Skip to main content

Internet-connected Mr. Coffee machines have security vulnerability, McAfee says

Mr. Coffee Smart Coffeemaker
Image used with permission by copyright holder

It may sound scary, but while you’re making yourself a cup of coffee, a hacker just may be brewing up an attack. According to security firm McAfee, an internet-connected coffee maker produced by Mr. Coffee and Wemo suffers from a security vulnerability that could let a malcious actor intercept traffic from the device and even schedule the machine to make coffee without the owner’s permission.

The affected device is the Mr. Coffee Coffee Maker with Wemo, first introduced back in 2014. The issue stems from the connectivity provided by Wemo. According to McAfee, Wemo devices communicate with a connected Wemo smartphone app, and can transfer date in two ways: Remotely via the internet or locally, bysending the information directly to the Wemo application. The vulnerabilty occurs when the communication is taking place locally.

McAfee researchers discovered it is possible to intercept transmissions made between the Mr. Coffee Coffee Maker with Wemo and the connected Wemo app. This can occur because the data is transferred in plaintext with no additional encryption or protection to prevent the information from being viewed by a malicious third party. By viewing that information, an attacker can see different data that is bouncing between the device and the Wemo app, including the brew schedule — times that the device owner has set up the machine to automatically brew a new pot of coffee.

With access to the communication between the coffee maker and app, a hacker could theoretically start inserting their own commands and pushing them to the device. That means an attacker could schedule the coffee maker to turn on without the permission or knowledge of the owner. McAfee pointed out that there is no validation on the source of a scheduled brew, so there is nothing to prevent the action from going forward even though it’s from an illegitimate source.

“Cybercriminals are relentless, and as long as we continue to connect devices to the internet, they will continue to search for ways to exploit them,” Raj Samani, McAfee fellow and chief scientist, said in a statement. “Vulnerability disclosures can be frightening for both the consumers using connected devices and the organizations that create them, however, the process is an essential component of creating a safer future. Cybersecurity researchers, businesses, and consumers working together to expose and eliminate these vulnerabilities keeps us all a step ahead of the bad guys.”

It’s worth noting that these types of attacks would have to be targeted efforts. A hacker would have to be connected to the same network that the vulnerable coffee maker is on. It also requires the coffee maker to be communicating locally rather than remotely, when remote access is the default setting for the machine. When conacted, Wemo parent company Belkin told Digital Trends it issued an advisory for the issue in August and offered a firmware update to address the issue on January 8, 2019.

Editors' Recommendations

AJ Dellinger
AJ Dellinger is a freelance reporter from Madison, Wisconsin with an affinity for all things tech. He has been published by…
Microsoft just discovered the next big evolution in displays
Resident Evil 4 running on the LG UltraGear 45 gaming monitor.

Microsoft is working on a new patent that aims to bring unprecedented levels of control to displays. The new tech, dubbed Pixel Luminesce for Digital Display, allows you to micromanage every single pixel of your display, adjusting the brightness as needed. If and when this makes it out of the development stage, it could end up being huge for all sorts of use cases, and could bring major improvements to some of the best gaming monitors.

The patent application describing the tech, first shared by Windows Report, describes the new technology as something that would enable selective dimming. With Microsoft's new tech, you could decide that one part of the display stays brighter while the rest of it remains unaffected, and this would happen dynamically.

Read more
SWAT team’s Spot robot shot multiple times during standoff
Spot, a robot dog.

A Boston Dynamics’ Spot robot deployed by the Massachusetts State Police (MSP) was shot during a standoff in Cape Cod, Massachusetts.

It’s believed to be the first time that the robot helper has taken a bullet during active duty, and it highlights how the machine can help keep law enforcement out of harm’s way during challenging situations.

Read more
Microsoft Edge is slowly becoming the go-to browser for PC gamers
microsoft edge chromium to roll out automatically soon chrome

Microsoft Edge is already jam-packed with features that other web browsers don't have, but a new one might well help your PC run faster while gaming. The default Windows web browser now has the option to limit the amount of RAM it uses, helping you prioritize RAM access to other applications or games. The feature is currently being tested in the Canary version of Microsoft Edge and could roll out to everyone if Microsoft deems it useful enough and gets quality feedback.

Spotted by X (formerly Twitter) user Leopeva64, the setting for this new feature is buried in the System and Performance section of the latest Canary version of Microsoft Edge. It is being rolled out gradually, so not everyone has it yet, but it gives two options for controlling your PC resources.

Read more