IoT coffee machine hacked to demand ransom
Your morning brew could be disrupted by a lack of encryption and a reverse engineered firmware update


A security researcher has managed to reverse engineer an IoT coffee maker to the point where ransomware could be uploaded to the machine.
Martin Hron, a researcher with security firm Avast, conducted an experiment on the £179 Smarter Coffee Maker (version 1) to prove that hacking IoT devices is more than just accessing them via weak routers.
Security issues within the Smarter brand of coffee machines, and its iKettle, have previously been highlighted. London-based security firm Pen Test Partners found that they could recover Wi-Fi encryption keys used in the first version of the Smarter iKettle in 2015. These same flaws were also spotted in the first version of the coffee maker.
Hron managed to turn that same coffee maker into a ransomware machine. After tinkering with the IoT device, he found that when connected to the user's home network, the coffee maker's functions all went off simultaneously and a pre-programmed ransom message endlessly bleeped across the display.
His experiment was so successful that the only way to stop the machine from going haywire was to pull the plug.
"I was asked to prove a myth, call it a suspicion, that the threat to IoT devices is not just to access them via a weak router or exposure to the internet, but that an IoT device itself is vulnerable and can be easily owned without owning the network or the router," Hron wrote in a blog post.
"We thought this would be enough to freak any user out and make it a very stressful experience. The only thing the user can do at that point is unplug the coffee maker from the power socket."
Get the ITPro daily newsletter
Sign up today and you will receive a free copy of our Future Focus 2025 report - the leading guidance on AI, cybersecurity and other IT challenges as per 700+ senior executives
Hron was able to access the coffee machine through a firmware update because of the unencrypted connection to its corresponding smartphone app. He uploaded the Android app's latest firmware version to a computer and reverse engineered it using an interactive disassembler, and also took the coffee machine apart to learn what CPU it used.
With all that information, he then wrote a Python script that mimicked the coffee maker's update process. His modified firmware and lines of script caused the machine to go haywire and demand a ransom.
RELATED RESOURCE
BIOS security: The next frontier for endpoint protection
Today’s threats upend traditional security measures
This is by no means an easy hack and it has its limitations, as an attacker would need to find the coffee maker within Wi-Fi range. It can be triggered by hacking someone's router, but that would potentially require access to more than just a coffee machine.
"A very limited number of first-generation units had been sold in 2016 and although updates are no longer supported for these models, we do review any legacy claims on a per customer basis in order to provide continued customer care," a Smarter spokesperson told IT Pro.
But the implications of this kind of hack are concerning for the wider IoT industry, according to Hron, as smart gadgets could be rendered incapable of receiving patches to fix such a weakness. He also suggests that this type of vulnerability might be exploited in devices that no longer receive support.
"With the pace of IoT explosion and bad attitude to support, we are creating an army of abandoned vulnerable devices that can be misused for nefarious purposes such as network breaches, data leaks, ransomware attack and DDoS."
Bobby Hellard is ITPro's Reviews Editor and has worked on CloudPro and ChannelPro since 2018. In his time at ITPro, Bobby has covered stories for all the major technology companies, such as Apple, Microsoft, Amazon and Facebook, and regularly attends industry-leading events such as AWS Re:Invent and Google Cloud Next.
Bobby mainly covers hardware reviews, but you will also recognize him as the face of many of our video reviews of laptops and smartphones.
-
Bigger salaries, more burnout: Is the CISO role in crisis?
In-depth CISOs are more stressed than ever before – but why is this and what can be done?
By Kate O'Flaherty Published
-
Cheap cyber crime kits can be bought on the dark web for less than $25
News Research from NordVPN shows phishing kits are now widely available on the dark web and via messaging apps like Telegram, and are often selling for less than $25.
By Emma Woollacott Published
-
‘Phishing kits are a force multiplier': Cheap cyber crime kits can be bought on the dark web for less than $25 – and experts warn it’s lowering the barrier of entry for amateur hackers
News Research from NordVPN shows phishing kits are now widely available on the dark web and via messaging apps like Telegram, and are often selling for less than $25.
By Emma Woollacott Published
-
Healthcare systems are rife with exploits — and ransomware gangs have noticed
News Nearly nine-in-ten healthcare organizations have medical devices that are vulnerable to exploits, and ransomware groups are taking notice.
By Nicole Kobie Published
-
Alleged LockBit developer extradited to the US
News A Russian-Israeli man has been extradited to the US amid accusations of being a key LockBit ransomware developer.
By Emma Woollacott Published
-
February was the worst month on record for ransomware attacks – and one threat group had a field day
News February 2025 was the worst month on record for the number of ransomware attacks, according to new research from Bitdefender.
By Emma Woollacott Published
-
CISA issues warning over Medusa ransomware after 300 victims from critical sectors impacted
News The Medusa ransomware as a Service operation compromised twice as many organizations at the start of 2025 compared to 2024
By Solomon Klappholz Published
-
Warning issued over prolific 'Ghost' ransomware group
News The Ghost ransomware group is known to act fast and exploit vulnerabilities in public-facing appliances
By Solomon Klappholz Published
-
The Zservers takedown is another big win for law enforcement
News LockBit has been dealt another blow by law enforcement after Dutch police took 127 of its servers offline
By Solomon Klappholz Published
-
There’s a new ransomware player on the scene: the ‘BlackLock’ group has become one of the most prolific operators in the cyber crime industry – and researchers warn it’s only going to get worse for potential victims
News Security experts have warned the BlackLock group could become the most active ransomware operator in 2025
By Solomon Klappholz Published