Wednesday, 18 June 2008

The latest Java based attack...

I have a Jura F90 Coffee maker with the Jura Internet Connection Kit. The idea is to:

“Enable the Jura Impressa F90 to communicate with the Internet, via a PC.
Download parameters to configure your espresso machine to your own personal taste.
If there's a problem, the engineers can run diagnostic tests and advise on the solution without your machine ever leaving the kitchen.”


Guess what – it cannot be patched as far as I can tell ;) It also has a few software vulnerabilities.

Fun things you can do with a Jura coffee maker:

  1. Change the preset coffee settings (make weak or strong coffee)
  2. Change the amount of water per cup (say 300ml for a short black) and make a puddle
  3. Break it by engineering settings that are not compatible (and making it require a service)

As a bad pun, the third attack could be called a Java denial of service...

The connectivity kit relies on the Internet connection of the PC it runs on, bridging the coffee machine onto the network through that PC. This allows a remote coffee machine “engineer” to diagnose any problems and to carry out a preliminary service remotely.

Best yet, the software allows a remote attacker to gain access to the Windows XP system it is running on, with the privileges of the logged-on user.

Compromise by Coffee…
