'Smart' home appliances such as your humble coffee maker may sprinkle your latte with a host of security problems.
I like coffee, but I don't like coffee grounds. So I went looking for a nice, built-in, automatic coffee machine, and found a bunch of security issues along the way. The journey even linked up my current bugbears of iPhones and home-network profiling for burglars.
Home appliance vendors champion 'smart' appliances, much as corporates are being encouraged to implement amazingly insecure building automation systems. The rationale is usually along the lines of savings through smarter use of energy and greater convenience.
However, the spin-off for my coffee addiction is that home appliances are starting to come with RJ45, WiFi and Bluetooth connections. Miele announced at the beginning of September that it is launching an error reporting and remote control system for kitchen and washing appliances. Even better, they can be controlled from an iPhone. Now I really want its coffee machine – for security research, of course.
Who remembers the early days of remote coffee reporting? Back in 1991, a team from Cambridge University Computer Lab was having caffeine issues, as its coffee-maker was a few rooms away. So it implemented a basic 'webcam' for remote monitoring of the pot status, well before HTTP as we know it existed – just Google 'Trojan Room coffee machine' for more information.
I nearly fell off my chair laughing when I found RFC 2324, which describes HTCPCP/1.0, 'the hyper text coffee pot control protocol'. I wonder if any appliance vendors out there are going to support that?
One of the first to market with an 'internet' coffee machine was Swiss manufacturer Jura, whose F90 was found to have a whole host of security problems – it even has an entry on Bugtraq. It seems it had some OWASP 101 input validation fails, which could lead to a denial of coffee service, but – more worryingly – you could modify pre-set coffee programmes, and overflow your cup.
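To make the "OWASP 101 input validation" point concrete, here is an added illustration (not code from this article, and not the Jura F90's real interface, whose endpoints and parameters I do not know) of what such a failure looks like in a small appliance command handler. The query-string format, the parameter names `program` and `volume`, and the limits are all assumptions. The naive parser trusts whatever arrives, so an oversized volume goes straight to the dispenser and a non-numeric value crashes the handler; the hardened parser rejects anything outside a strict whitelist and range before it reaches the hardware.

```python
"""Unvalidated vs validated request parsing for a hypothetical
network-connected coffee machine (added example; interface is assumed)."""
from urllib.parse import parse_qs

# Constructed limits for the hypothetical machine: five programme slots,
# cups between 30 ml and 300 ml. Not the real F90's values.
MAX_PROGRAM = 5
MIN_VOLUME_ML = 30
MAX_VOLUME_ML = 300


def parse_brew_request_naive(query: str) -> dict:
    """The 'before' picture: no validation at all.

    A volume of 99999 is returned as-is (cup overflow) and a non-numeric
    programme raises an unhandled ValueError (denial of coffee service).
    """
    params = parse_qs(query)
    return {
        "program": int(params["program"][0]),
        "volume_ml": int(params["volume"][0]),
    }


class InvalidRequest(ValueError):
    """Raised for any request that fails validation."""


def _int_field(params: dict, name: str, low: int, high: int) -> int:
    """Require exactly one value, plain digits only, within [low, high]."""
    values = params.get(name)
    if not values or len(values) != 1:
        raise InvalidRequest(f"{name}: exactly one value required")
    raw = values[0]
    # isdigit() rejects signs, whitespace and empty strings; the length cap
    # stops absurdly long numerals before int() is even called.
    if not raw.isdigit() or len(raw) > 6:
        raise InvalidRequest(f"{name}: must be a small positive integer")
    value = int(raw)
    if not low <= value <= high:
        raise InvalidRequest(f"{name}: {value} outside [{low}, {high}]")
    return value


def parse_brew_request(query: str) -> dict:
    """Hardened parser: whitelist parameters, then bound every value."""
    params = parse_qs(query, keep_blank_values=True)
    unknown = set(params) - {"program", "volume"}
    if unknown:
        raise InvalidRequest(f"unexpected parameters: {sorted(unknown)}")
    return {
        "program": _int_field(params, "program", 1, MAX_PROGRAM),
        "volume_ml": _int_field(params, "volume", MIN_VOLUME_ML, MAX_VOLUME_ML),
    }


def handle(query: str) -> tuple:
    """Tiny stand-in for an HTTP handler: returns (status, body)."""
    try:
        req = parse_brew_request(query)
    except InvalidRequest as err:
        return 400, str(err)
    return 200, f"brewing program {req['program']} at {req['volume_ml']} ml"


if __name__ == "__main__":
    print(parse_brew_request_naive("program=1&volume=99999"))  # overflow accepted
    print(handle("program=2&volume=120"))                      # well-formed
    print(handle("program=2&volume=99999"))                    # rejected
    print(handle("program=abc&volume=120"))                    # rejected
```

The design point is that the validated path fails closed: the machine only ever sees values that were explicitly allowed, and every rejection is a 400 the owner can log rather than a crash or an overflowing cup.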
Where does this lead us? No doubt you have been asked about staff wanting to connect their own mobile devices to their networks. Nearly every time I speak to a security manager, the subject of iPads comes up. The senior execs want them, sometimes they've already bought them using a company credit card, or they've brought in their own. They want their corporate email on it, yet the data they are party to is probably the most sensitive in the entire business.
Now, I'm not suggesting that your execs are going to ask to hook up their washing machine to the corporate network. That would be plain silly, but they will probably have the remote control app installed on their iPhone. That same iPhone that syncs with your Exchange server...
We have been through this all before, with home workers wanting to use their own PCs and laptops to connect to corporate systems. Many have been bitten in the process. Why? Because the home PC is the softest target of all. How well can you really define your network perimeter?
I've been involved in several security investigations where a compromise was traced back to a home worker's personal computer. What seemed like a good idea for flexible working, allowing a home PC to connect to web-based corporate services, turned out to be a conduit for malware and keylogging. All seemed to result from infections picked up while web-browsing.
A coffee machine or fridge with an RJ45 connection might not seem like much of a threat – and I bet you will at least consider buying one next time you replace an appliance. I bet further that if you do buy one, you'll immediately hook it up to your home network. I know I will.
At least we are aware of security, but what about Josephine Bloggs? Her home network gains yet another functional device that is easily compromised. Still want to let them connect through their home PC or personal mobile device to your corporate network? Better hope the environment you let them connect through is bombproof, or you'll need more than coffee.
I'll let you know how I get on with my coffee machine, though I won't be letting you know its IP address!