Credit: Craig Wright
Risk: Medium
Local: No
Remote: Yes
CWE: CWE-264

Hi All, I have a Jura F90 Coffee maker with the Jura Internet Connection Kit. The idea is to: "Enable the Jura Impressa F90 to communicate with the Internet, via a PC. Download parameters to configure your espresso machine to your own personal taste. If there's a problem, the engineers can run diagnostic tests and advise on the solution without your machine ever leaving the kitchen." Guess what - it can not be patched as far as I can tell ;) It also has a few software vulnerabilities. Fun things you can do with a Jura coffee maker: 1. Change the preset coffee settings (make weak or strong coffee) 2. Change the amount of water per cup (say 300ml for a short black) and make a puddle 3. Break it by engineering settings that are not compatible (and making it require a service) The connectivity kit uses the connectivity of the PC it is running on to connect the coffee machine to the internet. This allows a remote coffee machine "engineer" to diagnose any problems and to remotely do a preliminary service. Best yet, the software allows a remote attacker to gain access to the Windows XP system it is running on at the level of the user. Compromise by Coffee. Regards, Craig Wright GSE-Compliance Craig Wright Manager, Risk Advisory Services Direct : +61 2 9286 5497 Craig.Wright (at) bdo.com (dot) au [email concealed] +61 417 683 914 BDO Kendalls (NSW-VIC) Pty. Ltd. Level 19, 2 Market Street Sydney NSW 2000 GPO BOX 2551 Sydney NSW 2001 Fax +61 2 9993 9497 http://www.bdo.com.au/ The information in this email and any attachments is confidential. If you are not the named addressee you must not read, print, copy, distribute, or use in any way this transmission or any information it contains. If you have received this message in error, please notify the sender by return email, destroy all copies and delete it from your system. Any views expressed in this message are those of the individual sender and not necessarily endorsed by BDO Kendalls. You may not rely on this message as advice unless subsequently confirmed by fax or letter signed by a Partner or Director of BDO Kendalls. It is your responsibility to scan this communication and any files attached for computer viruses and other defects. BDO Kendalls does not accept liability for any loss or damage however caused which may result from this communication or any files attached. A full version of the BDO Kendalls disclaimer, and our Privacy statement, can be found on the BDO Kendalls website at http://www.bdo.com.au/ or by emailing mailto:administrator (at) bdo.com (dot) au. [email concealed] BDO Kendalls is a national association of separate partnerships and entities. Liability limited by a scheme approved under Professional Standards Legislation.

References:

http://www.securityfocus.com/bid/29767
http://www.securityfocus.com/archive/1/archive/1/493440/100/0/threaded
http://www.securityfocus.com/archive/1/archive/1/493433/100/0/threaded
http://www.securityfocus.com/archive/1/archive/1/493387/100/0/threaded
http://osvdb.org/46407
http://news.cnet.com/8301-10784_3-9970757-7.html
http://attrition.org/pipermail/vim/2008-June/002002.html


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top