Hacker News
The fresh smell of ransomed coffee (avast.io)
143 points by zdw on Sept 26, 2020 | 178 comments



The (editorialized) current HN title ("Coffee makers are demanding ransom") implies that this is an in-the-wild attack.

It's just another PoC showing that IoT devices tend to have bad security.

In-the-wild ransomware would be interesting news because the same fragmentation that makes it unprofitable to secure devices (too few devices sold of each vendor/model for the vendor to invest serious money in security) makes it unprofitable to attack most devices.

Ransomware is particularly pointless for non-critical devices like a coffee maker. I could see it working e.g. with something controlling heating that isn't easily bypassable (pay us now, or by the time you get a tech out your pipes will be frozen and your house ruined), or something that can otherwise cause harm before the user can disable it (which is likely rare).

With a coffee maker, you can easily unplug the device (preventing it from doing further harm/threatening to burn your house down), put it in a box, and ship it to the vendor to fix it.


We changed the title to a substring of the title ("Coffee makers are demanding a ransom") to make it less baity but I see how that could be misleading. I've attempted to disambiguate it above.

Edit: perhaps a better solution is to change to the original source, pointed out by commenters in this thread. We've changed to that from https://arstechnica.com/information-technology/2020/09/how-a....


I thought it might be about Keurig, whose coffeemakers don't brew unauthorized coffee.


> unauthorized coffee

This sounds like good coffee.


You have a heck of a brand name on your hands... trademark!


It’s in a similar vein to Roasted Addiqtion. “By the hit, by the gram, by the kilo”.

It’s a pity they went with the ‘q’ imho.

https://roastedaddiqtion.co.nz/


This was actually a nod to Cory Doctorow's book: https://craphound.com/unauthorizedbread/


Oh, thanks. The HN thread when that came out was good (see below). The list of books by the author has such a good collection of covers.

https://news.ycombinator.com/item?id=23985140


Came here to say exactly this...it's still a click-baity title.

This really has nothing to do with demanding ransom. You could hack a website leaving a message and claim they could "Demand a ransom".

Quite simply this is just the ease of hacking IoT devices which unfortunately is not new and has happened with every industry as it becomes "connected" (cars, homes, etc).

I would have clicked if it said merely "IoT /s/Home Devices /Coffee Makers/ easily hacked" but the "ransom" aspect is purely to heighten the fear, arguably even in the article itself.

This reminds me of the Range Rover when they reported on it as if they had taken over a Jeep "in-the-wild" where in reality it was a very controlled scenario and arguably much more sophisticated. Even then it wasn't as sensational as this (just my opinion).


Demand a ransom of $2 to make coffee first thing in the morning, when people don't want to have their routine interrupted. Repeat rarely so that the victim won't prioritize replacing the machine. Instant subscription-based startup, no hardware dev cost.


"I have to be in the car in 20 minutes. Seems like a good time to install bitcoin to pay this guy $2" - said no one ever.


Although removing nags/advertising is a business model.



DDoS botnets are a lot easier than ransomware. They don't have to communicate with the user and don't need a credible threat. Many devices that simply don't have a realistic ransom threat are usable for those, and the same code can potentially be reused across completely different classes of devices as long as they run the same underlying OS.

They also often don't cause problems for the user, so the user - and as a result, the vendor - doesn't have a strong incentive to avoid them.


You understand the technology.

The average person does not.

The coffee maker can be programmed to tell the user they have to pay or XYZ will happen.

Some will believe them and pay.


The set of people who have that specific coffee machine is pretty small. The set of people who have that specific machine, will be able to send you the money without calling someone more competent first, yet are not smart enough to unplug it, is simply not worth the criminal's time.

What would you make "XYZ" to convince a reasonable number of users to pay you, instead of unplugging the machine and optionally removing it from their house through the nearest window?


I suppose this PoC shows how bad it can be, and you should ask, would a machine from a "major manufacturer" be any better, or how high do you think the chances are that the product manager from that major manufacturer would just look for the cheapest vendor offering IoT, and would be fooled by the sales people saying "Oh yeah, our software is very secure!" (they'll tell him this lie over the Zoom meeting that has "end to end encryption"...).

And showing the face of the devil and saying "Gimme money" is an obvious PoC. In 5 years the error message will be "Problem 0xDF. Please contact support at [scammer's number]". And then? Sending a fake repairman with a hefty bill would take too much time, how about a remote "repair" and a repair bill?

"We can send someone out to repair it, but that'll take 2 weeks. Or we can do it over the Internet in 5 minutes, but it will cost $10, which would you prefer?".


So now the criminal earned $10 each, from maybe 10% of the device owners that they managed to hit.

Balance that with the cost of developing the attack, the software, the phone scripts, the infrastructure for handling the calls and money collection, ...

Also, how would the attacker collect payment? Bitcoin/gift cards break the conversion rate, and credit card will get killed by chargebacks once the attack becomes well known.


Yes, but HN is not for technically naive people. Thus a populist headline style isn't helpful to HN readers.


I just bought a Keurig and there is no screen to display such a message, so the set of people this would theoretically affect is even smaller than the initial thought experiment...


With Keurig the ransom is paid by the coffee pod manufacturers.

https://en.wikipedia.org/wiki/Keurig#Legal_and_media_issues


I once asked the author of “Magical Objects” - a book proselytizing about the future of IoT - about security. He blew it off, saying something along the lines of “Security isn’t really necessary for these devices, but I’m sure someone’s working on it.”

And thus we are here. When the evangelists don’t care about security, the industry won’t care about security. Well, maybe it’s the other way around. In either case, nobody in the industry cares about security.


Frequently presented arguments:

Worrying about things like security would adversely impact your time-to-market.

Security isn't a feature---it has to be baked in from the ground floor and isn't apparent to the end user except as an annoyance.

Security is a difficult problem that requires at least some minimum of knowledge and experience---knowledge and experience that are unrelated to the device or the development of its new features.

There is no financial or professional upside to paying for security, and no financial downside to not doing so.

Security is always regarded as a magic-bullet topic; there must be some magic pixie dust to sprinkle on the device to make security problems disappear. Like firewalls, VPNs, and encryption.

Security problems have two advantages. First, they are rather rare and something that happens to other people. Second, they are easy to push off onto the end user: "Well, har, har, you wouldn't have this problem if you had just..."

The devices themselves are regarded in black-or-white terms: either a coffeemaker with multiple processors is the best thing since Attila the Hun invented the pillage, or the whole idea is more idiotic than selling a fish a bicycle. No one is interested in a middleground, cost-benefit analysis.

Yes, many of these put the responsibility for the (lack of) security of devices on the engineers and developers. That's why we get paid the big bucks.


Just curious, what year did that conversation take place?


Around 2015. Enchanted Objects by David Rose


I’m often a Luddite regarding smart versions of simple electronics, but at least part of the issue is how cumbersome “dumb” versions have become relative to modern software. The knobs on my gas stove are intuitive, yes, but the buttons on my dumb microwave are not. It takes trial-and-error every six months to adjust the clock for DST. I bought a $30 Casio watch recently, specifically for the hourly chime so I don’t miss Zoom meetings while away from my laptop. It works great, but when I wanted to disable the chime on vacation I had to download a large, unsearchable PDF manual on my iPhone because I couldn’t figure it out. And this is an interface that, presumably, has been honed by decades of use by billions of people. It wasn’t enough of an issue to make me consider an Apple Watch or the like, but it’s made me more sympathetic to people who gravitate to modern, frivolous-seeming electronics by default. To a security-naive buyer (i.e., everyone), “smart” often means “usable without a manual”. I imagine this is doubly true for someone younger who isn’t used to electronics with highly constrained UIs.


I bought an oven. I wanted one without many settings, “make it hot, make it hotter, off” type scenario. I found a Smeg one that had just two knobs and seemed ok. It turns out that they got all the settings in, but the interface is the two knobs. Click, click and hold, click and hold while twiddling the other knob etc. Changing the clock with the manual in hand is still hard.


Even if it is usable without a manual, adjusting a timer switch hidden behind the couch using its LCD display and buttons is a lot less comfortable than using an app, if you do it frequently enough.

There are things where IoT was added to make them appear more modern, and things where it actually makes sense.

For the microwave, for example, I'd argue IoT would still be the wrong choice, because figuring out the magic buttons for setting the time twice a year is less work than dealing with the overhead of IoT (updating their app, managing the account when it breaks, etc.).


I've operated a bunch of button-equipped microwaves in my life and while changing the clock is a nuisance (and arguably, neither the microwave nor the electric oven should have clocks in the first place!), it's a great interface for its day-to-day use, i.e. heating stuff up.

The tactile and audio feedback, coupled with low modality and high reliability, means you can operate it without looking. On the microwaves I owned, I'd start keying in times with one hand while the other hand was still putting the food in, and closing the lid doors would coincide with me pressing <Start>.

That's not an experience you can replicate with an app. Phones themselves aren't ergonomic enough, and even if they were, app creators generally don't know how to design ergonomic user interfaces.


>and arguably, neither the microwave nor the electric oven should have clocks in the first place!

The microwave clock was the centerpiece of my childhood home. I legitimately don't think we had another way of telling time in the common areas.


The microwave was also the first digital clock we ever had in my childhood home, and was prominent in the kitchen. I do remember it fondly, but then again, we also had analog clocks around the house. It was a hassle to keep them all in sync ;).

But the problem I now see is that a kitchen today can have half a dozen clocks in it now, because a lot of appliances ship with one.


My experience is that the smarter the device, the worse the UX. Smart UIs are laggy and fewer buttons/knobs usually means more fumbling in order to do anything.

Also, touchscreens assume reasonably clean, dry and ungloved hands. This mixes poorly with kitchens.


> "The knobs on my gas stove are intuitive, yes, but the buttons on my dumb microwave are not. It takes trial-and-error every six months to adjust the clock for DST."

Not really related to the topic but there are microwaves out there with a well implemented dial control, e.g. some Panasonic models. Worth every penny for a device I use so frequently.


I still don't understand the value proposition of an IoT kitchen appliance.

This thing vs a $10 French Press in particular, but even internet connected crock pots and things. Monitoring my cooking food from across town doesn't solve any problem - if something goes wrong, there's nothing I can do about it and I've just added stress to my life that wasn't there previously.


In a perfect world, where IoT stands for Intranet of Things, IoT companies do actual engineering, and turning products into services is illegal?

In that world, the use case isn't cooking food from across town. It's cooking food from another room.

I'm sitting in my home office right now. I'm working (well, on a HN break :)). My wife is playing with our child. I'm thirsty and I want a cup of tea now. My choices are either to distract myself for a couple minutes, which is annoying if the thirst hits when I'm "in the zone". Or I could ask my wife, but she has better things to do and I don't like interrupting people unless it's necessary. In this perfect world I described at the beginning, I could just press a button on my keyboard to start the kettle, and would get a pop-up notification once the water is ready. I'd just get up and get my tea without losing focus, and without distracting anyone else.

Similar reasoning for other appliances.

Unfortunately, the way IoT is developing, I don't expect that future any time soon, because some of the features are in opposition to the business model under which IoT companies operate. A better bet for me would be to get an EE degree and mod the appliances myself (I'm not doing it now, because I'm afraid of letting my contraptions control anything that's connected to mains, or could otherwise start a fire).

EDIT:

Another way of putting the value proposition of IoT in a sane world: rich people hire assistants to handle trivial and distracting errands. IoT is supposed to be an equivalent of that, but available to everyone.


Technology creates its own addicts. I'm pretty sure someone is now collecting the information about dishes they made and calculating the calories cooked for the last year, etc.


Well, ideally your appliance is also IoT, so you can just shut it down.

The dream is for everything to be interconnected. Of course, that's also the nightmare


I suppose, I was thinking the appliance caught fire (neighbor's electric kettle did this a few years ago, not IoT). Shutting it off doesn't put out the fire. Or, soup boils over the edge of the pot - I have to clean that mess either way.

Maybe once IoT is sufficiently advanced, with robots and stuff, it turns into the "household servants for the Every Man" noted above.

And I'm not anti-tech. I have some IoT stuff (cameras) that serve no real purpose other than "look, I have cameras!"


Again, ideally, everything is so well connected you'd just stop the problem before it occurs, with sufficiently smart devices. E.g., your pot detects the rise, and sees it's about to overflow, it can signal the stove to lower the heat. Same with the kettle -- it catches fire when it runs out of water, but stays on. A "smart" kettle could detect that, and shut down before the fire starts. Of course, after the fire, there's nothing it can do... but targeting the cause rather than the symptom has potential, for probably many issues.

But to be clear, I'm not advocating anything -- I'm just describing why IoT is a thing, and people get excited for. I don't actually believe this universe will really exist anytime soon, as it requires "sufficiently intelligent" technology and communication, which really almost starts to approach knowing how to cook your food for you to accomplish anything non-trivial

But the belief is what drives this tech.


That's not my dream. I don't care in the slightest about everything being interconnected. I have only known one person who wanted that, and he worked with home-automation.


>That's not my dream. I don't care in the slightest about everything being interconnected.

Great for you, I guess. I wasn't really suggesting it was.

I was stating the ideal universe that these IoT devices want to exist in, in which their goals & operations start to make more sense.


This is how I feel about the security cameras we have at my house. Initially I got very anxious every time a (usually false-positive) alert arrived; now I'm so desensitized I basically ignore them. I know when my house or garage gets burglarized I'll have some nice, grainy over-exposed videos of the entire event but no real advantage over where I was before.


I have 3 cameras that I find useful.

1. A weird part of the exterior. I don't physically walk back there often, so the camera is handy.

2. One at the mailbox/package drop spot. Not for theft, just to know when my packages arrive.

3. One in the "mechanical" room so I can check in while I'm away (we have hydronic heat, so we can't fully turn the water off in the winter).


I have two. They serve mostly as a notification system for somebody in the house that I'm not expecting, but not a security problem (housekeeper, adult son drops by for some reason, neighborhood friend drops off a roll of fabric for my wife - but that's everybody with a key, so like I said, not a security thing).


It will also hopefully be time stamped. Video cameras for porch pirates seems to pay off well, though making a big mail box for your porch is probably more effective.


I really question more the risk reward trade off of these devices. What is having an internet connected coffee maker buying me? Are the minutes saved per month worth the security risk it’s exposing me to? This coupled with the knowledge that these are mostly discount devices made with the least amount of ongoing support intended, you pretty much know you’re set up for a disaster.

Additionally, I was finding most of these devices were actually increasing the time it took to do something rather than enabling some impossible interaction.

I’m short on IoT except for industrial usage, where you are displacing an inspector or a manual data collection. That said those spaces are just as bad as the home devices.


> What is having an internet connected coffee maker buying me?

One "cool" point with your friends.

"Check this out dudes! Alexa! Brew coffee"

And when Alexa responds with, "Please add water", you lose two cool points and end up in a deficit.

If you need to remote start your coffee pot, you need to get your life a little more together. If you need remote notifications that coffee is done, the same applies. It's not hard to plan around "Coffee takes about 15 minutes to brew, so I start it before I hop in the shower".


Let's not throw the baby out with the bathwater. I'd really appreciate it if my electric kettle could send me a notification when it's done, because waiting for it to boil is three to five minutes I could be spending e.g. listening to music with my headphones on.

Same applies to other household appliances: the dishwasher, the oven, the washing machine. All I want is to have a set of icons in my computer's tray that change color when a given device is done. This would let me stop scheduling life around the machines, or having to keep the doors to the home office open and headphones off to hear the various beeps. Instead, I could set them to do the work, and go back to doing my stuff fully focused.

In a sane world where tech companies practice anything resembling solid engineering, this would not require the devices to have an Internet connection. Working over LAN with standardized (and already existing) protocols is all that's required. In this world, I don't have any of the conveniences described above, because I'm not crazy or gullible enough to buy an IoT appliance.


> All I want is to have a set of icons in my computer's tray that change color when a given device is done.

I used to be here, had goals of "Tony Stark-ing" as much of my home automation as I could and managed to succeed in a lot of ways.

What's weird is where I used to be 50/50 WFH thanks to successfully negotiating it in my hiring, going 100% WFH has made me really appreciate having analog "chores" to do that have nothing to do with the world of digital technology that consumes 8-10 hours of the day. In fact I've started looking forward to them.

The side effects have been interesting, the chores went from "I gotta clear out the dishwasher otherwise I'll have nothing to cook with, I wish I could automate this" to "I'm gonna tidy up and put on some Chuck Mingus because it's a nice break from Zoom calls" and has introduced a lot of deliberate-ness to my world that didn't exist before. And I like it.

Anybody else reach this inflection point in their day to day yet having gone full-remote?


I get what you mean - I know people with similar views. So please read my comments as written by someone who's just wired differently.

For me, the perfect break from 8 hours of work isn't analog chores. It's playing a videogame. Or working on a side project. Or reading a book. I don't know why that is, perhaps because I just don't tire in front of computers: I can stare at a screen for 16+ hours and my eyes don't even get dry (I contrast that to some of my co-workers from previous jobs, who'd have to take breaks to put saline drops in their eyes near the end of the work day).

This of course puts me in a risk group - I have to actively manage myself to not become a couch potato. I've been working from home for more than 3 years now, so I know I can easily do the "work -> videogame -> sleep -> repeat" routine without ever getting away from a computer for more than 15 minutes. Being married definitely helps with ensuring I don't spend the whole day in front of the screen.

But the bottom line is: even after an exhausting day, I don't find rest in physical chores. Never had. So I welcome every opportunity to get rid of them, as I always feel I have more interesting stuff to do.


Yup, "different strokes for different folks" is very much a thing here, and I can't help wondering if we're going to see the wild and varying elements of the individualized-cyberfuture made popular in comics and video games arriving sooner than expected, or in entirely different forms than popularized, or even a new way entirely of discussing the "digital divide" at large.


I've got a huge tree that came down in a "1 in 500 year storm" lying outside my home office. I go out and chainsaw and axe it up some more whenever I need a break. Chopping firewood is about at the opposite end of the scale from coding, design or web site-ing.


I've worked from home most of my professional working life (20+ years). Some years less than 100%, some full-time.

I love manual chores. During RSI breaks, (previously pomodoro breaks), five minutes cleaning out the washer, hanging up laundry, weeding a patch of vegetables, pruning a shrub, chopping wood, collecting fruit, feeding chickens or just petting my cats.

E.g. plucking weeds in my garden gives me headspace to 'zoom out'. To see bigger pictures. Evaluate if 'my entire morning updating the linter' benefits the company at all (no). Or if performance really is an issue for customers in that area. Or if this idea for presentation-models really helps with velocity.


> I don't have any of the conveniences described above, because I'm not crazy or gullible enough to buy an IoT appliance.

It’s a deep hole when you fall in it, but you can have what you want.

ESP8266 and ESP32 chips can be made to do all sorts of magic and are very inexpensive and easily flashed.

There are a variety of options for programming them, from flashing with mostly-premade software (ESPHome) to doing it yourself with Arduino. Mine all tie into Home Assistant.

There are a range of sensors that do all sorts of things.

Mine post to a Slack channel for stuff I want to know about.

The time invested is vastly more than the time saved, but I love it.


I played a bit with the ESP family, and have done some little IoT experiments for myself. But I'm not an EE, I don't have much solid knowledge or experience around circuits, so I'm deadly afraid of having any of my contraptions control something connected to the mains, or which could otherwise start a fire. This leaves me with only some hacky ways to add sensing to existing devices.

(One of these days I'll figure out how to properly design battery-powered devices, and build some sensors that aren't hooked to wall warts.)


> I'm deadly afraid of having any of my contraptions control something connected to the mains, or which could otherwise start a fire

There is a flame sensor available for Arduino.

Bad jokes aside, it is annoying having wall warts and batteries aren’t a perfect solution either.

I’ve only wired one relay but it does give me pause.


My dishwasher is noisy and I live in a studio apartment, so prior to COVID[1], my policy was to start the cycle right before leaving for work in the morning. When this worked, I would come home to clean dishes and never have to hear any noise. On days when I forgot to start the dishwasher before leaving, I would come home to dirty dishes and have to wait before making dinner.

If I could schedule the dishwasher to start automatically at 10 am every weekday, that would be fantastic! If it could remind me to load detergent the night before, that would be even better. And if the dishwasher had a reservoir of detergent that I only had to refill once a month... I’m not saying these little enhancements would be life-changing or anything, and if they cost hundreds of dollars extra, I would certainly pass. But it would be nice.

——

1: (Now I work from home, so there’s no way to avoid hearing the dishwasher.)


Unless you put in ice water some days, and hot water others, physics is physics, and I guarantee it takes roughly the same amount of time, every time, and I doubt you have taken the time to time it - too busy saving time to save time, I imagine.

If it takes 3 minutes, press start, look at the clock, come back in 3 (or ~1 song later, if that's easier).

I don't mean to be rude, but if a task this simple is difficult for you to manage on your own, you might benefit from a little more organizing and self-discipline in your life.

To each their own (I don't know your life), but in my world, attempting to be "fully focused" every second of the day is a perfect recipe for burnout. Coffee, for me, is about not being fully focused. Like an intentional break from it (i.e, a "coffee break"). Taking the time to prep it, brew it, and drink it, is all a part of the process.

It's a fun experiment to try and optimize every minute of the day around productivity, but its untenable, long-term.


> If it takes 3 minutes, press start, look at the clock, come back in 3 (or ~1 song later, if that's easier).

Sure. And that's how I cope with life, really. My watch has a bunch of timers pre-configured on it - a Pomodoro timer, a "pizza in oven" timer, a "baguettes in oven" timer, an "instant noodles" timer, etc. But the list of timers keeps growing, and it's mildly annoying that I have to do it in the first place. So my argument here can be somewhat simplified to: in a world with working IoT, I wouldn't have to manage those timers.

> if a task this simple is difficult for you to manage on your own

I never said I can't manage it. I only said it's annoying to have to be waiting on the kettle. One more thing to juggle in your head.

> To each their own (I don't know your life), but in my world, attempting to be "fully focused" every second of the day is a perfect recipe for burnout.

I don't mean to be rude, but yeah, you don't know my life :).

I'm not trying to optimize my entire day to the minute (I actually did try that, I couldn't handle it - I'm not wired for rigid, inflexible schedules without space for randomness). But due to nature and nurture, I require a constant influx of fresh tea (I average roughly a cup an hour). I drink tea while doing the stuff I'm doing. So during the course of the day, it does intersect the times where I want to be focused - whether on work, on a side project, or on my family.

My philosophy of life is one of eliminating upkeep and maintenance work - things that distract me from what I want to be doing. So e.g. I use a dishwasher to spend less time cleaning up after cooking (and save some water too). "Eating good food" is the only goal I care about here - the cooking and the cleaning afterwards are both means to an end, and the less effort they take, the better. Under the same philosophy, I'd prefer if my kettle could be filled and triggered remotely, and flashed an icon on my desktop (or better, vibed my watch) when it's done.

And to be absolutely clear: we're talking ultimate "first world problem" level here. I'm not suffering because I have a manually operated kettle.


People have been using timers in the kitchen for generations. It's not simply the strict amount of time saved, but the mental cost, both in context switching and active attention.


> Let's not throw the baby out with the bathwater. I'd really appreciate if my electric kettle could send me a notification when it's done, because waiting for it to boil is three to five minutes I could be spending e.g. listening to the music with my headphones on.

“Siri, 5 minute timer”. Cross-platform solution.


I have a lot of such timers pre-set on my Pebble. I use them daily. But that's a workaround, not the peak of what's possible :).


I respect an individual’s choice and would never diminish it. Having utilized both techniques we are discussing, I can say holding the home button on a phone and issuing a voice command while walking away is a very different user experience than tapping several times on a watch to start a timer.

No matter what I need a notification about, it’s the same action every time if I’m boiling noodles or filling the bathtub or preheating the barbecue. No configuration necessary. I appreciate that level of simplicity.


I don't have an iPhone, and I don't like Google's voice assistant - it's not reliable enough for me.

FWIW, I have my Pebble workflow simplified to "long hold down button" as a shortcut to timer list, then scroll to the right timer, "long hold middle button" to start it. It takes about as much time as it takes me to fetch my phone from my pocket. Also, since I do Pomodoros during work day (to keep myself focused), the timer list is usually always open on my watch, so the flow reduces to just scrolling through the list and activating the right timer - i.e. roughly 2 seconds. And, after activating the timer, I don't have a phone to stow back into my pocket :).

(Also, since the timer is active and visible on my watch, I can give an immediate answer whenever my wife asks me how much longer is the cooking going to take :). That one was a side benefit I didn't initially expect.)

> No configuration necessary. I appreciate that level of simplicity.

Yeah, that's good. In my case, I achieve almost the equivalent through pre-configuration: over time I've accrued a bunch of pre-set timers that cover 95% of my day-to-day needs. I rarely need to create a new one.

Anyway, that's what works for me now. I'm not saying this is optimal for everyone.


I have an iKettle. It is not bad, but you need to keep it always at least half-full, for the thermostat to not swing too much.

You set the temp. on the app, and how long to keep warm once it reaches that temp, and it sends push notifications for when it is ready and also done warming.

I have not decompiled the app, nor attempted to MitM it yet.


This falls into over optimization for me. The kettle takes 4 minutes; I grind my coffee and prepare for the ritual of making it. The laundry can sit till I have the time to deal with it. The dishes can sit until I have the time to put them away. At most I’d pick up an hour this way. (Incidentally all of my appliances have their noises turned off.)

I also think it’s not tech companies making these devices; they are low margin commodities. And since you’re competing by adding a luxury like a notification on your phone, versus 4 minutes of your time, it’s hard to justify the larger margin.


The machine just needs a voice synthesizer to be able to talk to Google Home: https://youtu.be/oKNwqFFJaMU?t=50


I use smarthome based stuff for doing that when needed (I don't drink it myself, but have a maker for guests). I set it up the night before and have it go on with whatever alarms are going to happen so that the coffee is started when people are just waking up and half awake.


RFC 2324


RFC 2324 - Hyper Text Coffee Pot Control Protocol (HTCPCP/1.0)

https://tools.ietf.org/html/rfc2324


Too bad none of those IoT coffee makers implement this.


I forgot about this. Thanks for the reminder, and the laugh.


In some environments (specifically, an academic department I used to know), knowing whether the coffeemaker was brewing, ready, or empty would be important, with potentially career damaging consequences.


You can literally say that about anything that saves you a little time. In aggregate, all the time you save from small optimizations adds up to something non-trivial.


> I really question more the risk reward trade off of these devices. What is having an internet connected coffee maker buying me?

Presumably they're similar to smart TVs: some consumers may want them, but nearly all OEMs would rather sell a smart one than a dumb one


Smart TVs are different - people want netflix/hulu/disney+ built into their TV along with a bunch of other interfaces to play video with their remote. TV for lots of non tech savvy people comes over the internet now.

A lot of powered appliances either heat something up or spin a fan or pump. They don't need information from the internet and any slight advantage is outweighed by their complexity and cost.

I think you are right that manufacturers want to break free from being commodities. I think it is only a matter of time before people realize that they aren't gaining anything from complicating things that used to be simple.


The value from smart TVs is very clear, even if the privacy concerns are only clear to a few.

But a coffee machine, toaster or whatever... just... why?!

Even as a life-long techie, and putting aside privacy concerns, there isn't a single compelling reason to want my coffee machine to be connected to the Internet, or even my local network.


while you make some other good points, between

> "Smart TVs are different..."

and

> " think it is only a matter of time before people realize that they aren't gaining anything from complicating things that used to be simple."

you're making the same mistake of overgeneralizing, assuming that every (other) smart appliance can't have usefulness outside of its core, dumb functionality, based on one example of that being true.

hopefully we can agree that some smartened appliances benefit the consumer, though not all (as in the case of a coffee maker), even if manufacturers are incentivized to break out of the commodity box by smartifying all the things, consequences and functionality be damned.


> assuming that every (other) smart appliance can't have usefulness outside of its core, dumb functionality,

I'm not assuming that at all and it has nothing to do with smart TVs. Smart TVs are a place where having a computer inside is something people want.

I'm saying other appliances are different, not because there can't be a benefit, but because the benefits are much smaller and complexity to usefulness ratio is much smaller. Also operating most appliances remotely or with a more elaborate interface doesn't give much benefit. Thermostats might be somewhere in the middle since there is a lot of room for improvement, not just in setting up a schedule or setting them remotely, but in the information they give back to you (how many btus are you leaking out of your house over time, etc.)


Gresham's Law arrives in the kitchen?


If you are actually into coffee, you likely would not buy these devices. I consider them a novelty, but there are plenty of consumers who will end up with them as gifts. You can make way better coffee much cheaper or just buy a Moccamaster and be done with it forever. If you're into espresso, that's an entirely different rabbit hole (and much more expensive).


> end up with them as gifts.

So much potential to become a real trojan


> Is the minutes save per month worth the security risk it’s exposing me?

Agree with that. Especially if a hard problem stumps me, it's very refreshing to actually focus on making coffee for a few minutes. It clears the head to do something simple and different for a few minutes.


I'm still gobsmacked I can make coffee the night before and set a timer on my machine to make it in the morning. That's future magic.

The rest of the day, I want that routine. It's an excuse to go downstairs and play with my kid for five minutes.


You should know there is a coffee machine that can be set by a timer, that takes raw beans, roasts them to a set level of darkness, grinds them and makes a pot of coffee. I was given a broken one a while back, should probably get it working and hunt down a source of raw beans.


Cuisinart also makes one that takes roasted beans and does everything else. And having dated a girl who owned one and lived in a studio apartment, I can tell you that it also serves as the world's rudest alarm clock.


I've never used one of these fully automatic coffee makers that didn't make terrible, weak coffee.

Making good coffee isn't expensive and it isn't rocket science. It doesn't even have to be that fresh to still be good. But there are two corners you absolutely can't cut: if you skimp on the quantity of coffee, you waste all you've used; if you skimp on time, you waste all you've spent.

Though I've been drinking black coffee since my teens and never found it bitter when made right. The cream-and-sugar majority might disagree.


I don't think these devices save time at all. In the time it takes me to navigate through the touch-screen UIs of these fancy toys I can microwave a cup of instant coffee and start drinking it before the fancy machine starts brewing anything. The results are indistinguishable.


You can't distinguish between freshly-brewed coffee and microwaved instant coffee?


I can. I love all sorts of preparations, and really enjoy the broad range of flavor profiles out there. I only drink instant coffee when I'm staying at somebody's house. I don't insult their hospitality and drink it.

For many people, the cost (both labor and monetary) of "good" coffee doesn't come with a corresponding increase in their enjoyment. You won't change their mind.


Nope. Nor can I tell the difference in a blind taste test between white and red wine. Probably most wine snobs can't either, and probably most coffee snobs couldn't really tell the difference in a blind test.


If it were true in my case for instant coffee, I would be ALL over that.

Instant coffee is not even in the same category as brewed coffee. I am by no means a coffee snob. I do grind beans right before I brew, but they are the lowest priced beans I can find that taste good to me (which is reasonably cheap).

I'd love to just microwave a cup, but that stuff tastes nasty.


What are the two closest flavors that you can differentiate? Because those are some massive gaps in flavor to not taste any differently. Can you tell different brands of soda apart? Styles of beer? Does all liquor taste the same?


I haven't tasted cola in years; back when I drank it I believed I could tell the difference but today I doubt I ever could. I can tell a pilsner apart from a stout. All whiskey tastes like whiskey, but whiskey doesn't taste like gin.

I don't believe I have an impaired sense of taste. I'm just highly skeptical of the objectivity of my sense of taste. Marketing and branding probably have more influence than anything else when comparing two drinks in the same category (wine-to-wine, coffee-to-coffee, etc.)


You're referring to the Brochet experiment? That wasn't a blind test: the white wine was dyed red with a flavourless dye, so there was an element of deception involved.


I did with my family using blindfolds and we all failed. Either seems to demonstrate that perception of wine has a strong visual component.


> I did with my family

Biased sample. There are many confounding factors why if you cannot tell the difference, it is likely your family can’t either.

I do like the idea of testing my wine drinking friends, who are definitely not snobs. I would bet money they would mostly pick the difference between a normal: Oaked Chardonnay, Riesling, Sauvignon Blanc, and Cabernet Sauvignon. I suspect the red wine drinkers could tell some of the red wine varietals too (I would struggle there).


Taste sensitivity and perception is varied among humans and is also dependent on your genes. Cilantro, Brussels sprouts, super tasters, etc.


You can't tell the difference between a chardonnay and a burgundy?


> You can't tell the difference between a chardonnay and a burgundy?

Well, that's a bit of a strawman, isn't it, given it would typically boil down to "vanilla/not vanilla" for most chardonnays?


Only when I can see it..


I would take that bet. I'm prepared to believe there are wines that if the only question is 'white or red' I might not know, especially if an ambiguous temperature. (Most people are accustomed to drinking white 'too' cold, and red 'too' warm - so obviously in such a test you have to remove that cue, but then what do you choose and still get a good fair test?) but there are also wines that I could tell you which of two grapes it is with nothing but my teeth. (I wouldn't say I'm a snob, but I'm sure you'd disagree.. meh, whatever.)

Coffee.. geeze, much more so. If the only thing available is a jug of brewed coffeewater that you pump out nice and bubbly, as at hotel breakfast bars or conference centres, I have to really 'need' it, and then I pack it with sugar to take the taste away. (I don't ordinarily drink coffee with sugar at all.) Instant, I just can't drink. I could definitely tell you the difference between instant 'coffee' and real, it's not a case of having a preference and better 'notes' like 'essence of snobby bullshit' - one I would be able to drink, and the other I would want to spit out before it even hit my lips.


Not really a snob either way, but I'll take that bet for coffee. Probably for wine, too.


> Probably most wine snobs can't either, and probably most coffee snobs couldn't really tell the difference in a blind test.

I think you are concluding too much for the data points you have (of your personal experience).

I have a similar palate (lack thereof) like yours, but even my family members can tell when I've (say) used "too much" garlic in a recipe--when I can't even tell that the garlic is even there in the final product. (I only use it because the recipe says to.) Using a (e.g.) different marinade for chicken does not change my perception of it much when I chow down, but it does for others eating it.

I once heard the explanation that the 'flavour' of a food is made of the taste (tongue), aroma (smell), and even texture of a food. Adam Ragusa made a video on the smell part recently:

* https://www.youtube.com/watch?v=_O-E-7MMNyE

I suspect that I (and you given your descriptions) may have some kind of lowered sense of smell when it comes to intaking foods and beverages, and so do not perceive the "tastes" as much as some other people. For example I cannot tell the difference in a lager, stout, etc, types of beer (they're all 'yeast water' to me), but I know people who love beer so much that if you put down a random one in front of them they could ID the style and often the maker and make.

The flavours that do not exist in your experience may in fact do so for folks who have senses that are more sensitive than yours. Epicurious has a series of videos where experts do a blind taste test on "Cheap vs Expensive" products:

* https://www.youtube.com/playlist?list=PLz3-p2q6vFYUpr-f2wOSQ...

There certainly are folks that pre-judge things by simply knowing which is which beforehand, but to say that 'there are no differences' is swinging the pendulum the other way too much as well IMHO.

Find a few coffee gear testing reviews where they use the same beans, using the same grinder, and yet different brewers cause slightly different results as perceived by the testers.

America's Test Kitchen is a good source, as they often have a dozen-plus folks do blind tests to find the most-liked ("best") product.


I'm given instant sufficiently infrequently that it always comes as a shock -- I'll decline if I know it's going to be instant coffee, so I am indeed in the state of taking a mouthful of something that I expect to be regular coffee and discovering to my distaste that it's actually instant.

And I'm definitely not a coffee snob. But I can tell you that bog standard Tesco "house blend" coffee tastes nicer in a Philips Solimo machine than in an Aeropress, and nicer in the Aeropress than in a cafetière. And Amazon branded Solimo sachets aren't quite as nice as the ground coffee in the machine, but are good enough for every-day use.


IoT terrifies me and I'd never buy one of these internet-connected gizmos but let me play devil's advocate: you could be coming home from work and, as you know you're about 6 or 7 minutes away, you instruct the machine to make a cup of coffee so that it has time to cool, and maybe you also turn the AC on, etc. It's the exact fantasy being sold to people who buy them and it does, in a way, save time.

Although, personally, I'd question anyone buying these, much less taking out their phone while they're driving to tell a "smart" coffee maker to brew a cup.


In the UK we make instant coffee by putting water in an electric kettle, letting it boil, putting the instant coffee in a mug, adding the boiled water, optionally adding milk and sugar. (For ground coffee, we use a cafetiere.) But I've read that Americans don't have kettles.


Americans do have kettles, they just suck at 110V.


Why's that a problem?

Surely a kettle (ahem) boils down to a simple resistor (the heating element) that gets good and hot, boiling the water. P=VI, so if you halve the voltage (wrt the UK) you need to sink twice the current. I=V/R, so if you need to double the current (and voltage is fixed) you need to halve the resistance.

Is the problem that they're rare enough that they're all import kettles safe at 110 but designed for higher voltages?


The maximum current you can draw is based on the ratings of the plugs, cabling, fuses, circuit breakers, etc. Regular US appliances use less than 15A. I believe UK is similar at about 13A. The voltage available almost doubles the available power.


Yes, and a kettle is a likely candidate for the cause of a trip, but (in normal operation) the vast majority aren't near that, a little over half.

AmazonBasics kettle (first result for searching kettle) for example is rated 1.5kW.

I'm just sceptical that all American kettles can suck, and mains voltage be the cause. If that were the only reason, and otherwise you'd all love them, you'd have a 'kettle socket' on higher amperage, as for ovens (here too, 32A).


Yeah. American homes do have 240V across a split phase but this is virtually always used only for heavy appliances like electric ovens. Split phase 240V for countertop appliances isn't a thing and NEMA 14 outlets aren't installed in locations that would accommodate such appliances.


I thought to myself, “Did I leave the oven on?” I checked my phone, I had, and I turned it off without needing to go back home.

The fact that most IoT is shit doesn’t make IoT a stupid concept.


> I turned it off

Rather you sent a command in hopes that it would turn off, and hopefully it reports back correctly.

An IoT oven sounds like the worst possible home attack surface. Especially if it's a gas appliance.


Even just monitoring with no ability to switch would be helpful.


It’s not an IoT oven, it’s IoT power monitoring and switching. If you turn on the power to the oven that doesn’t turn it on.


That functionality also allows someone to turn your oven on while you're on holiday, but worth the risk in my opinion.


>Is the minutes save per month worth the security risk it’s exposing me?

Yes. The reality is that while this is a cool experimental hack, no one in reality is going to bother hacking other people's coffee makers.


I promise you some bored teenager will do just that.


That's where I’d start to learn hacking. Wifi, webcams and coffeepots are the gateway drug to more hardcore hacking



Or (with enough market penetration) to mine cryptocurrency. Or as an element of a DDoS attack. Or a ransomware attack.


"ESP8266 with AT modem firmware, 2 – STM32F05106 ARM Cortex M0"

Wow, it needs two 32bit CPUs to make my coffee.


WiFi is a difficult protocol, so it makes sense to use a radio coprocessor. The ESP8266 can also have trouble running non-trivial applications while reliably handling WiFi, and in 2020 a Cortex-M0 chip is probably at least as cost effective as an 8-bit micro.

They don't need those chips to make your coffee, they need them to connect to the internet and to avoid hiring expensive experts. 5 years from now this might use a single ESP32-S2, but it doesn't seem outrageous, especially when the machine also has a display.

Plus, as a bonus, you can use it to mine Monero! Small correction to the article, STM32F0s have a PLL so they aren't limited to the crystal's 8MHz frequency. They're rated for 48MHz, but you can also overclock them.


It seems to me that “controlling a coffee maker” is about the least resource-intensive application there is.

Processing UART traffic is more resource-intensive.


Yes, but that's when stock, before mining Monero.


> in 2020 a Cortex-M0 chip is probably at least as cost effective as an 8-bit micro

In many cases, more so. Economies of scale are such that there are many 32-bit MCUs that are cheaper than 8-bit ones with fewer resources.


Smells like someone is already brewing up a Doom install.


It's simply cheaper that way.

A standard, more powerful part is usually much cheaper than having to do more customization, and these CPUs are so cheap that making it cheaper simply doesn't matter anymore.

For projects made in small quantities, as soon as you need a touch display, throwing an Android phone at the problem is often the right solution, even if you just need something extremely trivial. Sure, I could do it with an 8-bit microcontroller and physical buttons, but by the time I've designed a custom board for it, the time I spent was worth more than the phone.


It's still funny though. It's got more horsepower than an SMP RISC box from the early 90s that would have powered a top 100 website. And probably could have controlled a room full of coffee makers.


I just see technology is to the point that processors of this nature are so common we can waste them in coffee makers.

we have coffee makers more powerful than the first computers I used in school!


No.

They sell you 32 bit CPUs to make your coffee. It's more profitable that way. You don't need any IoT nonsense to make coffee.


Tbh it might be best if we saw something like the FDA for consumer electronics.

I don't worry that much about the food I eat because my tax dollars are spent to ensure that it meets a quality bar.

Relying on the market to do that would put really high cost or high risk on each individual consumer. Imo it's much better to just be able to trust that everything you can buy meets a bare minimum, unless specifically unregulated.


Isn't the FTC already "the FDA for consumer electronics"? Or are you hoping for an agency that is solely focused on electronic devices?


I know the FTC regulates stuff like what frequencies something is broadcasting on, and on some of the broadcast spectrums they also regulate what is said. What else do they regulate?


They have the very broad mission of "preventing anticompetitive, deceptive, and unfair business practices" which includes electronics but not a strong focus. Upon looking into it further, the few big cases I was remembering were privacy related rather than consumer electronics [1][2]. They also set energy standards and vet environmental marketing claims but that doesn't really match the approve/deny role that the FDA does.

[1] https://en.wikipedia.org/wiki/In_re_Sears_Holdings_Managemen....

[2] https://en.wikipedia.org/wiki/In_re_Gateway_Learning_Corp.


Perhaps something similar to UL, linked to insurance contracts?


Let's just hope the heating pad has a temperature cutoff independent from the software, otherwise this turns a lot more scary.


I think UL requires two thermal cutoff switches for coffee makers.

Even my $15 el-cheapo coffee maker has two thermal cutoff switches.

https://www.electrical-forensics.com/Coffeemakers/CoffeeMake...


Perhaps something similar to Underwriters Laboratories for IoT security?


I'm unhappy when this happens to my laptop but I'm frankly grateful to live in a world where coffeemakers can become almost literally possessed by demons

I'd much rather have the poltergeist coffeemaker than be back in the 80s when there were 10 identical buttons and no display to schedule my VCR to record a show


Literally possessed by daemons.


Sorry for the rant but I think it's several wonderful (/s) mentalities coming together in the design of those IoT things:

- hw engineers that don't know much (almost nothing I'd say) about internet security. Or all the gotchas of sw development

- "nodejs/docker/systemd" mentality who thinks of uptimes (what's uptime?) in terms of hours instead of years and "just reboot" as a solution to any problem

- "Monetize all the data", hey your coffee maker has a gdpr popup with only an OK button, that's fine and dandy right?

Every device should be factory resettable with a button. Allow upgrades? Sure, but the upgrade runs after the base code ran. It does not override a fixed partition.

Everything that doesn't need to be plugged in shouldn't, and conveniences quickly turn into inconveniences if they can't be maintained long-term.


Too bad you got down-voted. I think you have made some valid points.


This attack works for a single brand of device if it's either not been configured for wifi yet or you're on the same wifi (and within wifi range or control the router, just access to the wifi isn't enough). So the risk profile to an owner seems negligible. Probably more risk that your coffee maker will have a short circuit and catch on fire. If this is the doomsday scenario then I can see why no one cares.


The same could be said for Stuxnet.


I don't see how. Stuxnet was able to remotely infect windows machines over the internet and local network while this is a purely physically local attack.


> I don't see how. Stuxnet was able to remotely infect windows machines over the internet and local network while this is a purely physically local attack.

I think the reference was to the payload, which was targeted at the Siemens S7-315-2 programmable logic controller in order to destabilize high frequency drives and thus ruin the centrifuges attached to them.


Ah. I mean, sure, but it took a state level actor to make use of that against a state level target. So I stand by my statement that for the average user of a coffee pot the risk is negligible.


There will be good and bad IoT devices. At the moment there’s little way for a consumer to tell which is which - that to me is the biggest glaring omission. I wish we had branded security and privacy standards like “we don’t open unencrypted wifi access points”.


Then there is the scenario of a good manufacturer being bought out by greedy assholes.


Doesn't this ignore the broader question of IoT devices for things like coffee makers in the first place? It seems like internet-enabled for the sake of it, which is cool in the "We built a java-based coffee maker monitor for the break room back in 1991" way, but kind of sad today.

Product progressions in my lifetime:

   1. Put a clock in it

   2. Put a radio in it

   3. Put a camera in it

   4. Hook everything up to the internet


Between 2 and 3 there needs to be “put a screen on it”.


Reminded me of AvE’s Juicero teardown: https://youtu.be/_Cp-BGQfpHQ

Possibly one of the most ridiculous teardowns I’ve ever seen


The Decent Espresso machines [0] are the only smart coffee makers that seem to be doing something exceptional with their interfaces. Control over temperature, flow, and pressure in real time with pretty graphs seem almost worth the sticker price. Of course knobs and heater indicator lights are usually all you need.

[0]https://decentespresso.com/overview


Amazon released its Alexa Connect Kit to solve this problem: it’s an end to end IoT integration in a module. It’s a good way to focus on building an IoT device while someone else takes care of the security. https://developer.amazon.com/en-US/alexa/connected-devices/a...


Two issues:

1. "...while someone else takes care of the security." That doesn't actually seem likely.

2. Congratulations! You have now invested $N in development costs and glued your business to the side of Amazon's Alexa Division's business decisions.


Yup, all your usage data goes through Alexa and Amazon keeps an eye out to decide when it would be worthwhile to make a first-party Alexa coffee maker and eat your entire business


I'm skeptical that Amazon did this out of a genuine concern for IoT security. Seems more likely they wanted to be firmly at the center of all the data acquisition, and while they're no doubt more secure than the average IoT maker they can never be as secure as the act of not collecting the information in the first place. Their new interior security drones are next-level dystopian. How long till we're avoiding the Half Life 2 drones inside our own homes?


> while someone else takes care of the security

It's a shame that isn't true, however. Expecting a magical toolkit to ensure security, just means the application will have vulnerabilities.


It’s not just a toolkit. If you use Amazon’s hardware module, then they manage all of the security of the on-device code as well as the cloud connection, plus traditional vulnerabilities like setup (as demonstrated in TFA). If there are vulnerabilities, then Amazon can patch them via over-the-air updates that they manage.

Yes, you can still screw it up, but Amazon takes care of most of the hard bits that people get wrong.


You can throw rocks at the windows of any car, put a banana in the exhaust and put superglue in the locks. You can then say that the designers of the car didn't take security seriously.

However, we live in a world where anyone throwing rocks through the car's windows or vandalising the car can be caught to then be given a criminal record, possibly involving time in jail.

We need a culture of prosecuting people who vandalise computer systems and a police force able to take these things seriously, working internationally as required. As it is we do victim blaming and cover ups instead. If a server or an IoT gadget gets hacked we restore from backups (and don't tell the client) rather than go after the evil wrongdoer.

I would prefer to see our efforts go into not just better security (encryption everywhere and best practices) but also into the law and order aspect. In that way we can foster a better environment for citizens and business. Any country that gets this together and goes after hackers will have an advantage when it comes to attracting companies that want to have their web services (and coffee machines) secure.


I've tried a ton of different electronic coffee makers to try to replace the manual labor of my Chemex but they never taste as good. I'm not willing to sacrifice taste for a little more convenience but I may be in the minority.


I'm perfectly happy with my French Press, and it won't ask for a ransom, I hope.


I personally prefer an AeroPress---it's easier to clean---but I can understand others having different requirements.


I guess my point was, our devices are simple because making coffee is simple. I mean, technically you can just make cowboy coffee with no tools at all, but our methods get the grinds out. I never understood the need for most people to have electric machines, but I definitely will never understand the need for them to be network connected!


My 25 year old La Cimbali takes about 30 minutes to warm up. It’s 30kgs or so of brass and steel. Putting a smart plug on it has been great. The relay clicking at 6am makes me happy.


Chemex here but similar mindset. I don’t like my coffee going anyplace that I can’t easily clean between brews.


The minute my French Press tells me I need to perform an update before pressing, I'm done. With everything.


I'm coming around to the idea of having a separate VLAN for this stuff.


And forcing all DNS traffic through a Pi-hole (with the firewall forcing all port 53 back to the Pi-hole). Google and Samsung do some sneaky stuff and I assume others do too.
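One way to implement the "force port 53 back to the Pi-hole" rule for an IoT VLAN, as an added example that is not any commenter's configuration: an nftables ruleset for the router between the VLANs. The interface name vlan20, the subnet 192.168.20.0/24 and the Pi-hole address 192.168.20.2 are assumptions.

```nft
# Added example, not from the thread. Assumptions: the IoT devices live on
# interface vlan20 (192.168.20.0/24) and the Pi-hole answers at 192.168.20.2.
table ip iot_dns {
    # Rewrite the destination of every DNS query leaving the IoT VLAN so it
    # lands on the Pi-hole, whatever resolver the device has hard-coded.
    # A device that talks to 8.8.8.8 directly is still answered (and filtered)
    # by the Pi-hole instead of bypassing its blocklists.
    chain prerouting {
        type nat hook prerouting priority -100; policy accept;
        iifname "vlan20" ip daddr != 192.168.20.2 udp dport 53 dnat to 192.168.20.2
        iifname "vlan20" ip daddr != 192.168.20.2 tcp dport 53 dnat to 192.168.20.2
    }

    # When the Pi-hole sits on the same VLAN as the devices, its reply would
    # otherwise go straight back with a source address the device never
    # queried; masquerading the redirected flow keeps the reply path symmetric.
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        ip saddr 192.168.20.0/24 ip daddr 192.168.20.2 udp dport 53 masquerade
        ip saddr 192.168.20.0/24 ip daddr 192.168.20.2 tcp dport 53 masquerade
    }

    # DNS-over-TLS uses its own port, so it can be dropped outright; logging the
    # attempt makes a device that keeps trying visible in the firewall log.
    # DNS-over-HTTPS shares port 443 with normal traffic and cannot be caught by
    # port alone; the known DoH resolver hostnames belong on the Pi-hole's blocklist.
    chain forward {
        type filter hook forward priority 0; policy accept;
        iifname "vlan20" tcp dport 853 log prefix "iot-dot-blocked: " drop
    }
}
```

Load it with `nft -f <file>` and verify from a device on the VLAN that `dig @8.8.8.8 example.com` is answered with the Pi-hole's blocking behaviour rather than Google's.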


If by “screwed” you mean you can keep selling worse home kitchen appliances while also inheriting a recurring revenue stream because you slapped an android device behind the LCD

Then, “yes”


I do not really understand this obsession that everything has to be connected to a home network and/or the Internet. Not happening in my household.


Clickbait


https://decoded.avast.io/martinhron/the-fresh-smell-of-ranso...

Original link from the article, perhaps a better source?
