Tuesday, 1 July 2008

Comments from Jura

I have been told not to use the work email on this issue.

One of the issues is that a potential client of the firm I work for was a Jura importer. Writing this did not add clients, rather the opposite.

The accounting firm I work for does not get clients from vulnerability reports and this is not what I do for them. As such the claim by Jura that I am doing this as a means of contacting more clients is ludicrous.

My employer is an accounting firm, where I am a security person, so the claim they make is misinformation. I primarily do forensic work, not vulnerability analysis, for them.

I stated that the only affected product was the F90 with the connectivity kit and have at no times stated that any other product was involved.

A representative from the firm that does testing for Jura contacted me stating that they had extensively tested one of the other products and did not find this issue. I have not tested another product by Jura and they are unrelated. This comment is equivalent to stating that a hole in Linux has some relation to one in Windows. This is pure ignorance.

The response was:
"Two years ago our German test lab analyzed the Web-Module called “Web Pilot” of Jura with the Jura Impressa Z5 coffee machine. The test report is only available in German. See: http://www.protectstar-testlab.org/award/innovation/protectstar_impressa_z5_web_pilot_web.pdf"

I stated that the Internet connectivity kit connects to the Internet. I did not state it is connected to the WWW. The software associated with this product runs on a user's machine. This software has a bug.

Yes, the software has to be installed, but the ONLY way to use the "Internet Connectivity Kit" is to have this software installed. I find the idea strange that the coffee maker management software could be sold but not installed.

The memory unit in the "Internet Connectivity Device" has an input validation flaw. This allows a connected "Internet Connectivity Device" to be uploaded with invalid info. This can impact the host. I have validated that this can crash the machine.

As stated, my employer is not a security services firm, we are an audit firm. So the misinformation is from Jura.

Even if I was with a "security firm", the comment "If a security services company tries to evaluate potential security holes by affirming the contrary, one almost can’t help but think that this is an uninspired way of acquiring new clients" is incredibly ignorant. It demonstrates a marked disrespect for their clients - which I WAS one of.

Comment JURA Elektroapparate AG
Article “Hacker attack on JURA fully automatic coffee machine”

Current press reports are referring to a news item published by Craig Wright on securityfocus.com. JURA Elektroapparate AG is well aware of these articles which the company clearly qualifies as misinformation. The Internet Connectivity Kit which can optionally be acquired for only one device (IMPRESSA F90/F9) will at no times connect the coffee machine to the world wide web. Its settings can therefore only be changed by the machine’s rightful owner.

If a security services company tries to evaluate potential security holes by affirming the contrary, one almost can’t help but think that this is an uninspired way of acquiring new clients. JURA will get in touch with the author of the original contribution and resolve the matter.

JURA Elektroapparate AG, a Swiss company with worldwide operations, leads the field in innovation for fully automatic home coffee machines. Founded in Niederbuchsiten, Solothurn, in 1931, the company has 282 employees in Switzerland and 243 abroad working with its foreign distributors. JURA's consolidated revenues in 2007 totaled CHF 384.0 million, 13.3% of which was generated in Switzerland and 86.7% by international markets.

Further information

JURA Elektroapparate AG
Press Office
CH-4626 Niederbuchsiten
Tel: 062/389 83 40
Fax: 062/389 83 35
