Eccellenza Touch Coffee Maker
Rooting the Coffee Machine
So you get a new coffee machine. It has network capabilities…. and It has a USB port…
Obviously this means you should hack it.
The steps we took sort of went like this.Go make cup of Coffee
- Notice login interface while making coffee.
- Google default account info and test. Sadly this worked
- Notice USB port and Network config
- Connect to Network (does not support WPA2 enterprise)
This is when things got fairly interesting. We wanted the coffee machine to be on our enterprise network but the network configuration interface does not allow for that. We looked up firmware updates to no avail but after emailing the support team we were sent a dropbox link to download the latest firmware.
The download was quite interesting. This one download pretty much allowed us to see exactly how the update process would function and what scripts would be ran and when during the boot process. This also contained an entire drive where we could find things such as the shadow file, or the ssh configuration.
Using nmap we did a scan on the device and what’d ya know. SSH is enabled, isn’t that lovely. After trying to bruteforce our way into the device via SSH and the root users hashed password found in the shadow file we were unsuccessful with many wordlists. Then we noticed the ssh/sshd.conf and how passwordauthentication was disabled; whoops. Decided this was the end of the road for this route and started to think of alternative routes.
We installed the firmware update without editing anything and noticed the glorious command line. Being as it is updating the system we assume it is running with root privileges. So we go ahead and edit the update.sh script. After the mounting process we want to stop the update and allow us to have a romantic getaway with the lovely command line via keyboard access using the USB port. Reading the code we find a good place to insert our code and we go ahead and insert 3 lines.
echo “Done hacking.”
Now when we plug in the USB we will have root privileges on the command line. We are not done just yet as this is just the drive used for updating. We discovered many other drives on the device. With educational guess and check we were able to discover the main drive. We then mounted this drive to the tmp directory and chroot on over there. We are now root on the main drive and can simply go to /etc/ssh/sshd.conf and enable passwordauth and we are set to go. Before attempting to ssh into the device we ran “passwd “ with no parameter which seemed to set the password to nothing. While in this command line the input responses were not giving much information therefore we are not positive this command actually mattered.
Let us now sit back at our desk and ssh right into the coffee machine. There is plenty to explore in here and the possibilities of what you can do with this are endless. I recommend playing music through the coffees speakers and or playing a movie via the touch panel; but that’s just me.