A hacked kitchen robot to raise awareness of the hidden risks of connected objects
The Thermomix TM5, a high-end multifunctional kitchen robot that is very widespread in French households, has been the subject of an astonishing hacking experiment led by Synacktiv, a French offensive cybersecurity company.
Lamartine, author of the Poetic Harmonies, asked: “Inanimate objects, do you have a soul?” In any case, once connected, they are hackable!
This is not a malicious attack but an experiment led by hackers who are cybersecurity researchers.
This hack, carried out in a controlled setting, highlights a reality about our everyday objects that the general public still barely perceives. They have become computers like any other, and therefore potential targets for attackers.
Without modifying the device physically, the researchers managed to hijack some of its functions, such as displaying custom messages on the screen, manipulating the heating temperature, or triggering error messages at inopportune moments. It is a striking way of demonstrating that an object as familiar as a kitchen robot can be turned into a tool once its flaws have been discovered and exploited.
Synacktiv did not choose the Thermomix to point the finger at it, nor to call the manufacturer Vorwerk into question, especially since the device has a good level of security compared with the competition. It chose it because it perfectly embodies the new generation of connected devices, which incorporate IT components that are sometimes complex and vulnerable. This type of demonstration makes it possible to raise awareness, in a concrete way, of the challenges of digital security in every aspect of our daily lives.
There is no question here of creating panic. The simulated attack remains very technical, is carried out in a research setting, and does not directly threaten users. But the message is clear: cybersecurity no longer concerns only computers or phones. Like these kitchen robots, several billion connected objects of all kinds are in circulation: cars, watches, speakers, heating systems, toothbrushes, baby monitors, cameras, pacemakers, etc.
Notably, Vorwerk, informed of the operation, was very responsive. The manufacturer took this work seriously and even authorized its publication. The researchers welcome this responsible and transparent attitude, which is still too rare. Engaging in dialogue with experts to understand and correct flaws demonstrates maturity on these issues, and it is a strong signal for the market. This operation aims to encourage manufacturers to integrate security mechanisms from the design stage of their products. The more connected a device is, the more it can become an entry point if it is poorly protected. In addition, the more widespread it is, the more its vulnerabilities can be exploited on a large scale if they are not corrected.
At a time when connected objects are essential in our lives, this demonstration highlights the urgency of a new collective reflex: treating digital security as a basic requirement, including in our kitchens.
RESOURCES
All the details about the compromise of the TM5 model via a hard attack: https://www.synacktiv.com/publications/let-me-cook-you-a-vulnerability-exploitation-du-thermomix-tm5#conclusion
• In-depth analysis of the functioning of the TM5
• Creation of an open-source Cook-Key (small module containing the recipes and allowing Wi-Fi connectivity). 3D models and code will be published soon.
• In theory, new recipes can be installed on this model
About Synacktiv
Synacktiv is a French company specializing in offensive cybersecurity, founded in 2012 by two security experts. Its main areas of expertise are penetration testing, security audits, reverse engineering, vulnerability research and incident response.
Synacktiv takes part in sensitive projects of worldwide renown. It develops many offensive security tools as part of its activities.
Synacktiv is qualified by ANSSI as PASSI RGS and LPM (Information Systems Security Audit Provider) and as CESTI (Information Technology Security Evaluation Center). It has been awarded the “Cybersecurity Made in Europe” label by the Alliance for Digital Confidence (ACN), a certifying organization authorized by the National Games Authority (ANJ).
The company has more than 400 customers and currently employs a team of more than 200 cybersecurity experts. It operates mainly from its offices in Paris, Bordeaux, Toulouse, Lyon, Lille and Rennes. The teams work in France, in Europe and internationally.
On a national and international scale, Synacktiv's involvement in the cyber community is reflected in its participation in numerous events (conferences, challenges, CTFs) as well as the regular publication of security alerts and articles. To find out more: www.synacktiv.com