[Dshield] From security-basics: Hacking Coffee Makers

Jon Kibler Jon.Kibler at aset.com
Tue Jun 17 15:49:41 GMT 2008 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

In case you do not subscribe to the security-basics list, I thought you
may find this interesting on several fronts:
   -- Hacking appliances
   -- Unsecured and unpatchable Windows O/S
   -- Vulnerable O/S exposed to Internet
   -- Physically attack a user remotely

Jon
- --
Jon R. Kibler
Chief Technical Officer
Advanced Systems Engineering Technology, Inc.
Charleston, SC  USA
o: 843-849-8214
c: 843-224-2494
s: 843-564-4224

My PGP Fingerprint is:
BAA2 1F2C 5543 5D25 4636 A392 515C 5045 CF39 4253


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAkhX3RUACgkQUVxQRc85QlOFCQCfbtqbqXuDijk5Yw38Ty2lJyoz
MpQAn2E92WxPUDnsImsD+vDf5g3Wcdkq
=gj5y
-----END PGP SIGNATURE-----




=========================
Filtered by: TRUSTEM.COM's Email Filtering Service
http://www.trustem.com/
No Spam. No Viruses. Just Good Clean Email.

-------------- next part --------------

Hi All,
I have a Jura F90 Coffee maker with the Jura Internet Connection Kit. The idea is to:

"Enable the Jura Impressa F90 to communicate with the Internet, via a PC.
Download parameters to configure your espresso machine to your own personal taste.
If there's a problem, the engineers can run diagnostic tests and advise on the solution without your machine ever leaving the kitchen."

Guess what - it can not be patched as far as I can tell ;) It also has a few software vulnerabilities.

Fun things you can do with a Jura coffee maker:
1. Change the preset coffee settings (make weak or strong coffee)
2. Change the amount of water per cup (say 300ml for a short black) and make a puddle
3. Break it by engineering settings that are not compatible (and making it require a service)

The connectivity kit uses the connectivity of the PC it is running on to connect the coffee machine to the internet. This allows a remote coffee machine "engineer" to diagnose any problems and to remotely do a preliminary service.

Best yet, the software allows a remote attacker to gain access to the Windows XP system it is running on at the level of the user.

Compromise by Coffee.

Regards,
Craig Wright GSE-Compliance

Craig Wright
Manager, Risk Advisory Services

Direct : +61 2 9286 5497
Craig.Wright at bdo.com.au
+61 417 683 914

BDO Kendalls (NSW-VIC) Pty. Ltd.
Level 19, 2 Market Street Sydney NSW 2000
GPO BOX 2551 Sydney NSW 2001
Fax +61 2 9993 9497
http://www.bdo.com.au/

The information in this email and any attachments is confidential. If you are not the named addressee you must not read, print, copy, distribute, or use in any way this transmission or any information it contains. If you have received this message in error, please notify the sender by return email, destroy all copies and delete it from your system.

Any views expressed in this message are those of the individual sender and not necessarily endorsed by BDO Kendalls. You may not rely on this message as advice unless subsequently confirmed by fax or letter signed by a Partner or Director of BDO Kendalls. It is your responsibility to scan this communication and any files attached for computer viruses and other defects. BDO Kendalls does not accept liability for any loss or damage however caused which may result from this communication or any files attached. A full version of the BDO Kendalls disclaimer, and our Privacy statement, can be found on the BDO Kendalls website at http://www.bdo.com.au/ or by emailing mailto:administrator at bdo.com.au.

BDO Kendalls is a national association of separate partnerships and entities. Liability limited by a scheme approved under Professional Standards Legislation.






=========================
Filtered by: TRUSTEM.COM's Email Filtering Service
http://www.trustem.com/
No Spam. No Viruses. Just Good Clean Email.

More information about the list mailing list