Researchers have disclosed two remote code execution (RCE) vulnerabilities in a smart air fryer. The impacted vendor has not fixed the security issues.
RCEs could allow attackers to remotely deploy code, execute additional malware payloads, and eventually hijack a system.
While exploiting an RCE in consumer products may not have the same consequences as doing the same on a corporate network, it is highlighting the fact that even though these products are considered ‘smart,’ it does not mean they are safe.
Researchers from Cisco Talos described two RCEs in Cosori Smart Air Fryer, a connected kitchen gadget that users can use to remotely control cooking temperature, times, and settings of the smart cooker.
“An unauthenticated backdoor exists in the configuration server functionality of Cosori Smart 5.8-Quart Air Fryer CS158-AF 1.1.0. A specially crafted JSON object can lead to code execution. ”
An attacker can send a specially crafted script in a traffic packet to trigger this vulnerability and allows them to take control of the device.
The team has discovered two vulnerabilities, CVE-2020-28592 and CVE-2020-28593. The first vulnerability stems from the possibility to establish a connection with a device and enter a developer mode to later install a backdoor. The second is a heap-based overflow issue. Both issues are exploitable via crafted traffic packets, although local access may be required for easier exploitation, researchers note.
The vulnerabilities have now been disclosed but the company didn’t issue any fix. Talos researchers say Cosori did not “respond appropriately” within the 90-day vulnerability disclosure period, that’s why researchers went on to disclose the flaws publicly.
This case serves as proof of a far wider problem, the security gaps in Internet of Things (IoT) devices in our homes. Last week, Forescout researchers disclosed nine vulnerabilities in four TCP/IP stacks widely used by connected devices. The flaws impact over 100 million consumer, enterprise, and industrial devices.