Campbell Murray, technical director of BlackBerry-owned Encription, led the demo, his British accent confirming why a tea-making device had become the centre of attention.
Murray showed that common security flaws in the WiFi network, including the use of ‘0000’ as a password, enabled him and his colleague Fraser Winterborn, head of R&D at Encription, to compromise the kettle and capture insecure communications including the user’s location.
The entire hack took just 14 minutes. Murray pointed out that the key takeaway is that no evidence was left behind, and that “the only way to solve these issues is to prevent them”, which businesses fail to do.
“The [malware] sample appears to be targeting facilities that not only have software security in place, but physical security as well. ZKTeco is a global manufacturer of access control systems, including facial recognition, fingerprint scanners and RFID. If the sample is run on a workstation with ZKTeco’s ZKAccess software installed, the process will prematurely terminate.
“These systems would be heavily scrutinised by their administrators, and an infection on one of these machines would likely not go unnoticed,” suggest the researchers, Joseph Landry and Udi Shamir of security software and services company SentinelOne, who uncovered the malware.
“It exhibits traits seen in previous nation-state Rootkits, and appears to have been designed by multiple developers with high-level skills and access to considerable resources.”