10.07.13

What A Twitter-Controlled Coffeemaker Teaches Us About Home Security

Do we really want everything to connect to the Internet?

[Image: Flickr user comedy_nose]

Using a coffeemaker, Arduino Uno kit, and a power tail that cost approximately $70, a security researcher has connected the Black & Decker coffee machine to a Twitter feed to prove two things:

  1. You can connect a coffee maker to Twitter…
  2. But you might not want to.

The Arduino and some custom code let her make the coffeemaker brew on command by tweeting the hashtag #driptwit. The Twitter account was then left with intentionally weak security, allowing Tiffany Strauchs Rad, a security researcher specializing in connected devices, to simulate a hacker attack and successfully gain “unauthorized” access to her own machine.

Like many security experts, Rad is deeply ambivalent about the wisdom of tech nerds connecting home appliances to Twitter or any other service with relatively weak security. At a recent conference in San Francisco, she showed how she broke into her networked, Twitter-powered coffee machine, with the implicit message that pranksters or criminals could have a ball with any home appliance turned into a smart device via Arduino or proprietary toolkits. According to Rad, many connected devices for the home have firmware with only rudimentary security precautions standing between you and a prankster seeking to fill your kitchen floor with coffee.

In a presentation at a Kaspersky Labs conference, Rad noted that “I did this to show there are vulnerabilities in passwords; there are other similar vulnerabilities in connected systems.” She added that “When thinking about systems, you have to consider if they are connected to the Internet and if there is cryptography. We certainly love smart devices because of the convenience of turning home crock pots on and off from work, but the downside is that some researchers are looking at deep vulnerabilities in firmware.”

The hacked coffeemaker was a standard-issue Black & Decker, modded to take its orders from Twitter by following an Instructables guide and the Tweet-A-Pot project. Rad then added custom Python code because “the libraries from three years ago didn’t work with this project at all. I had to kick the code to make it go.” Although Internet-connected coffeemakers are largely a novelty, they’re not unknown; I’ve been to at least three workplaces in academia or the private sector with web-enabled coffeemakers.
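Rad’s point about passwords and cryptography boils down to one design question: what does the device check before it acts on a tweet? The script below is an added illustration, not Rad’s code and not part of Tweet-A-Pot or the Instructables guide. It assumes a polling loop has already fetched tweets as dicts with `user` and `text` fields (the field names, the account names, the shared secret and the sample tweets are all constructed for the demo). It contrasts the weak gate the article describes, where any tweet carrying the hashtag brews coffee, with a hardened gate that requires an allow-listed sender, an HMAC tag computed with a secret that lives only on the device and the owner’s phone, and a strictly increasing nonce so an old tweet cannot be replayed.

```python
import hashlib
import hmac
import re

HASHTAG = "#driptwit"                      # trigger hashtag from the article
SECRET = b"constructed-demo-secret"        # placeholder; shared by device and owner only

# A signed command looks like: "#driptwit nonce=<int> sig=<64 hex chars>"
COMMAND_RE = re.compile(re.escape(HASHTAG) + r"\s+nonce=(\d+)\s+sig=([0-9a-f]{64})")


def sign_command(user: str, nonce: int, secret: bytes) -> str:
    """HMAC-SHA256 over sender, nonce and hashtag; binds the tag to one account and one use."""
    msg = f"{user}:{nonce}:{HASHTAG}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def command_text(user: str, nonce: int, secret: bytes) -> str:
    """Build the tweet text the owner's phone would post (constructed format)."""
    return f"{HASHTAG} nonce={nonce} sig={sign_command(user, nonce, secret)}"


def weak_gate(tweet: dict) -> bool:
    """The article's setup: the hashtag alone is the whole authorisation."""
    return HASHTAG in tweet["text"].lower()


class HardenedGate:
    """Sender allow-list + HMAC tag + monotonically increasing nonce (replay defence)."""

    def __init__(self, allowed_users, secret: bytes):
        self.allowed_users = set(allowed_users)
        self.secret = secret
        self.last_nonce = 0  # persisted on the device in a real build

    def authorize(self, tweet: dict) -> str:
        if tweet["user"] not in self.allowed_users:
            return "sender not allowed"
        m = COMMAND_RE.search(tweet["text"])
        if not m:
            return "missing nonce or signature"
        nonce, sig = int(m.group(1)), m.group(2)
        expected = sign_command(tweet["user"], nonce, self.secret)
        # constant-time compare so the tag cannot be guessed byte by byte
        if not hmac.compare_digest(expected, sig):
            return "bad signature"
        if nonce <= self.last_nonce:
            return "replayed nonce"
        self.last_nonce = nonce  # only advance after every check passed
        return "accepted"


# Constructed sample feed: one legitimate command, several abuse attempts, one more legit
SAMPLE_TWEETS = [
    {"user": "coffee_owner", "text": command_text("coffee_owner", 1, SECRET)},
    {"user": "prankster", "text": "lol free coffee #driptwit"},
    {"user": "prankster", "text": command_text("coffee_owner", 1, SECRET)},  # copied text
    {"user": "coffee_owner", "text": command_text("coffee_owner", 1, SECRET)},  # replay
    {"user": "coffee_owner", "text": command_text("coffee_owner", 2, b"wrong-secret")},
    {"user": "coffee_owner", "text": command_text("coffee_owner", 3, SECRET)},
]


def evaluate(tweets):
    """Return (weak decision, hardened decision) for each tweet, in feed order."""
    gate = HardenedGate({"coffee_owner"}, SECRET)
    return [(weak_gate(t), gate.authorize(t)) for t in tweets]


if __name__ == "__main__":
    for t, (weak, hard) in zip(SAMPLE_TWEETS, evaluate(SAMPLE_TWEETS)):
        print(f"{t['user']:13} weak={'BREW' if weak else 'skip':4}  hardened={hard}")
```

Run as a script, the weak gate brews for all six tweets, while the hardened gate accepts only the two fresh, correctly signed commands from the allow-listed account. The allow-list alone still rests on the Twitter account’s password, which is exactly the link Rad showed can be weak; the HMAC tag is what keeps a stolen account from brewing, because the secret never passes through Twitter, and the nonce keeps a captured tweet from being reposted later.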

Hacking this proof-of-concept together had its own hazards. While Rad was on the road in Ghana, the power tail and coffeemaker were plugged in at a hotel lobby when the power converter attached to them sparked a small fire. Production electronics don’t usually start fires the way hacked projects do, but it’s a vivid reminder of the small hazards of having machines operate without direct supervision.

Rad, a security researcher for Kaspersky and computer science professor at the University of Southern Maine, is primarily known for her research work into connected, Internet-enabled cars and security flaws in the control systems of federal prisons.