It may sound scary, but while you’re making yourself a cup of coffee, a hacker just may be brewing up an attack. According to security firm McAfee, an internet-connected coffee maker produced by Mr. Coffee and Wemo suffers from a security vulnerability that could let a malcious actor intercept traffic from the device and even schedule the machine to make coffee without the owner’s permission.
The affected device is the Mr. Coffee Coffee Maker with Wemo, first introduced back in 2014. The issue stems from the connectivity provided by Wemo. According to McAfee, Wemo devices communicate with a connected Wemo smartphone app, and can transfer date in two ways: Remotely via the internet or locally, bysending the information directly to the Wemo application. The vulnerabilty occurs when the communication is taking place locally.
McAfee researchers discovered it is possible to intercept transmissions made between the Mr. Coffee Coffee Maker with Wemo and the connected Wemo app. This can occur because the data is transferred in plaintext with no additional encryption or protection to prevent the information from being viewed by a malicious third party. By viewing that information, an attacker can see different data that is bouncing between the device and the Wemo app, including the brew schedule — times that the device owner has set up the machine to automatically brew a new pot of coffee.
With access to the communication between the coffee maker and app, a hacker could theoretically start inserting their own commands and pushing them to the device. That means an attacker could schedule the coffee maker to turn on without the permission or knowledge of the owner. McAfee pointed out that there is no validation on the source of a scheduled brew, so there is nothing to prevent the action from going forward even though it’s from an illegitimate source.
“Cybercriminals are relentless, and as long as we continue to connect devices to the internet, they will continue to search for ways to exploit them,” Raj Samani, McAfee fellow and chief scientist, said in a statement. “Vulnerability disclosures can be frightening for both the consumers using connected devices and the organizations that create them, however, the process is an essential component of creating a safer future. Cybersecurity researchers, businesses, and consumers working together to expose and eliminate these vulnerabilities keeps us all a step ahead of the bad guys.”
It’s worth noting that these types of attacks would have to be targeted efforts. A hacker would have to be connected to the same network that the vulnerable coffee maker is on. It also requires the coffee maker to be communicating locally rather than remotely, when remote access is the default setting for the machine. When conacted, Wemo parent company Belkin told Digital Trends it issued an advisory for the issue in August and offered a firmware update to address the issue on January 8, 2019.