Apparently, the Jura Internet Connection Kit for the Jura F90 coffee maker (an actual coffee maker, if you were wondering) has a number of remotely exploitable vulnerabilities. Their existence was announced on the SecurityFocus mailing list by a Mr Craig Wright, but there is no exploit code in the wild, nor does the posting give many details.
The software is supposed to let Jura's maintenance people troubleshoot and fix your machine over the internet, removing the need for a house call. The line between pointless hack and potentially harmful exploit has been crossed, however: besides obnoxious-but-relatively-innocuous things like pouring a half-liter short espresso, an attacker who exploits the vulnerable software can also… wait for it… run arbitrary programs on the host Windows XP system with the privileges of the logged-in user.
Mr Wright has been kind enough not to say which port the affected program listens on, so the Internet is unlikely to see a flood of port scans looking for vulnerable machines of this sort (the Jura being out of the price range of your usual black-hat script kiddie should also help). That protection is thin, though: anyone who owns one of these kits, or can reach a host running one, can find the listening port with a single port scan, so the omission buys time rather than safety.
The manufacturer has not released a fixed version yet, and the affected software apparently cannot be updated remotely. No word yet on whether the vulnerable software uses the proposed standard or, indeed, whether this is a protocol-level vulnerability (in which case any implementation speaking the protocol would be affected, not just this one client).
Levity (and coffee) aside, this is another example of the security frontier moving from the system to the application level. A vulnerable application may not compromise the whole system, but it surely means trouble for the affected users, and on desktop machines the distinction is almost not worth making: when the logged-in user is a local administrator, as Windows XP users typically are, code running "with the credentials of the user" owns the box.