The attack of the mutant coffee machines

The other day, a friend told me that he was at work, having a coffee; one of those from the machine that are now standard in most companies, you know, a Nespresso. When he pushed the button something strange happened and the machine got stuck in a loop —they get more and more like computers— and the lights were flashing. He turned it off and then on again (my friend is a computer engineer) and everything worked out fine —just like a computer— and he could satisfy his need for caffeine.

A few minutes later, while enjoying his coffee and a chat (my friend is Spanish), he got a call from someone identifying themselves as a member of the coffee machine’s maintenance service staff asking him if there was any problem with the machine. With the coffee machine? No… well, yes, but how did you know? You have it monitored? It’s sent you a fault message? How did it do that? Ah! 3G… No, I didn’t know. Thanks. Bye.

My friend was somewhat mind-boggled. It hadn’t occurred to him the machine could have a direct line out. Not that it was a bad idea. In fact, it’s an excellent idea for the maintenance service, as they can detect faults, even carry out preventive maintenance and, of course, analyze user consumption patterns: when most coffees are taken, how long the machine is working, whether it usually runs out of water or the user fills it before it empties, whether it overheats. All the necessary information not only to maintain the machine, but to improve design on later versions as well, or even optimize performance by simply updating the software (firmware to be more exact) controlling the device.

I searched in Internet and, as expected, on the Orange telephone operator page I found that they had made an agreement with Nespresso to equip two of their most sophisticated models with this capacity. Models normally used in companies.

But, as my friend, as well as being a computer engineer, is a cybersecurity specialist, couldn’t stop thinking about it. What communication capacities did the machine have? What broadband? Is it hackable? As he’s done an audit or two in his time, he started thinking about abuse cases and wondered how far security had been considered when designing this new function. Would it be possible for an attacker to modify device performance without the manufacturer knowing about it? Could someone access the machine’s programme? And modify the programming of the chip that controls it? Nobody can get really worked up about a coffee machine but, once it’s connected to the Internet, that changes things, doesn’t it?

Where are these machines installed? In company meeting rooms or rest areas. In the offices of top management in companies and the administration. Are there coffee machines in the meeting rooms of the military? And in research centres?

Would it be possible to connect a microphone and transmit information through this communication channel? Paranoias, paranoias. I had a strange dream last night, like a B movie from the 60s: the attack of the mutant coffee machines.

Too twisted. Although, on the other hand, who would suspect a coffee machine?