Vulnerable Coffee Maker Software Found

No, you're not dreaming this up for lack of coffee

Apparently, the Jura Internet Connection Kit for the Jura F90 Coffee Maker (an actual coffee maker, if you were wondering) has a number of remotely exploitable vulnerabilities. The existence of the vulnerabilities was published on the SecurityFocus mailing list by a Mr Craig Wright, but there is no exploit code in the wild, nor are many details given.

The software is supposed to help Jura maintenance people troubleshoot and fix your machine over the internet, removing the need for a house call. The line between pointless hack and potentially harmful exploit has been crossed, however: besides obnoxious-but-relatively-innocuous things like pouring a half-liter short espresso, an attacker who exploits the vulnerable software can also… wait for it… run any program on the host Windows XP system, with the credentials of the logged-in user.

Mr Wright has been kind enough not to disclose which port the affected program uses for communicating, so the Internet is unlikely to see a flood of port scans looking for vulnerable machines of this sort (the Jura being out of the price range of your usual black-hat hacker kid should also help).

The manufacturer has not released a fixed version yet, and the affected software apparently cannot be updated remotely. There is no word yet on whether the vulnerable software uses the proposed standard or, indeed, whether this is a protocol-level vulnerability.

Levity (and coffee) aside, this is another example of the security frontier being pushed from the system to the application level – a vulnerable application may not compromise the whole system, but it surely means trouble for the affected users; the distinction is almost not worth making for desktop machines.

About the author

Razvan Stoica is a journalist turned teacher turned publicist and technology evangelist. When Bitdefender isn't paying him to bring complex subjects to wide audiences, he enjoys writing fiction, skiing and biking.

Razvan Stoica started off writing for a science monthly and was the chief editor of a science fiction magazine for a short while before moving on to the University of Medicine in Bucharest, where he lectured on the English language. Recruited by Bitdefender in 2004 to add zest to the company's online presence, he has fulfilled a bevy of roles within the company since.

In his current position, he is primarily responsible for the communications and community-building efforts of the Bitdefender research and technology development arm.