All Your Coffee Are Belong To Us

Wolf nipple chips writes "Craig Wright discovered that the Jura F90 Coffee maker, with its honest-to-God Jura Internet Connection Kit, can be taken over by a remote attacker, who can cause the coffee to be weaker or stronger; change the amount of water per cup; or cause the machine to require service (call this one a DDoC). 'Best yet, the software allows a remote attacker to gain access to the Windows XP system it is running on at the level of the user.' An Internet-enabled, remote-controlled coffee-machine and XP backdoor — what more could a hacker ask for?"

Bah!

[BWJones (18351)]

Bah! Get your coffee [utah.edu] and an old school French press [wikipedia.org] to brew the tastiest coffee. Put your hacking efforts into the roasting, selection and cultivation of your beans and leave the time and resource wasting, lame Windows controlled coffee makers to the junk heap of history.

Re:Bah!

[by Anonymous Coward]

Keep up with time mate, it's called a Freedom Press

Re:Bah!

[Joebert (946227)]

I wave my private parts in your French press's general direction.

You know that feeling you get when you know you should tell someone they're about to do something really painfull, but you don't want to say anything because you haven't had a good laugh all week ?

Re:Bah!

[SMS_Design (879582)]

I believe they're referring to a Moka pot [wikipedia.org], actually.

Re:Bah!

[1karmik1 (963790)]

I'm italian, Coffee for us is either Moka or Espresso. At home, the best of the best is always moka. Even buying bar-grade espresso machines (the 3000$+ ones) isn't the same because with those machines (that makes an OUTSTANDING coffee) you had to make several hundreds coffee/day to remove the taste of brandnewness from them. A Moka can get to working order with few tens of runs. Every household in italy has a Moka. It's cheap and it makes a great coffee. (I wouldn't call Espresso tho, Espresso is even less water/even more coffee. Moka is something in between Espresso and $EVERYOTHERPARTOFTHEWORLD-coffee but more on the Espresso side (it's still a lot lot lot less water than any other coffee.). If you happen to stop by italy buy a Bialetti one, you won't regret it (we're talking 20$ here, nothing anyone could go bankrupt with.). Even more useful if you got a coffee grinder or a shop that sells moka-grinded coffee, since the grains are a little different from american-coffee ones (not sure which one is bigger. Moka ones are definitely bigger than espresso, which are the smallest.)

Re:Bah!

[cayenne8 (626475)]

"If you have a party where everyone needs coffee, even having a couple of them won't be enough..."

Hmm...I don't think I've ever been to a party where coffee was an issue...??

Usually we're concerned on not running out of beer, wine or liquor...

"Hey Phil, the Tigers are about to score again, can ya toss me a nice hot latte without too much foam?? Your out? WTF? Ok...I'm outta here, lets to to the local Starbucks, where they know how to treat a sports crowd!!"

Re:Bah!

[LizardKing (5245)]

You're not supposed to keep them clinically clean. As any Italian will tell you, only wash a cafitiere [wikipedia.org] with warm water - no washing up liquid or other kind of detergent. Not only will this increase the life of the rubber sealing ring, it improves the taste over time as the jug becomes coated with a coffee residue (even the Wikipedia article mentions this). As for burning the coffee, what are you using to heat the thing, a flamethrower? As the water reservoir heats, steam is passed through the ground coffee, meaning it can't burn unless you're heating the sides of the cafetiere.

Re:Bah!

[AgentPaper (968688)]

I'd have to respectfully disagree with that one. On a cheap aluminum moka pot, you might run into flavor issues from too-frequent scrubbing (aluminum + acid = yuk). If your pot is stainless, though (and these days, any decent pot will be), leaving that caked-on stuff in there will degrade the flavor of any coffee you make in it, as the coffee oils do tend to go rancid rather quickly post-brewing. The effect rapidly worsens if you use lower-grade coffee.

Then again, given my background and profession, I'd be heavily biased toward "clinically clean" even if it did throw the flavor off. ;-)

Java?

[Arakageeta (671142)]

I wonder how well it runs Java...

Re:Java?

[lanswitch (705539)]

I'm only interested if it can do Cocoa as well.

Re:Java?

[ozmanjusri (601766)]

Maybe if it was running WinCE.

Re:Java?

[NeilTheStupidHead (963719)]

// Possibly a more efficient way of doing this ... cycle count? coffee.add(sugar) coffee.add(milk)

Yes it's: coffee.add()

Sex?

[pembo13 (770295)]

Sorry, that's the first thing that came to mind on the question of what more could a hacker want.

Re:Sex?

[jd (1658)]

I assume the question is limited to things within the realms of reality, rather than science-fiction (the only known environment where geeks get laid). Of course, a totally evil hacker might upload a suitable hot coffee mod.

Tea

[ozbird (127571)]

Whatever you do, don't ask it for a cup of tea while it's connected to the Internet. "Share and enjoy." [russellbeattie.com]

Setting the scene

[BWJones (18351)]

I mean come on now... what good can an Internet connected coffee maker really do? No security conscious office will ever want a Windows enabled appliance around. Just imagine the scene:

Special Agent Wilkins: How the Hell did they get in?

Special Agent Thompson: Sir..... I... uh, think they got in through the coffee maker.

Special Agent Wilkins: The What?

Special Agent Thompson: Sir, the coffee maker that we got you for your birthday... the one that you wanted to be able to brew up a cup o joe from your office?

Special Agent Wilkins: Oh fsck me....

Re:Setting the scene

[jd (1658)]

This [wikipedia.org] is what happens when coffee pots go on the Internet, albeit in a different way. A similar effect was probably intended, though.

What more could a hacker want?

[katterjohn (726348)]

How about the coffee?

Re:What more could a hacker want?

[jd (1658)]

Hmmmmm. I wonder what would happen if someone totally evil patched the code so you had to win at minesweeper to get the coffee?

Re:What more could a hacker want?

[WWWWolf (2428)]

How about the coffee?

Ah, the cleverness of the hack in question is not that they can make the coffee maker to produce coffee, no. The evil hax0rs really want the coffee.

Employee 1: "This has to be the most ridiculous work order I've ever received."
Employee 2: "What is it?"
E1: "At precisely 12:02, I'm supposed to take the cup from the coffee percolator and deliver it to this address a few blocks away."
E2: "What? Are you kidding?"
E1: "No, it's on our company letterhead. Signed by the CEO. 'Deliver this cup of coffee to our IT subcontractor. This may sound like an unusual order, but millions are at stake here.'"
E2: "Well, I wonder what those primadonnas come up with next time?"

EVERYBODY PANIC!

[rossz (67331)]

Screw the company web server. Screw the sql database server. They've hacked the coffee machine! AHHHHHHHHH!!!!!!

HTCPCP

[by Anonymous Coward]

So, does this device conform to the HTCPCP (Hyper Text Coffee Pot Control Protocol) [http://www.faqs.org/rfcs/rfc2324.html] ?

Re:HTCPCP

[Pikoro (844299)]

"Coffee pots heat water using electronic mechanisms, so there is no fire. Thus, no firewalls are necessary, and firewall control policy is irrelevant."

That is the essence of the problem.

Not a constantly-connected device

[aaronbeekay (1080685)]

As far as I can tell, the coffeemaker *doesn't* run Windows-- the exploit is in the "connection kit", which is software that runs on a PC, which plugs into the coffeemaker, which lets coffee-people fix your coffeemaker from afar.

So this wouldn't have much in the way of applicability unless you knew someone with this particular $2000 coffeemaker, which was already experiencing problems, who had purchased the $100+ coffeemaker diagnostic kit and had the coffeemaker plugged in, through the diagnostic kit, to their PC at the time.

Seems like there are better ways to get into Windows.

At least it was a Coffee Maker...

[patio11 (857072)]

... and not, oh, an integrated diabetes management system, pill dispenser, etc...

classic example of why...

[timmarhy (659436)]

... not everything needs an internet connection

That's why they call it a firewall.

[Chris Snook (872473)]

If you let the whole world control your heating elements, bad things happen. When was the last time you saw an Itanium box with a public IP?

Re:That's why they call it a firewall.

[DoofusOfDeath (636671)]

When was the last time you saw an Itanium box with a public IP?

Are you kidding? When's the last time you saw any Itanium box?

What's for breakfast?

[fyoder (857358)]

Once the coffee maker is compromised and turned into a rogue email server, breakfast choices will be coffee and spam, coffee egg and spam; coffee egg bacon and spam; coffee egg bacon sausage and spam; coffee spam bacon sausage and spam; coffee spam egg spam spam bacon and spam; coffee spam sausage spam spam bacon spam tomato and spam....

Vikings: Spam spam spam spam...

Don't people learn

[Xarin (320264)]

Don't people ever learn. If you don't install a firewall, anti-virus protection, and anti-spyware software on your coffee maker, you deserve to be hacked. My coffee maker runs Linux and has never been hacked.

Coffee

[dunezone (899268)]

I, for one, welcome our new coffee brewing overlords.

Did you hear the ones about...

[pandrijeczko (588093)]

Did you hear the one about the Microsoft coffee maker?

It makes tea then convinces you that you only ever wanted a tea.

Did you hear the one about the Apple coffee maker?

It does an amazing Mocha Frappucino with whipped cream, caramel sauce and a chocolate flake in the top but doesn't know how to make a plain black coffee.

Did you hear the one about the Linux coffee maker?

v0.1 made a good plain coffee but it took a while doing it, v1.0 makes good plain coffee but there's a patch that allows it to make better tea than the Microsoft coffee maker and v2.0 gives you a cup of plain coffee, a cup of whipped cream, a cup of caramel sauce, a chocolate flake in a wrapper and tells you to make the coffee how you want but for a much lower price than the Apple one.

Did you hear the one about the Vista coffee maker?

Nope, neither did I but then who gives a shit.

Re:Did you hear the ones about...

[mrogers (85392)]

Did you hear the one about the OpenBSD coffee maker?

Theo De Raadt makes a perfect cup of espresso and then throws it over your shirt.

What more could a hacker want?

[CoolGopher (142933)]

An Internet-enabled, remote-controlled coffee-machine and XP backdoor -- what more could a hacker ask for?

Access to the coffee his new bot brews?

A culture of helplessness

[jandersen (462034)]

This is probably going to be simply ignored, as it is just one of my pet peeves; but as it is one of my pet peeves, I will proceed none the less. Consequently, this is my Message To The World:

What's the bloody sense in making a thing like this - let alone owning one? It is not exactly demanding, making you own coffee: put ground coffee beans in your favourite cafetiere/filter/mysterious glass thing with a spirit burner, add water, possibly hot. Wait for the magic to unfold right before your very eyes. Pour and drink. If you want to go all out, you grind your own coffee beans.

Recently I've seen more and more of these pointless gadgets where you insert a little foil capsule into a complicated piece of equipment and out comes a mediocre cup of coffee that has cost probably 10 times as much as a good cup of hand-made coffee; and you will have left a huge, reeking carbon footprint in the process. Plus, after a while you will have convinced yourself that you could never go back to doing it the old way - in other words, you have become dependent on a silly gadget, a little bit more helpless.

I suppose that is exactly where the industry wants us: unable to cook our own food, so we have to rely on ready made crap, unable to perform even the simplest of everyday tasks, because we rely on household machinery. Why do people fall for it? We honestly don't need most of these things unless we suffer from a physical disability; and they don't actually save us any meaningful time - by which I mean time we then spend on doing things that are worth doing rather than sit down to watch tv or play computer games.

Check with the Internet Engineering Task Force

[JakartaDean (834076)]

Well, I hope someone is checking whether this thing is truly RFC 2324 compliant.

http://tools.ietf.org/html/rfc2324 [ietf.org]

Re:Check with the Internet Engineering Task Force

[saforrest (184929)]

Well, I hope someone is checking whether this thing is truly RFC 2324 compliant.

I was just going to mention that RFC 2324 considered this problem way back in 1998, in section 7 "Security Considerations":

7. Security Considerations

Anyone who gets in between me and my morning coffee should be insecure.

Unmoderated access to unprotected coffee pots from Internet users might lead to several kinds of "denial of coffee service" attacks. The improper use of filtration devices might admit trojan grounds. Filtration is not a good virus protection method.

Mornings for me...

[ockegheim (808089)]

...involve coffee and a hacking cough, so maybe it would suit me.

Reminds me of the toaster in Red Dwarf.

My coffee machine was designed in the 1950s, and makes brilliant coffee if you put enough love in.

It could actually be dangerous...

[ewrong (1053160)]

1: Hack your competitiors coffee machine.
2: Set it to only serve decaff.
3: Sit back and watch their productivity go through the floor.

I wonder

[Etrigoth (1119741)]

Is this technically a Java exploit ?

*sorry*

but of course

[nimbius (983462)]

just another entry in a long list of devices that, while harmless otherwise, now have the ability to injure you once integrated with Microsoft Windows.

Re:hmmm

[by Anonymous Coward]

Yeahhhhhh, i'm gonna have to go ahead & ... disagree with you there, yeahhh. I'm not sure hacking Lumberg's coffee maker is going to have any affect on him, yeahhh, you see, Lumberg doesn't sleep as he is up all night continually drinking from his perpetually-full mug, even as he bangs your girlfriend.

btw, I'm gonna have to ask you to go ahead and come in on Sunday, too... :-P

Re:Weaken them

[jamesh (87723)]

NO one can survive without caffeine!

I can. I can stop caffeine any time I want to.

Re:Weaken them

[algerath (955721)]

You know the first step in getting help is admitting that you have a problem.

Re:Weaken them

[Upphew (676261)]

But if I don't have a problem, then I don't need help, so why should I admit anything?

Re:First post?

[by Anonymous Coward]

Have the RIAA sent it a DMCA takedown notice for sharing files [slashdot.org] yet?

PC LOAD COFFEE

Re:First post?

[mr_matticus (928346)]

PC = Percolation Cartridge, I assume?

If there's not a slider lever in the tray to accept Darjeeling media, I'm afraid it will never take off in the UK, dooming these machines to the same fate as A4-incompatible printers.

Re:First post?

[Zeinfeld (263942)]

I have been predicting this one for a while, I wrote in the manifesto that nobody is going to want home automation if it means having to worry if Mr Coffee has been recruited into a botnet.

The solution I proposed there was that a coffee pot does not get a full Internet connection. Instead of the default being full access we switch to default deny. It only gets to connect to the local net at all after authentication. And it only gets access that is appropriate to its function and consistent with site policy. Obviously the typical consumer is not going to be writing security policies so this process is going to have to be automated which is where a small amount of Semantic Web technology comes in.

Re:First post?

[funaho (42567)]

A simpler solution is, when putting your coffee maker on the Internet, to make sure JavaScript is turned off.

Yes, I made a horrible pun. :)

Re:First post?

[CastrTroy (595695)]

PC LOAD COFFEE? WTF does that mean?

Here's some extra text to get past the caps filter.