Command line coffee machine: Hacker shuns app so he can stay at the keyboard for longer

Zimperium researcher Simone Margaritelli has hacked his coffee machine, finding a way to brew coffee using the command line. Margaritelli (@evilsocket) says he reverse engineered the app used to control the Smarter AM coffee machine. It means hackers can choose to ignore apps when they need a coffee and instead stumble over to …

  1. Small Furry Animal

    Must.Have.More.Coffee

    I know it's Monday morning, but 12 cups? (see video)

    1. 404 Silver badge

      Re: Must.Have.More.Coffee

      Maybe city folk, but with the wife and I, that's 4 cups. (those things are inaccurate)

  2. Anonymous Coward

    brewed coffee from the command line

    Does he mention if he had the coffee delivered to him by drone, or did he have to manually retrieve it himself? All seems like a waste of time and effort to me.

    1. Dave 126 Silver badge

      Re: brewed coffee from the command line

      The history of the internet is lost on you. The world's first 'webcam' was rigged up at MIT to see the level of coffee in a filter machine.

      https://en.wikipedia.org/wiki/Trojan_Room_coffee_pot

      Right, I'm off now to use my Aeropress. I might give it a quick check for security flaws whilst I'm at it, but I'm fairly relaxed about it!

      1. Martin-R

        Re: brewed coffee from the command line

        Error, wrong Cambridge...

      2. richardcox13

        Re: brewed coffee from the command line

        > The world's first 'webcam' was rigged up at MIT to see the level of coffee in a filter machine.

        You linked to the page which in the *first sentence* says Cambridge University. Which is named for Cambridge England.

        A certain location in New England is also named for the city, and there is apparently also a seat of learning there. But the coffee pot and webcam existed in the original.

        1. Dave 126 Silver badge

          Re: brewed coffee from the command line

          Thanks for the correction, guys!

          (I had read the wiki page in the past having heard of the coffee pot long ago, but I didn't read it today. As could be inferred from my post, it was written before I had drunk any coffee. That situation has now been corrected.)

      3. Anonymous Coward

        Re: brewed coffee from the command line

        Wrong Cambridge - It was Cambridge University in the UK

      4. Trigonoceps occipitalis

        Re: brewed coffee from the command line

        I knew I was getting old when the Trojan Room Coffee Pot went off line. JenniCam, where are you?

  3. Mark Solaris

    Extrapolating...

    The command line in the video was "coffee make".

    For dinner he bashes out a "deadbeef cook".

    1. MrDamage

      Re: Extrapolating...

      Unless his GF is a vegetarian, then it's something like:

      10 heat cooker

      20 delete tofu

      30 cook cow

      1. Putters

        Re: Extrapolating...

        He's freely spending his time hacking his coffee machine so he can order it what to do from the command line and you think he has a girlfriend ?!?

    2. dajames Silver badge

      Re: Extrapolating...

      > The command line in the video was "coffee make".

      > For dinner he bashes out a "deadbeef cook".

      Well, I guess:

      make coffee

      builds the application, and

      coffee make

      runs it with the argument "make"

      That's, you know, how commandline stuff works.

      1. David Harper 1

        Re: Extrapolating...

        Or perhaps he's a secret FORTH programmer? Or an admirer of Master Yoda.

      2. Law

        Re: Extrapolating...

        replicator: tea -type earlgrey -temp hot

        1. Anonymous Coward

          Re: Extrapolating...

          Voice is easier, I'm Getting a GoPro

          https://www.youtube.com/watch?v=Zm3QjYf1AVY

          1. TRT Silver badge

            Re: does it grind beans?

            Load Java

    3. Doctor Syntax Silver badge

      Re: Extrapolating...

      "The command line in the video was "coffee make"."

      Just as well it's not the other way round unless he had a Makefile with a target of coffee.

  4. Voland's right hand Silver badge

    Nuff said

    Even if the mobile app requires you to register an account, access to port 2081 is completely unauthenticated

    Welcome to the world of IoT as done by clueless vendors.

    1. Pascal Monett Silver badge
      Facepalm

      And people still ask me why I don't want any IoT.

      <sigh>

    2. Adam 1 Silver badge

      Re: Nuff said

      Oh it's worse than you think. You can flash the whole machine, permitting a malicious actor (whom I will assert to be a nation state because that seems to be the thing™) to change settings so it always makes American coffee.

      The bastards...

      1. This post has been deleted by its author

      2. Hans 1 Silver badge
        Facepalm

        Re: Nuff said

        >it always makes American coffee.

        Don't be silly, who is to transport the dirty socks from the laundry to the machine ?

  5. rob_leady
    Facepalm

    Why aren't they following the standards ?!

    I do wonder why the IETF bother coming up with all these standards, when manufacturers just seem to ignore them...

    Hyper Text Coffee Pot Control Protocol

    1. David Roberts Silver badge

      Re: Why aren't they following the standards ?!

      Thank you.

      I had forgotten about that. Very entertaining read.

    2. Doctor Syntax Silver badge

      Re: Why aren't they following the standards ?!

      "Hyper Text Coffee Pot Control Protocol"

      It's not a standard:

      "Status of this Memo

      This memo provides information for the Internet community. It does

      not specify an Internet standard of any kind. Distribution of this

      memo is unlimited."

    3. Stoneshop Silver badge
      Facepalm

      Re: Why aren't they following the standards ?!

      Because standards are for you, as an idIoT developer, to make it so that your Proprietary Protocol doesn't accidentally overlap with any of them, because, you know, reasons.

    4. Down not across Silver badge

      Re: Why aren't they following the standards ?!

      Couldn't agree more. It should also support being integrated into network management system/monitoring via SNMP :-)

    5. John Gamble
      Boffin

      Re: Why aren't they following the standards ?!

      Well, the RFC is nearly nineteen years old, so some of the proposals are out of date.

      Having said that, I agree that the "coffee:" URI scheme should be implemented immediately.

    6. Adam 1 Silver badge

      Re: Why aren't they following the standards ?!

      You assume that the standard has been ignored, but I have seen no evidence that this "researcher" has even set the evil bit correctly.

      https://www.ietf.org/rfc/rfc3514.txt

      1. Steve the Cynic Silver badge

        Re: Why aren't they following the standards ?!

        And he hasn't used avian carriers either.

        https://www.ietf.org/rfc/rfc1149.txt

        (I know the numbers of two different RFCs by heart. One is 7112, a deeply boring blither about IPv6 fragmentation as it applies to extension headers. The other is Avian Carriers.)

    7. Hans 1 Silver badge

      Re: Why aren't they following the standards ?!

      I searched the comment section for HTTP 418 and found nothing, so posted that same idea ... incidentally, my post added directly above yours ...

      Anyway, how about:

      HTTP 449 e.g. retry with no milk, when the machine is out of milk ?

  6. Ian Bush
    Pint

    Make coffee

    Given the explosion of caffeine options since I were a lad I'm surprised he didn't do this via the standard Unix build automation tool. Then he could do things like

    make coffee

    or

    make cappuccino

    or

    make Venti-Iced-Skinny-Hazelnut-Macchiato-Sugar-Free-Syrup-Extra-Shot-Light-Ice-No-Whip

    if he so wanted

    1. Pen-y-gors Silver badge

      Re: Make coffee

      > make Venti-Iced-Skinny-Hazelnut-Macchiato-Sugar-Free-Syrup-Extra-Shot-Light-Ice-No-Whip

      I thought it was meant for making coffee.

      1. Paul Crawford Silver badge
        Gimp

        Re: Make coffee

        > I thought it was meant for making coffee.

        Indeed, last time I ordered that I could not sit properly for 3 days...

    2. Stoneshop Silver badge
      Holmes

      Re: Make coffee

      Given that most of these StarSucks-originating fluid recipes have less resemblance to coffee than what gets pumped out of a washing machine during its rinse cycle, it's just as well that there are separate $make targets, and not some weird branching within $make coffee based on an environment variable.

    3. wikkity

      Re: Make coffee

      No, strong black coffee would be

      make coffee

      That other nonsense requires a bit more effort, though there is probably a TCL gui front end somewhere:

      ./configure --with-hazelnut --with-sugar --without-caffine --strength=weak

      make coffee

  7. Anonymous Coward

    It's not passwords then ..

    .. that will leak, but coffee, unless that machine detects if there is actually a cup or can present.

    He may be better, of course, but I know that I'm prone to fairly "duh" type mistakes before my first cup, and if I ended late it's not guaranteed I prepped the machine :).

    That said, I am a fan of the let's-make-a-complete-jug-in-one-go machines, if for no other reason than they're quieter when they make coffee. If post weekend even Alka Seltzers are too loud, I don't want a noisy coffee machine either. And you can get a second cup RIGHT NOW without having to wait.

    No, the first can is mine. Go away.

    1. Stoneshop Silver badge
      Boffin

      Re: It's not passwords then ..

      > that will leak, but coffee, unless that machine detects if there is actually a cup or can present.

      Teasmades are actually fairly resistant against failure in setting up the machine, discounting actually flipping the right switches the right way. But it senses the pot and the kettle being in their respective positions; if not it won't power up the kettle.

      I haven't seen a coffee maker that used such a safety measure.

    2. CrazyOldCatMan Silver badge

      Re: It's not passwords then ..

      > I am a fan of the let's-make-a-complete-jug-in-one-go machines

      I was until I realised that it was filter coffee that was giving me (more) migraines. Oddly enough, pumped-type espresso machines don't do that so I have one of those now.

  8. Pen-y-gors Silver badge

    This is bad

    Something like this is a potential killer. About the only exercise I get is walking to the kitchen to make/fetch another coffee. Without that I'll die. (well, I'll die anyway, but sooner than need be) And as a bonus I can run the washing machine/dishwasher/dryer while I wait for the kettle to boil and the coffee to brew (my cafetiere is internet connected using the special AirGap (TM) technology)

    1. Bronek Kozicki Silver badge

      Re: This is bad

      If you are genuinely concerned about your lifestyle, you should know that the amount of walking necessary to grab a coffee or performing minimal house chores is nowhere close to actual exercise.

      1. Anonymous Coward

        Re: This is bad

        Bollocks. It's an exercise in futility. Which is an exercise regardless of futility.

      2. Anonymous Coward

        Re: This is bad

        @Bronek Kozicki; "the amount of walking necessary to grab a coffee or performing minimal house chores is nowhere close to actual exercise."

        "Whoosh whoosh" go the jokes as they fly above your head. (^_^)

        1. Bronek Kozicki Silver badge
          Facepalm

          Re: This is bad

          see icon ->

    2. Doctor Syntax Silver badge

      Re: This is bad

      "I can run the washing machine/dishwasher/dryer"

      All in one? Have you got a patent on that?

      1. Fred Flintstone Gold badge

        Re: This is bad

        > "I can run the washing machine/dishwasher/dryer"

        > All in one? Have you got a patent on that?

        No, but a lot of broken dishes.

        :)

  9. Anonymous South African Coward Silver badge

    next step : play ZORK on your coffee machine while it's brewing a cuppa...

  10. Anonymous Coward

    On the same network as the coffee machine...

    'Nuff said.

    Not finding it easy to see the benefit in lots of this IoT stuff.

    I want to, but making coffee is hardly a big deal.

    1. Anonymous Coward

      Re: On the same network as the coffee machine...

      > making coffee is hardly a big deal

      You haven't met me before my first coffee, clearly..

    2. Wensleydale Cheese Silver badge

      Re: On the same network as the coffee machine...

      "making coffee is hardly a big deal"

      It's a very big deal in this house.

      Which is why we try to keep it as simple as possible.

      Complete with backup systems:

      If the coffee machine fails, there's the kettle plus a cafetière (aka French Press).

      If there's no electricity, there's the gas cooker plus aforementioned cafetière.

      (Yes, we have a spare cafetière)

  11. BinkyTheHorse
    Facepalm

    One of these things is not like the other...

    "His hacking did not uncover serious security bugs [...]"

    "[...] but it would let fellow hackers on the same network as the coffee machine to mess with its firmware without requiring authentication, [...]"

    That's literally the same sentence (plus the "access to port 2081 is completely unauthenticated")!

    Have security standards changed over the weekend so that "free access on local network" is not a "serious issue" anymore?

    1. Swarthy Silver badge
      Devil

      Re: One of these things is not like the other...

      Compared to "free access via the Internet", "free access on local network" is not a serious issue.

      It can be mitigated by securing your local network.

  12. David Roberts Silver badge

    Not true IoT

    If it doesn't have a gateway to a cloud server.

    1. PAKennedy

      Re: Not true IoT

      You think he hasn't got a port forward to set it off as he enters the building?

  13. Joe Montana

    Security bug?

    "His hacking did not uncover serious security bugs but it would let fellow hackers on the same network as the coffee machine to mess with its firmware without requiring authentication"

    Personally I'd consider the ability to push new firmware to a device without authentication to be an extremely serious security bug... Your new firmware could do *anything*

    1. Anonymous Coward

      Re: Security bug?

      Yeah, it could switch to decaff

      1. Adam 1 Silver badge

        Re: Security bug?

        Don't even make jokes about such matters. Someone should report him.

  14. Version 1.0 Silver badge

    "Would you like to play a game?"

    I guess this beats dialing into WOPR even if my first item on the War Operation Plan Response prep list would be to make a pot of coffee.

  15. PassiveSmoking

    Entity may be short and stout

    That's all well and good, but does it implement RFC 2324?

    https://tools.ietf.org/html/rfc2324

    1. Anonymous Coward

      Re: Entity may be short and stout

      > That's all well and good, but does it implement RFC 2324?

      If you can also get it to support RFC 6214 I would really be impressed, and it makes packet tracing easier. It may give the coffee a funny taste, though.

      :)

  16. Pete 2 Silver badge

    Networked, but not joined up

    > Since I work from home, most of the times ...

    The guy wrote a command line app so he can spend more time bash[groan]-ing out code.

    However, he still has to get up from his chair, walk over to the machine and collect his freshly brewed coffee.

    A more sensible approach would simply be to put the machine near his desk.

    1. Wensleydale Cheese Silver badge

      Re: Networked, but not joined up

      "A more sensible approach would simply be to put the machine near his desk."

      That potentially takes "You owe me a new keyboard" to new levels.

  17. liamprincetech

    Dad Joke:

    Surely the hack was written in java?

  18. Diogenes

    Enquiring minds want to know

    (so many comments & not yet one asking)

    Will his coffee machine play Crysis ?

  19. Duffy Moon

    I feel inadequate

    My coffee machine has just two buttons and two knobs. It's not networked at all. I feel like I'm missing out.

    1. qwertyuiop
      Coat

      Re: I feel inadequate

      "...and two knobs.." fnaar!

      Mine's the one with a copy of Viz in the pocket...

    2. Anonymous Coward

      Re: I feel inadequate

      Don't worry, you're probably not missing out just because you don't have two knobs.

      1. Teiwaz Silver badge
        Coat

        Re: I feel inadequate

        > Don't worry, you're probably not missing out just because you don't have two knobs.

        Ask a Kangaroo whether this is true......or maybe someone who's 'slept' with a kangaroo....

        ...ok, I've had too much coffee...I've my cloakroom ticket right here, Miss, no need to fetch the bouncers, and no, those aren't zoo staff chasing me.

    3. Anonymous Coward

      Re: I feel inadequate

      Mine has one knob, two buttons and a moveable but rigid foaming spout .. however the knob does switch two ways.

  20. Anonymous Coward

    Earth shattering news

    I hacked my convection oven to roast a chicken tonight. I followed every instruction on the packet to the letter. My intervention though was actually opening the oven door to put the chicken in. This was not mentioned on the instructions. Do I get a Nobel award or at least a first class masters for innovation?

    Hacking the IoT the modern way.

    Downvotes=approval

    My oven is not an IoT thingy, but the packaging is right on

  21. Antti Roppola

    Pipes?

    Does it support pipes? Maybe we can make C|N>K for real.

    http://www.catb.org/jargon/html/C/CNK.html

  22. Jamie Jones Silver badge
    Thumb Down

    Whatever

    I do almost everything via the command line,

    I also like coffee. In fact, I want one now.

    *walks to kitchen. Gets coffee*

    I'm back! Job done.

    *sigh* And IT geeks wonder why the rest of the world laugh at us...

  23. Daggerchild Silver badge
    Gimp

    If only...

    The story just causes a pang in my chest. People go "Ho Ho that's Amusing" but it painfully underscores to me all the things the GUI mindset prevents from existing..

    coffee make # yeah, but the app can do that so what's the point of a CLI?

    sleep 3600 ; coffee make && mailx -s "Yo, coffee!" user </dev/null # Well, okay, that's more useful, but the App probly has that too

    echo "coffee querylevel beans | grep -v full && sms linda 'Low on coffee. Can you pick some up on the way home?'" | at 4pm # Okay, look, that's in the next release.. but nobody wants it anyway!

    smsrcv linda | grep -i "Buy your own *ing coffee" && amazon --autobuy coffee # Wait, what?

    Imagination. Small bricks. 10 minutes. Huge possibilities. Permission denied.


Biting the hand that feeds IT © 1998–2019