Cosori Kitchen Appliance Security Flaws Found


Researchers from the Cisco Talos Intelligence Group have uncovered security vulnerabilities in a popular kitchen appliance, the Cosori Smart Air Fryer. The blog post confirming these vulnerabilities states that they could “hypothetically allow an adversary to change temperatures, cooking times and settings on the air fryer.” The remote code execution vulnerabilities, CVE-2020-28592 and CVE-2020-2859, could allow remote code injection by an attacker. Temperature and timer controls in the hands of a malicious attacker could prove dangerous in the extreme, but what is the real-world risk?

Vacuum cleaners, coffee machines and sex toys

The internet of not so smart things is a security and privacy nightmare, no doubt about that, but some vulnerabilities are more worrying than others.

Last year I reported on a robot vacuum cleaner that could be hacked to spy on the user. Out of the lab and in the real world, this would require a firmware update, access to the local network and the correct ambient light and sound levels to work.

There are, truth be told, much easier ways to use technology to eavesdrop on someone.

Smart lock issues, yep. Coffee machine ransomware, less so. Connected car hacking and even permanently locking an internet-connected chastity belt, well, yeah.

Air fryer hacking, not so much.

The problem with air fryer security vulnerabilities

Obviously, the ability to tamper with temperature and timer controls on a cooking device is a dangerous thing that, if successfully exploited, could potentially start a fire. So why am I not overly concerned about this one?

Well, to begin with, the researchers admit that the attacker “must have physical access to the air fryer for some of these vulnerabilities to work.” Given that there are only two vulnerabilities to begin with, the exploit opportunity has already shrunk considerably, it would seem to me.

OK, you have to allow for the ingenuity of persistent threat actors, who might see a scenario involving a stack of other exploits and malware to gain access to the local network and then the air fryer firmware. Still, it’s a bit of a stretch. At least as far as the average user, or rather risk to the average user,…