Air Fryer Hacking On The Menu As Security Flaws Revealed
Researchers from the Cisco Talos Intelligence Group have uncovered security vulnerabilities in a popular kitchen appliance, the Cosori Smart Air Fryer. The blog post confirming these vulnerabilities states that they could “hypothetically allow an adversary to change temperatures, cooking times and settings on the air fryer.” The remote code execution vulnerabilities, CVE-2020-28592 and CVE-2020-28593, could allow remote code injection by an attacker. Temperature and timer controls in the hands of a malicious attacker could prove dangerous in the extreme, but what is the real-world risk?
Vacuum cleaners, coffee machines and sex toys
The internet of not so smart things is a security and privacy nightmare, no doubt about that, but some vulnerabilities are more worrying than others.
Last year I reported on a robot vacuum cleaner that could be hacked to spy on the user. Out of the lab and in the real world, this would require a firmware update, access to the local network and the correct ambient light and sound levels to work.
There are, truth be told, much easier ways to use technology to eavesdrop on someone.
Smart lock issues, yep. Coffee machine ransomware, less so. Connected car hacking and even permanently locking an internet-connected chastity belt, well, yeah.
Air fryer hacking, not so much.
The problem with air fryer security vulnerabilities
Obviously, the ability to tamper with temperature and timer controls on a cooking device is a dangerous thing that, if successfully exploited, could potentially start a fire. So why am I not overly concerned about this one?
Well, to begin with, the researchers admit that the attacker “must have physical access to the air fryer for some of these vulnerabilities to work.” Given that there are only two vulnerabilities to begin with, the exploit opportunity has already shrunk considerably, it would seem to me.
OK, you have to allow for the ingenuity of persistent threat actors, which might see a scenario involving a stack of other exploits and malware to gain access to the local network and then the air fryer firmware. Still, it’s a bit of a stretch. At least as far as the average user, or rather risk to the average user, is concerned. Equally, the firmware could be mucked about with somewhere in the supply chain, but that’s also unlikely in anything but a very niche victim-targeting scenario.
“Security issues in IoT devices, even with complex exploitation scenarios, are concerning because often a user can usually never easily tell if a device is vulnerable to an issue or even if a device has already been compromised,” Craig Williams, the Cisco Talos director of outreach, told me. With regards to the air fryer vulnerabilities, Williams says “in CVE-2020-28593, for example, the bug could be used to implant malicious firmware into the device. This could then be used for any number of nefarious purposes, perhaps most likely as a proxy point for attackers to route their traffic through during future campaigns.”
Who needs an internet-connected food fryer anyway?
Sure, maybe I am overly cynical, but scary-sounding hacker warnings are not always things to set off the real-world panic alarm. It’s crucial for researchers to keep finding and reporting these vulnerabilities to hold manufacturers’ feet to the fire and make products safer for the user. Nobody is going to argue against that. However, I would advance the case for arguing that nobody needs their air fryer, or any fryer for that matter, to be connected to the internet. I can’t think of a single instance when I’ve been away from home and wished I could get the French fries cooked by the time I got back. Maybe I live at a slower pace than some, but perhaps that’s not a bad thing.
Tim Erlin, vice-president of product management and strategy at Tripwire, said, “it can seem like it’s worth a laugh when vulnerabilities are found in these network-connected smart devices, but the increasing ubiquity of connected devices combined with vulnerabilities like these increasingly creates an attack surface with real risk. Your air fryer or light bulbs might not be that interesting in and of themselves, but they could provide a point of entry to other devices on the network.”
Craig Williams advises users to “consider do you really need the device to be on the internet? If so, then one should look for a device vendor that is likely to continue to be around for a while and support the device with security updates. This can usually be checked by searching for the name of the device and the acronym ‘CVE’. If you see advisories with patches available, you’re probably doing OK.”
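To show what Williams’s “search for the device name and ‘CVE’” check looks like when run against the NVD’s public data rather than a web search, here is an added Python example written for this article; it is not code from Cisco Talos, Cosori or Tripwire. It parses a response in the shape of the NVD CVE API 2.0 JSON (the live endpoint is https://services.nvd.nist.gov/rest/json/cves/2.0 with a keywordSearch parameter) and flags entries whose references are tagged as a vendor advisory or patch, which is the “advisories with patches available” signal Williams describes. The sample response embedded in the block is constructed: its descriptions and reference URLs are placeholders, not the real NVD records for the CVEs named in this article.

```python
import json
from typing import Dict, List
from urllib.parse import quote

# Live source the sample below imitates (not contacted here; the block runs offline).
NVD_API = "https://services.nvd.nist.gov/rest/json/cves/2.0"

# Constructed sample in the shape of an NVD CVE API 2.0 response.
# Descriptions and URLs are placeholders, not the real NVD entries.
SAMPLE_NVD_RESPONSE = json.dumps({
    "vulnerabilities": [
        {"cve": {
            "id": "CVE-2020-28592",
            "published": "2021-04-22T00:00:00.000",
            "descriptions": [{"lang": "en",
                              "value": "Constructed sample entry for a Cosori smart air fryer issue."}],
            "references": [
                {"url": "https://example.invalid/researcher-report",
                 "tags": ["Third Party Advisory"]},
            ],
        }},
        {"cve": {
            "id": "CVE-2020-28593",
            "published": "2021-04-22T00:00:00.000",
            "descriptions": [{"lang": "en",
                              "value": "Constructed sample entry for a Cosori smart air fryer issue."}],
            "references": [
                {"url": "https://example.invalid/researcher-report",
                 "tags": ["Third Party Advisory"]},
                {"url": "https://example.invalid/vendor-firmware-notice",
                 "tags": ["Vendor Advisory", "Patch"]},
            ],
        }},
        {"cve": {
            "id": "CVE-0000-00001",
            "published": "2021-01-01T00:00:00.000",
            "descriptions": [{"lang": "en",
                              "value": "Constructed placeholder for an unrelated product."}],
            "references": [],
        }},
    ]
})

# Reference tags NVD uses when the vendor has spoken or a fix exists.
FIX_TAGS = {"Patch", "Vendor Advisory"}


def nvd_keyword_url(device_name: str) -> str:
    """Build the NVD 2.0 keyword query a practitioner would fetch for a device."""
    return f"{NVD_API}?keywordSearch={quote(device_name)}"


def summarise_advisories(raw_json: str, product_keyword: str) -> List[Dict]:
    """Return one summary row per CVE whose English description mentions the product.

    has_patch is True when any reference carries a Patch or Vendor Advisory tag,
    i.e. the vendor appears to be engaging with the issue.
    """
    data = json.loads(raw_json)
    needle = product_keyword.lower()
    rows = []
    for item in data.get("vulnerabilities", []):
        cve = item["cve"]
        english = [d["value"] for d in cve.get("descriptions", []) if d.get("lang") == "en"]
        description = " ".join(english)
        if needle not in description.lower():
            continue
        tags = {t for ref in cve.get("references", []) for t in ref.get("tags", [])}
        rows.append({
            "id": cve["id"],
            "published": cve.get("published", "")[:10],
            "has_patch": bool(tags & FIX_TAGS),
        })
    return rows


def vendor_ships_fixes(rows: List[Dict]) -> bool:
    """Williams's heuristic: at least one advisory with a patch available."""
    return any(r["has_patch"] for r in rows)


if __name__ == "__main__":
    print("Would query:", nvd_keyword_url("cosori air fryer"))
    summary = summarise_advisories(SAMPLE_NVD_RESPONSE, "cosori")
    for row in summary:
        print(f"{row['id']}  published {row['published']}  patch/advisory: {row['has_patch']}")
    print("Vendor appears to ship fixes:", vendor_ships_fixes(summary))
```

The check is deliberately coarse: a “Patch” tag tells you the vendor has acted on at least one issue, not that your particular unit has received it, so the firmware version on the device itself still has to be compared against the advisory.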
Cosori confirms firmware update for the air fryer concerned
I reached out to Cosori regarding the matter after Cisco Talos went public with these issues, saying the manufacturer “did not respond appropriately” during the 90 days outlined in its vulnerability disclosure policy.
“Cosori deeply cares about the safety of the users of smart products,” a Cosori spokesperson says, “we have set to solve this issue immediately.” The Cosori statement continues:
“First, as a result of a detailed analysis, we are sure the scope of the vulnerability is limited to the local area network, and it cannot be controlled remotely through the WAN. And then, we have resolved the problem, an upgraded version of the appliance will be released soon. So, the air fryer can be upgraded with repaired firmware on April 25, 2021.”
Cosori advises users to upgrade the firmware to the latest version and says it will “keep on developing a safe and convenient system for our customers.”